Virus: TR/Dldr.CWS.h.1.B
Date discovered: 19/09/2005
Type: Trojan
Subtype: Downloader
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 13.824 Bytes
MD5 checksum: 3bb19c92f33d0b89cf823bacea72efa9
VDF version: 6.32.0.38

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.CWS.h
   •  TrendMicro: TROJ_DLOADER.ABQ


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Downloads malicious files
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\inetdata\services.exe



A section is added to a file.
– To: %WINDIR%\system.ini, with the following contents:
   • load=%WINDIR%\inetdata\services.exe




The following file is created:

%WINDIR%\inetdata\tmp



It tries to download some files:

– The location is the following:
   • traff-**********.com/ef.exe
It is saved on the local hard drive as %WINDIR%\ef.exe and is executed once the download completes. Further investigation showed that this file is malware, too. Detected as: TR/Dldr.CWS.C.2


– The location is the following:
   • traff-**********.com/killer.exe
It is saved on the local hard drive as %WINDIR%\skiller.exe. Further investigation showed that this file is malware, too. Detected as: TR/Dldr.CWS.A


– The location is the following:
   • traff-**********.com/socks5.exe
It is saved on the local hard drive as %WINDIR%\winsocks5.exe. Further investigation showed that this file is malware, too. Detected as: TR/Proxy.Small.bt.3


– The location is the following:
   • **********.com/mm.exe
It is saved on the local hard drive as %WINDIR%\mm1.exe. Further investigation showed that this file is malware, too. Detected as: TR/Dldr.CWS.h.2


– The location is the following:
   • traff-**********.com/gallerys/xpsystem/3.00.09.dll
It is saved on the local hard drive as %WINDIR%\inetdata\3.00.09.dll. Further investigation showed that this file is malware, too. Detected as: TR/Dldr.Delf.BV.1

Registry
The following registry keys are added continuously, in an infinite loop, so that the process is run again after a reboot.

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "xp_system"="%WINDIR%\inetdata\winlogon.exe"

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "xp_system"="%WINDIR%\inetdata\winlogon.exe"



It registers a browser helper object (BHO) by adding the following key:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
   • @=""



The following registry keys are added:

– HKCU\Software\Microsoft\Internet Explorer\Main
   • "Enable Browser Extensions"="yes"

– HKCR\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
   • @="HBO Class"

– HKCR\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\InprocServer32
   • @="%WINDIR%\inetdata\3.00.09.dll"
   • "ThreadingModel"="Apartment"

– HKCR\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\ProgID
   • @="Replace.HBO.1"

– HKCR\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\Programmable
   • @=""

– HKCR\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\TypeLib
   • @="{516A36EA-AFE2-4965-A492-B198B7F7B018}"

– HKCR\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\
   VersionIndependentProgID
   • @="Replace.HBO"

– HKCR\Replace.HBO
   • @="HBO Class"

– HKCR\Replace.HBO\CLSID
   • @="{5321E378-FFAD-4999-8C62-03CA8155F0B3}"

– HKCR\Replace.HBO\CurVer
   • @="Replace.HBO.1"

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
   • "run"="%WINDIR%\inetdata\winlogon.exe"

– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
   • "state"=%random character string%
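The persistence artifacts listed above (the `load=` line written into system.ini, the `xp_system` Run values, the `run=` value under `Windows NT\CurrentVersion\Windows`, and the BHO CLSID registration) can be checked offline against an ini file and a parsed registry export. The script below is an added example written for this page, not code from the original description or from the vendor: it assumes the registry export has already been reduced to `(key_path, value_name, value_data)` tuples, keeps `%WINDIR%` as the unexpanded placeholder the description uses, and runs on a constructed sample rather than a capture from an infected host.

```python
import re

# Indicators copied from the description above; %WINDIR% is kept as the
# unexpanded placeholder the description uses. Key paths are lower-cased
# because the registry is case-insensitive.
SYSTEM_INI_LOAD_TARGET = r"%WINDIR%\inetdata\services.exe"
RUN_VALUE_NAME = "xp_system"
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}
WINNT_WINDOWS_KEY = r"hkcu\software\microsoft\windows nt\currentversion\windows"
BHO_CLSID = "{5321e378-ffad-4999-8c62-03ca8155f0b3}"
BHO_INPROC_KEY = "hkcr\\clsid\\" + BHO_CLSID + "\\inprocserver32"


def parse_ini_autoruns(text):
    """Return (section, key, value) for every load= or run= line in an .ini text.

    Section headers and key names are compared case-insensitively; blank lines
    and ';' comments are skipped. A clean system.ini normally has no such lines.
    """
    section = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("load", "run"):
            found.append((section, key.strip().lower(), value.strip()))
    return found


def check_system_ini(text):
    """Flag every autorun entry; label the one this description lists as a known indicator."""
    findings = []
    for section, key, value in parse_ini_autoruns(text):
        if not value:
            continue
        if value.lower() == SYSTEM_INI_LOAD_TARGET.lower():
            tag = "known TR/Dldr.CWS.h.1.B indicator"
        else:
            tag = "unexpected autorun entry"
        findings.append(f"{tag}: [{section}] {key}={value}")
    return findings


def match_registry(entries):
    """Match (key_path, value_name, value_data) records against the keys listed above.

    Assumption: the records come from a registry export already parsed into tuples,
    with the hive prefixes HKCU/HKLM/HKCR written as on the page.
    """
    findings = []
    for key_path, name, data in entries:
        k = key_path.lower()
        n = name.lower()
        if k in RUN_KEYS and n == RUN_VALUE_NAME.lower():
            findings.append(f"Run key persistence: {key_path}\\{name} = {data}")
        elif k == WINNT_WINDOWS_KEY and n in ("run", "load"):
            findings.append(f"Windows NT {name}= persistence: {data}")
        elif "browser helper objects\\" + BHO_CLSID in k:
            findings.append(f"BHO registration: {key_path}")
        elif k == BHO_INPROC_KEY and name == "@":
            findings.append(f"BHO in-process server DLL: {data}")
    return findings


def scan_host_artifacts(ini_text, registry_entries):
    """Combine both checks into one list of findings."""
    return check_system_ini(ini_text) + match_registry(registry_entries)


# Constructed sample input (not a capture from a real host).
SAMPLE_SYSTEM_INI = r"""; constructed sample, not a capture from an infected host
[boot]
shell=Explorer.exe

[windows]
load=%WINDIR%\inetdata\services.exe
"""

SAMPLE_REGISTRY = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "xp_system", r"%WINDIR%\inetdata\winlogon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "xp_system", r"%WINDIR%\inetdata\winlogon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3}", "@", ""),
    (r"HKCR\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\InprocServer32", "@", r"%WINDIR%\inetdata\3.00.09.dll"),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "run", r"%WINDIR%\inetdata\winlogon.exe"),
    # Benign entry (constructed) that must not be flagged.
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for finding in scan_host_artifacts(SAMPLE_SYSTEM_INI, SAMPLE_REGISTRY):
        print(finding)
```

The `load=` check deliberately reports any non-empty `load=`/`run=` value, not only the path from this description, because a legitimate system.ini has no reason to carry one; the registry check is exact on the `xp_system` value name and the CLSID, so a renamed copy of the loader would need an additional rule.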

Backdoor
Contact server:
All of the following:
   • traff-**********.com/affiliate/interface.php?
   • traff-**********.com/affiliate/counter.php?

As a result it may send some information. This is done via an HTTP GET request to a PHP script.


Sends information about:
   • Platform ID
   • Users' local activity
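Both the payload downloads listed under "It tries to download some files" and the affiliate check-ins above go out as plain HTTP GET requests, so a web proxy log is a natural place to look for them. The script below is an added example written for this page, not code from the original description or from the vendor: because the hosts are masked on the page it matches on URL path only, the log format is assumed to be Squid's native access.log layout, and the host `traff-example.invalid` and the log lines are constructed placeholders, not real traffic.

```python
import re
from urllib.parse import urlsplit

# URL paths taken from the description above, with the detection name of the
# file each one delivered. Hosts are masked on the page, so only paths are used.
DOWNLOAD_PATHS = {
    "/ef.exe": "TR/Dldr.CWS.C.2",
    "/killer.exe": "TR/Dldr.CWS.A",
    "/socks5.exe": "TR/Proxy.Small.bt.3",
    "/mm.exe": "TR/Dldr.CWS.h.2",
    "/gallerys/xpsystem/3.00.09.dll": "TR/Dldr.Delf.BV.1",
}
# The two PHP scripts the trojan contacts via HTTP GET.
CONTACT_PATHS = ("/affiliate/interface.php", "/affiliate/counter.php")

# Assumed Squid native access.log layout:
# time elapsed client code/status bytes method url ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_url(url):
    """Return (kind, detail) for a URL that matches an indicator, else None."""
    path = urlsplit(url).path
    if path in DOWNLOAD_PATHS:
        return ("payload download", DOWNLOAD_PATHS[path])
    if path in CONTACT_PATHS:
        return ("affiliate check-in (HTTP GET)", path)
    return None


def scan_proxy_log(lines):
    """Return (client, method, url, kind, detail) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access.log line
        verdict = classify_url(m.group("url"))
        if verdict:
            hits.append((m.group("client"), m.group("method"), m.group("url")) + verdict)
    return hits


def summarize_by_client(hits):
    """Map each client to the set of indicator kinds seen; a client showing both a
    payload download and a check-in is the strongest candidate for an infected host."""
    summary = {}
    for client, _method, _url, kind, _detail in hits:
        summary.setdefault(client, set()).add(kind)
    return summary


# Constructed sample log (placeholder host and addresses, not real traffic).
SAMPLE_LOG = """\
1127123456.001    120 10.0.0.15 TCP_MISS/200 13824 GET http://traff-example.invalid/ef.exe - DIRECT/203.0.113.9 application/octet-stream
1127123457.512     30 10.0.0.15 TCP_MISS/200 311 GET http://traff-example.invalid/affiliate/interface.php?id=1 - DIRECT/203.0.113.9 text/html
1127123460.004     15 10.0.0.22 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1127123461.250     40 10.0.0.15 TCP_MISS/200 9211 GET http://traff-example.invalid/gallerys/xpsystem/3.00.09.dll - DIRECT/203.0.113.9 application/octet-stream
"""

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print(summarize_by_client(found))
```

Matching on path alone trades precision for robustness against the masked or rotating domain; in production the rule would be paired with the destination host once it is known, and the `3.00.09.dll` download is worth a rule of its own because it is the file later registered as the BHO.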

Miscellaneous
Mutex:
It creates the following Mutexes:
   • userenv: machine policy mutex
   • userenv: user policy mutex

File details
Programming language:
The malware program was written in Delphi.

Description inserted by Irina Boldea on Monday, September 19, 2005
Description updated by Irina Boldea on Tuesday, September 27, 2005
