Virus: TR/Drop.Bomka.G.2 Date discovered: 09/02/2006 Type: Trojan Subtype: Dropper In the wild: No Reported Infections: Low Distribution Potential: Low Damage Potential: Low to medium Static file: Yes File size: 185.953 Bytes MD5 checksum: 141dd10Ecaaffae90828993c1f2aab70 VDF version: 6.33.00.212
General Method of propagation: • No own spreading routine Aliases: • Mcafee: AdClicker-DW • TrendMicro: TROJ_BOMKA.G • Sophos: Troj/Bombka-F • Panda: Trj/Dropper.QN • Bitdefender: Trojan.Downloader.Bomka.G Platforms / OS: • Windows 95 • Windows 98 • Windows 98 SE • Windows NT • Windows ME • Windows 2000 • Windows XP Side effects: • Drops files • Drops a malicious file • Registry modification • Steals information Files The following files are created: – A file that is for temporary use and it might be deleted afterwards: • %TEMPDIR% \ns%random character string% .tmp – %SYSDIR% \kaboom.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Bomka.G – %TEMPDIR% \game1.exe Furthermore it gets executed after it was fully created. Registry It registers a browser helper object (BHO) by adding the following keys: – [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Browser Helper Objects\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}] – [HKCR\Horde.Labspak] • @="Labspak" – [HKCR\Horde.Labspak\CLSID] • @="{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}" – [HKCR\Horde.Labspak\CurVer] • @="Horde.Labspak.1" – [HKCR\Horde.Labspak.1] • @="Labspak" – [HKCR\Horde.Labspak.1\CLSID] • @="{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}" – [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}] • @="Labspak" – [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\InprocServer32] • @="%SYSDIR% \kaboom.dll" • "ThreadingModel"="Apartment" – [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\ProgID] • @="Horde.Labspak.1" – [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\Programmable] – [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\TypeLib] • @="{90EC7761-4998-4536-B4D7-9EB72ADB3042}" – [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\ VersionIndependentProgID] • @="Horde.Labspak" – [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0] • @="KABOOMLib" – [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0\0\win32] • @="%SYSDIR% \kaboom.dll" – [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0\FLAGS] • @="0" – [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0\HELPDIR] • @="%SYSDIR% \" The following registry keys are added: – [HKLM\SOFTWARE\Microsoft\Zeal] • "campaign_id"="18" • "is_dialup"=dword:%hex number% • "user_id"="%six-digit random character string% " • "sleep_delay"=dword:%hex number% • "install_delay"=dword:%hex number% • "main_delay"=dword:%hex number% • "stage"=dword:%hex number% • "timeout"=dword:%hex number% – [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}] • @="ILabspak" – [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}\ ProxyStubClsid] • @="{00020424-0000-0000-C000-000000000046}" – [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}\ ProxyStubClsid32] • @="{00020424-0000-0000-C000-000000000046}" – [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}\TypeLib] • @="{90EC7761-4998-4536-B4D7-9EB72ADB3042}" • "Version"="3.0" Backdoor Contact server: One of the following: • joywebserfer.com/counter11/********** • cleverhead.info/counter11/********** • wannabcool.info/counter11/********** • somethngcool.info/counter11/********** • sortbycool.info/counter11/********** • mucho-cool.com/counter11/********** • epromosystems.com/counter11/********** The following: • mucho-cool.com/counter11/********** As a result it may send information and remote control could be provided. This is done via the HTTP GET request on a PHP script. The servers answer is written to the file: %TEMPDIR% \s32o.%random number% Sends information about: • Computer name • Current user • Internet connection type • Platform ID Remote control capabilities: • Visit a website Injection – It injects the following file into a process: kaboom.dll Process name: • iexplore.exe File details Programming language: The malware program was written in MS Visual C++. Runtime packer: In order to aggravate detection and reduce size of the file it is packed with the following runtime packer: • UPX
Description inserted by Daniel Constantin on Tuesday, February 14, 2006 Description updated by Daniel Constantin on Tuesday, February 14, 2006
Back
.
.
.
.