Virus: TR/TComBill.O
Date discovered: 21/04/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 10.240 Bytes
MD5 checksum: 79a56b6e3fdaf3d7fa6950e754cfa348
VDF version: 6.34.00.214

Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.Small.coq
   •  TrendMicro: TROJ_DLOADER.DAY
   •  Bitdefender: Trojan.Downloader.Small.COQ


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Third party control

Files:
It deletes the initially executed copy of itself.



The following file is created:

   • %SYSDIR%\sysldr.dll
     Further investigation showed that this file is malware, too. Detected as: TR/TComBill.O.2

Registry:
The following value is removed from this registry key:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • sysldr



The following registry key is added:

– [HKCR\CLSID\{%generated CLSID%}\InprocServer32]
   • @ = sysldr.dll



The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   New value:
   • sysldr = {%generated CLSID%}
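The registry changes above form one persistence chain: an SSODL value names a CLSID, and that CLSID's InprocServer32 default value names the dropped DLL, so Explorer loads it at logon. The following Python example is added here and is not part of the Avira description; it parses a constructed .reg export of those two key types and flags SSODL entries that are missing from an assumed clean baseline or whose InprocServer32 is a bare file name (resolved through the DLL search order, as with sysldr.dll). The WebCheck entry, the baseline set and the all-zero GUID (standing in for the report's %generated CLSID%) are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a Windows .reg export (not data from the report). The
# all-zero GUID is a placeholder for the report's "%generated CLSID%".
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"sysldr"="{00000000-0000-0000-0000-000000000000}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\Windows\\System32\\webcheck.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="sysldr.dll"
"""

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
# Assumed baseline: SSODL value names recorded on a known-clean build of the host.
BASELINE_SSODL = {"WebCheck"}
VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))="(.*)"$')


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; '@' is the default value."""
    keys = defaultdict(dict)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and (m := VALUE_RE.match(line)):
            name = m.group(1) or "@"
            # .reg files escape backslashes in string data; undo that here
            keys[current][name] = m.group(3).replace("\\\\", "\\")
    return keys


def audit_ssodl(reg_text):
    """Resolve each SSODL CLSID to its InprocServer32 DLL and flag suspicious entries."""
    keys = parse_reg(reg_text)
    findings = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        inproc_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32"
        dll = keys.get(inproc_key, {}).get("@", "")
        reasons = []
        if name not in BASELINE_SSODL:
            reasons.append("not in baseline")
        if "\\" not in dll:
            # Bare file name: located via the DLL search order rather than a fixed path
            reasons.append("relative DLL path")
        if reasons:
            findings.append((name, clsid, dll, reasons))
    return findings
```

On a live host the same logic can be fed the output of `reg export` for the two hives instead of the constructed sample.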

Backdoor:
Contact server, one of the following:
   • http://dynafilmes.com.br/imagens/**********
   • http://soloaguia.com/imagens/**********
   • http://www.chiefmar.com/Images/**********
   • http://www.computerideasrl.it/immagini/**********
   • http://www.barpel.it/images/**********

As a result it may send information, and remote control could be provided. This is done via an HTTP GET request to a PHP script.


Sends information about:
   • Current malware status


Remote control capabilities:
   • Download file
   • Execute file

Injection:
It injects the following file into a process:
   • %SYSDIR%\sysldr.dll

Process name:
   • svchost.exe


File details:
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Tuesday, April 25, 2006
Description updated by Andrei Gherman on Tuesday, April 25, 2006
