Virus: TR/Virtumonde.26730
Date discovered: 02/04/2007
Type: Trojan
Subtype: Downloader
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 26730 Bytes
MD5 checksum: 731396df61f1cedc2b70ab33ebb0c0b3
VDF version: 6.38.00.161
IVDF version: 6.38.00.165 - Tuesday, April 3, 2007

General
Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\%five-digit random character string%.dll




It tries to download a file:

– The location is the following:
   • http://89.188.16.15/ths/lo1.dll**********
It is saved on the local hard drive under: %SYSDIR%\%five-digit random character string%.dll. Furthermore, this file is executed after it has been fully downloaded. Further investigation showed that this file is malware, too.

Registry
The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\
   Settings]
   • "Time"=%current time%

– [HKCR\CLSID\{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}\InprocServer32]
   • @="%malware execution directory%\%executed file%"
   • "ThreadingModel"="Both"

– [HKCU\Software\Microsoft\Installer]
   • @=%hex number%

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   ShellExecuteHooks]
   • "{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
   %executed file%]
   • "Asynchronous"=dword:00000001
   • "DllName"="%executed file%"
   • "Impersonate"=dword:00000000
   • "Logon"="Logon"
   • "Logoff"="Logoff"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   • "GlobalUserOffline"=dword:00000000



The following registry keys are changed:

Lower security settings from Internet Explorer:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\3]
   Old value:
   • "1A10"=%user defined settings%
     "{A8A88C49-5EB2-4990-A1A2-0876022C854F}"=%user defined settings%
   New value:
   • "1A10"=dword:00000000
     "{A8A88C49-5EB2-4990-A1A2-0876022C854F}"=%hex number%
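The persistence points listed above (the ShellExecuteHooks entry, the CLSID's InprocServer32 path, the Winlogon notification package, and the Internet-zone value 1A10 forced to 0) can be checked on an offline registry export rather than on the live machine. The script below is an added example written for this page; it is not part of the original description or of any vendor tool. It parses the plain-text format written by `reg export`, and the sample export, the `qwxyz.dll` file name and the `crypt32chain` entry in it are constructed for illustration. The five-character random DLL name is matched with an alphanumeric pattern, which is an assumption since the description does not state the alphabet.

```python
"""Check a Windows registry export (.reg text) for the persistence and
policy changes listed in the TR/Virtumonde.26730 description.

Added example for this page, not original content.  It works on the text
produced by `reg export`, so it runs on any platform against an export
taken from a suspect machine.  The sample export below is constructed."""
import re
from typing import Dict, List

# Indicators taken from the description.
VIRTUMONDE_CLSID = "{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"
SHELL_HOOKS = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks"
WINLOGON_NOTIFY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
INTERNET_ZONE = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"
INPROC = "HKEY_CLASSES_ROOT\\CLSID\\" + VIRTUMONDE_CLSID + "\\InprocServer32"
# "%five-digit random character string%.dll": the alphabet is not given in
# the description, so alphanumerics are assumed here.
RANDOM_DLL = re.compile(r"^(?:.*\\)?[A-Za-z0-9]{5}\.dll$", re.IGNORECASE)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: {key path: {value name: value}}.
    '@' is the key's default value; dword values become ints, quoted strings
    are unescaped, any other type (hex, hex(2), ...) is kept as raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:  # header line before the first key
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = "@" if name == "@" else name.strip('"')
        if value.startswith("dword:"):
            parsed: object = int(value[6:], 16)
        elif value.startswith('"') and value.endswith('"'):
            parsed = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            parsed = value
        keys[current][name] = parsed
    return keys


def scan(reg_text: str) -> List[str]:
    """Return one finding per indicator present in the export."""
    # Registry paths are case-insensitive, so compare upper-cased keys.
    reg = {k.upper(): v for k, v in parse_reg(reg_text).items()}
    findings = []
    if VIRTUMONDE_CLSID in reg.get(SHELL_HOOKS.upper(), {}):
        findings.append(f"ShellExecuteHooks registers {VIRTUMONDE_CLSID}")
    inproc = reg.get(INPROC.upper(), {})
    if RANDOM_DLL.match(str(inproc.get("@", ""))):
        findings.append(f"InprocServer32 of {VIRTUMONDE_CLSID} points at {inproc['@']}")
    for key, values in reg.items():
        if key.startswith(WINLOGON_NOTIFY.upper()):
            dll = str(values.get("DllName", ""))
            if RANDOM_DLL.match(dll):
                package = key.rsplit("\\", 1)[-1]
                findings.append(f"Winlogon Notify package {package} loads {dll}")
    if reg.get(INTERNET_ZONE.upper(), {}).get("1A10") == 0:
        findings.append("Internet zone value 1A10 set to 0 (lowered security setting)")
    return findings


# Constructed sample export: one benign shell hook and one benign Winlogon
# notification package next to entries shaped like the description.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""

[HKEY_CLASSES_ROOT\CLSID\{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}\InprocServer32]
@="C:\\WINDOWS\\system32\\qwxyz.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwxyz]
"Asynchronous"=dword:00000001
"DllName"="qwxyz.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A10"=dword:00000000
"{A8A88C49-5EB2-4990-A1A2-0876022C854F}"=dword:00000003
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real export with `python scan_reg.py < export.reg` after replacing the sample with `sys.stdin.read()`; the ShellExecuteHooks and Winlogon\Notify keys are also worth dumping whole, since any unfamiliar entry there deserves a look regardless of this sample's name pattern.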

Backdoor
Contact server:
   • http://65.243.103.80/80/67247**********&t=%current date%**********

As a result it may send some information. This is done via an HTTP GET request to a PHP script.

Injection
It injects itself into a process.

All of the following processes:
   • Explorer.exe
   • Winlogon.exe
   • %processes that have visible windows%


Miscellaneous
Mutex:
It creates one of the following mutexes:
   • _ConsprMutx
   • awx_mutant

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Monica Ghitun on Thursday, April 19, 2007
Description updated by Monica Ghitun on Thursday, April 19, 2007
