Virus:TR/Fotomoto.E
Date discovered:29/08/2007
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:75.284 Bytes
MD5 checksum:1ffd1d03db9b66987c6875f5981236c1
IVDF version:6.39.01.57 - Wednesday, August 29, 2007

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Downloader-BFC
   •  Kaspersky: Trojan.Win32.Agent.bck
   •  F-Secure: Trojan.Win32.Agent.bck
   •  Sophos: Troj/Bckdr-QJL
   •  Panda: Trj/Downloader.OZB
   •  Eset: Win32/Agent.BCK


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Lowers security settings
   • Registry modification
   • Third party control

 Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\DomainService]
   • Type = 10
   • Start = 2
   • ErrorControl = 0
   • ImagePath = %malware execution directory%\%executed file% /service
   • DisplayName = DomainService
   • ObjectName = LocalSystem
   • FailureActions = %hex values%
   • Description = DomainService

– [HKLM\SYSTEM\CurrentControlSet\Services\DomainService\Security]
   • Security = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\DomainService\Enum]
   • 0 = Root\LEGACY_DOMAINSERVICE\0000
   • Count = 1
   • NextInstance = 1



The value of the following registry key is removed:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • DDC



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • %malware execution directory%\%executed file% =
      %malware execution directory%\%executed file%:*



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\DomainService]


The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • SFCDisable = 0
   New value:
   • SFCDisable = 4

 Backdoor Contact server:
All of the following:
   • http://23.244.141.185/**********/install.php
   • http://23.244.141.185/**********/heartbeat.php
   • http://23.244.141.185/**********/domains.php

As a result it may send information and remote control could be provided.

Sends information about:
    • Current malware status


Remote control capabilities:
    • Download file
    • Visit a website

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Gherman on Wednesday, October 10, 2007
Description updated by Andrei Gherman on Wednesday, October 10, 2007

Back . . . .