Virus: TR/Fotomoto.F.1
Date discovered: 07/11/2007
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 71.232 Bytes
MD5 checksum: d724dfe9790e373d1b92b3a35c1d0e49
IVDF version: 7.00.00.182 - Wednesday, November 7, 2007

General
Method of propagation:
   • No spreading routine of its own


Aliases:
   •  Mcafee: Vundo.dr trojan
   •  Kaspersky: Trojan.Win32.Obfuscated.kp
   •  F-Secure: Trojan.Win32.Obfuscated.kp
   •  Panda: Spyware/Virtumonde
   •  Grisoft: Obfustat.VUL
   •  Eset: Win32/Adware.Ezula application


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Lowers security settings
   • Registry modification
   • Third party control

Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\DomainService]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"="%malware execution directory%\%executed file% \service"
   • "DisplayName"="DomainService"
   • "ObjectName"="LocalSystem"
   • "FailureActions"= %hex values%
   • "Description"="DomainService"



The value of the following registry key is removed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • DDC



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%malware execution directory%\\%executed file%"="%malware execution directory%\\%executed file%:"



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\DomainService]


The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "SFCDisable" = 0
   New value:
   • "SFCDisable" = 4
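The registry artifacts above are the ones an analyst would check first when triaging a suspected infection. The following read-only PowerShell check is an added example, not part of the Avira description; it assumes an NT-family host with PowerShell and only reports what it finds (it removes nothing).

```powershell
# Added example: read-only triage for the TR/Fotomoto.F.1 registry artifacts
# listed in the description. Key paths, value names and the SFCDisable value
# come from the description; the output wording is ours.
$findings = @()

# 1. Persistence: service "DomainService" that runs as LocalSystem at boot.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DomainService'
$svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service key present: ImagePath='$($svc.ImagePath)' Start=$($svc.Start) ObjectName=$($svc.ObjectName)"
    # The description shows ImagePath ending in the " \service" argument.
    if ($svc.ImagePath -match '\\service$') {
        $findings += 'ImagePath carries the "\service" argument noted in the description'
    }
}

# 2. Marker key added under HKLM\SOFTWARE\Microsoft.
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\DomainService') {
    $findings += 'Marker key HKLM\SOFTWARE\Microsoft\DomainService present'
}

# 3. Windows File Protection switched off (SFCDisable changed from 0 to 4).
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl -and $wl.SFCDisable -eq 4) {
    $findings += 'SFCDisable=4 in Winlogon (expected 0)'
}

# 4. Firewall exception whose value name is the executable from ImagePath.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw -and $svc) {
    # Strip the trailing " \service" argument and any quotes to get the exe path.
    $exe = ($svc.ImagePath -replace '\s*\\service$', '').Trim('"')
    foreach ($p in $fw.PSObject.Properties) {
        # Skip the PS* provider properties; value names here are full paths.
        if ($p.Name -notlike 'PS*' -and $p.Name -ieq $exe) {
            $findings += "Firewall exception for '$($p.Name)' = '$($p.Value)'"
        }
    }
}

if ($findings.Count -eq 0) { 'No TR/Fotomoto.F.1 registry artifacts found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM keys are readable; a hit on the service key alone is enough to justify pulling the file referenced by ImagePath for analysis.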

Backdoor
Contact server:
All of the following:
   • http://24.244.141.185/**********/install.php
   • http://24.244.141.185/**********/heartbeat.php



Sends information about:
    • Current malware status


Remote control capabilities:
    • Download file
    • Visit a website

File details
Runtime packer:
In order to hamper detection and reduce the file size, it is packed with the following runtime packer:
   • UPolyX v0.5

Description inserted by Thomas Wegele on Friday, December 7, 2007
Description updated by Thomas Wegele on Friday, December 7, 2007
