Virus:TR/Dldr.Paint.A
Date discovered:21/07/2010
Type:Trojan
Subtype:Downloader
In the wild:Yes
Reported Infections:Medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:115,200 Bytes
MD5 checksum:1e24088a0bfe7a3966ffe0650f7b5b22
IVDF version:7.10.09.146 - Wednesday, July 21, 2010

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan.Win32.Jorik.IRCbot.ck
   •  TrendMicro: WORM_PALEVO.ARL
   •  Sophos: Mal/Rimecud-D
   •  Bitdefender: Trojan.IRCBot.ZN
   •  Eset: IRC/SdBot
   •  AhnLab: Backdoor/Win32.IRCBot
   •  Ikarus: Trojan.Win32.Jorik


Platforms / OS:
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Lowers security settings
   • Downloads malicious files
   • Drops files
   • Registry modification

Files:
It copies itself to the following location:
   • %WINDIR%\jusched.exe



The following files are created:

%WINDIR%\wintybrdf.jpg
%WINDIR%\wintybrd.png
%WINDIR%\mdll.dl



It tries to download files:

– The location is the following:
   • http://91.21**********fGRvd25sb2FkfA==18k.gif
It is saved on the local hard drive under: %TEMPDIR%\6.tmp
Furthermore, this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Agent.abo

– The location is the following:
   • http://91.21**********fGRvd25sb2FkfA==18k.gif
It is saved on the local hard drive under: %TEMPDIR%\8.tmp
Furthermore, this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Agent.abo

Registry:
The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="c:\windows\\jusched.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="c:\windows\\jusched.exe"



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "c:\\xxx\\tr.exe"="c:\windows\\jusched.exe:*:Enabled:Java developer
      Script Browse"



The following registry keys are added:

– [HKLM\SYSTEM\ControlSet001\Control\Print\Printers\
   Microsoft XPS Document Writer]
   • "ChangeID"=dword:0014fe15
   • "Status"=dword:00000080
   • "Name"="Microsoft XPS Document Writer"
   • "Share Name"=""
   • "Print Processor"="WinPrint"
   • "Datatype"="RAW"
   • "Parameters"=""
   • "Action"=dword:00000000
   • "ObjectGUID"=""
   • "DsKeyUpdate"=dword:00000000
   • "DsKeyUpdateForeground"=dword:00000003
   • "Description"=""
   • "Printer Driver"="Microsoft XPS Document Writer"
   • "Default DevMode"=hex:%hex values%
   • "Priority"=dword:00000001
   • "Default Priority"=dword:00000001
   • "StartTime"=dword:00000000
   • "UntilTime"=dword:00000000
   • "Separator File"=""
   • "Location"=""
   • "Attributes"=dword:00000040
   • "txTimeout"=dword:0000afc8
   • "dnsTimeout"=dword:00003a98
   • "Security"=hex:%hex values%
   • "SpoolDirectory"=""
   • "Port"="XPSPort:"

– [HKLM\SYSTEM\ControlSet001\Control\Print\Printers\
   Microsoft XPS Document Writer\DsDriver]
   • "printBinNames"=hex(7):%hex values%
   • "printCollate"=hex:00
   • "printColor"=hex:01
   • "printDuplexSupported"=hex:00
   • "printStaplingSupported"=hex:00
   • "printMaxXExtent"=dword:000021bc
   • "printMaxYExtent"=dword:00002ba8
   • "printMinXExtent"=dword:00000384
   • "printMinYExtent"=dword:00000384
   • "printMediaSupported"=hex(7):%hex values%
   • "printMediaReady"=hex(7):%hex values%
   • "printNumberUp"=dword:00000000
   • "printOrientationsSupported"=hex(7):%hex values%
   • "printMaxResolutionSupported"=dword:00000258
   • "printLanguage"=hex(7):00,00
   • "printRateUnit"=""
   • "driverVersion"=dword:00000401

– [HKLM\SYSTEM\ControlSet001\Control\Print\Printers\
   Microsoft XPS Document Writer\DsSpooler]
   • "description"=""
   • "driverName"="Microsoft XPS Document Writer"
   • "location"=""
   • "portName"=hex(7):58,00,50,00,53,00,50,00,6f,00,72,00,74,00,3a,00,00,00,00,00
   • "printStartTime"=dword:00000000
   • "printEndTime"=dword:00000000
   • "printerName"="Microsoft XPS Document Writer"
   • "printKeepPrintedJobs"=hex:00
   • "printSeparatorFile"=""
   • "printShareName"=""
   • "printSpooling"="PrintWhileSpooling"
   • "priority"=dword:00000001
   • "uNCName"="\\\\hbxpeng\\Microsoft XPS Document Writer"
   • "versionNumber"=dword:00000004
   • "serverName"="hbxpeng"
   • "shortServerName"="HBXPENG"
   • "flags"=dword:00000000

– [HKLM\SYSTEM\ControlSet001\Control\Print\Printers\
   Microsoft XPS Document Writer\PrinterDriverData]
   • "InitDriverVersion"=dword:00000600
   • "Model"="Microsoft XPS Document Writer"
   • "PrinterDataSize"=dword:00000230
   • "PrinterData"=hex:%hex values%
   • "FeatureKeywordSize"=dword:00000002
   • "FeatureKeyword"=hex:00,00
   • "Forms?"=dword:72f6d2ca

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPOOLER\0000\Control]
   • "ActiveService"="Spooler"

– [HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\
   featurecontrol\FEATURE_BROWSER_EMULATION]
   • "svchost.exe"=dword:000022b8

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\
   Internet Settings]
   • "maxhttpredirects"=dword:000022b8
   • "enablehttp1_1"=dword:00000001

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\
   Extensions\CmdMapping]
   • "NextId"=dword:00002003
   • "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"=dword:00002002

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\
   international]
   • "acceptlanguage"="en-gb"

Injection:
It injects itself into processes.

   All of the following processes:
   • spoolsv.exe
   • services.exe
   • iexplore.exe
   • explorer.exe


Description inserted by Patrick Schoenherr on Wednesday, July 21, 2010
Description updated by Patrick Schoenherr on Wednesday, July 21, 2010
