Virus: TR/Refroso.4295685
Date discovered: 07/04/2011 (7 April 2011)
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 429.568 Bytes
MD5 checksum: 45bf31069aa64c6054052e39bdf983fa
VDF version: 7.11.05.220 - Thursday, April 7, 2011
IVDF version: 7.11.05.220 - Thursday, April 7, 2011
General
Methods of propagation:
• Autorun feature
• Peer to Peer

Aliases:
• Kaspersky: Worm.Win32.AutoRun.hso
• F-Secure: Worm.Win32.AutoRun.hso
• Bitdefender: Gen:Variant.Refroso.5
• GData: Gen:Variant.Refroso.5
• DrWeb: Trojan.DownLoader2.29164

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops malicious files
• Lowers security settings
• Registry modification
• Steals information

Files
It copies itself to the following locations:
• %HOME%\Application Data\update.exe
• %drive%\update.exe

The following files are created:
– %drive%\autorun.inf
  This is a plain text file (not malicious by itself) with the following content:
  • %code that runs malware%
– %HOME%\Application Data\data.dat

It tries to execute the following commands, which add the firewall entries listed in the Registry section:
• cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
• cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "%executed file%" /t REG_SZ /d "%executed file%:*:Enabled:Windows Messanger" /f
• cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "%HOME%\Application Data\update.exe" /t REG_SZ /d "%HOME%\Application Data\update.exe:*:Enabled:Windows Messanger" /f

Registry
The following registry keys are added in order to run the processes after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • "WinDefend"="%HOME%\Application Data\update.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "WinDefend"="%HOME%\Application Data\update.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
  • "WinDefend"="%HOME%\Application Data\update.exe"

It creates the following entries in order to bypass the Windows XP firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
  • "DoNotAllowExceptions"=dword:0x00000000
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
  • "%HOME%\Application Data\update.exe"="%HOME%\Application Data\update.exe:*:Enabled:Windows Messanger"
  • "%executed file%"="%executed file%:*:Enabled:Windows Messanger"
Setting DoNotAllowExceptions to 0 makes sure the firewall honours its exception list (0 is also the default, so this value alone is not an indicator); the AuthorizedApplications entries then whitelist the dropped file under the display name "Windows Messanger" (the misspelling is the malware's own and is a useful indicator).

The following registry keys are added:
– [HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
  • "D7JI99UHS9"="%current date%"
– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{C0FCFCEB-CD91-8FAA-AFAD-4DED88DEDA79}]
  • "StubPath"="%HOME%\Application Data\update.exe"
– [HKCU\Software\VB and VBA Program Settings\SrvID\ID]
  • "D7JI99UHS9"="ircbot"
– [HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{C0FCFCEB-CD91-8FAA-AFAD-4DED88DEDA79}]
  • "StubPath"="%HOME%\Application Data\update.exe"
The Active Setup StubPath entries are a second persistence mechanism, independent of the Run keys: Windows executes a component's StubPath at user logon.

P2P
In order to infect other systems in the Peer to Peer network community the following action is performed:
It retrieves shared folders by querying the following registry keys:
• Software\Kazaa\LocalContent
• Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule

Backdoor
Contact server:
• captainowns.no-**********.org:3000 (TCP)

Stealing
It tries to steal the following information:
– Passwords from the following programs:
  • Internet Explorer
  • Mozilla Firefox
  • Valve Steam
– A logging routine is started after the following website is visited:
  • https://onlineeast.bankofamerica.com

Injection
It injects a backdoor routine into a process. Process name:
• explorer.exe

Miscellaneous
Accesses internet resources (an IP geolocation service):
• http://api.ipinfodb.com/v2/**********?key

Mutex:
It creates the following Mutexes:
• D7JI99UHS9
• D7JI99UHS9_pers

File details
Programming language:
The malware program was written in Visual Basic.
Runtime packer:
In order to hamper detection and reduce the size of the file it is packed with a runtime packer.

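As an added example (not Avira's code, and not part of the original description), the following Python script turns the registry artefacts listed above into an offline check that can be run over the text of a `reg export` file taken from a suspect machine. It parses the export, then reports the "WinDefend" autostart values pointing at `%HOME%\Application Data\update.exe`, the Active Setup StubPath under the CLSID `{C0FCFCEB-CD91-8FAA-AFAD-4DED88DEDA79}`, firewall exceptions carrying the misspelt "Windows Messanger" display name, and the `D7JI99UHS9`/`ircbot` entries under `VB and VBA Program Settings`. The embedded sample export is constructed for illustration: the user name `alice` and the benign `OneDrive` entry are invented context, and the indicator strings are the ones documented on this page.

```python
"""Offline registry IOC check for the artefacts attributed to TR/Refroso.4295685.

Added example, not Avira's own tooling. Parses `reg export` text and reports the
autostart, Active Setup, firewall-exception and VB-settings entries documented
on the page. SAMPLE_REG below is constructed (user "alice" and OneDrive invented).
"""
import re
from typing import Dict, List, Tuple

# Indicator strings taken from the description (compared case-insensitively).
ACTIVE_SETUP_KEY = r"\active setup\installed components\{c0fcfceb-cd91-8faa-afad-4ded88deda79}"
BOT_ID = "D7JI99UHS9"            # value name, also used as the mutex name
AUTOSTART_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)
FIREWALL_PROFILE = r"\services\sharedaccess\parameters\firewallpolicy\standardprofile"
FIREWALL_LIST = FIREWALL_PROFILE + r"\authorizedapplications\list"
DROPPED_EXE = r"\application data\update.exe"
EXCEPTION_TAG = ":*:enabled:windows messanger"   # the malware's own misspelling

# Constructed sample in `reg export` syntax (real exports are UTF-16 with a BOM).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinDefend"="C:\\Documents and Settings\\alice\\Application Data\\update.exe"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"WinDefend"="C:\\Documents and Settings\\alice\\Application Data\\update.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\alice\\Application Data\\update.exe"="C:\\Documents and Settings\\alice\\Application Data\\update.exe:*:Enabled:Windows Messanger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C0FCFCEB-CD91-8FAA-AFAD-4DED88DEDA79}]
"StubPath"="C:\\Documents and Settings\\alice\\Application Data\\update.exe"

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID]
"D7JI99UHS9"="ircbot"
'''

# `"name"=data` or `@=data`; the name may contain escaped quotes/backslashes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse `reg export` text into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue                      # hex(...) continuation lines and junk
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])      # REG_SZ
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)          # REG_DWORD
        else:
            keys[current][name] = data                       # hex:, hex(2): ... kept raw
    return keys


def check_registry(text: str) -> List[Tuple[str, str, str]]:
    """Return (indicator, key, value_name) triples for every matching artefact."""
    reg = parse_reg_export(text)
    findings: List[Tuple[str, str, str]] = []
    for key, values in reg.items():
        k = key.lower()
        for name, data in values.items():
            s = str(data).lower()
            # 1. "WinDefend" autostart value pointing at %HOME%\Application Data\update.exe
            if name.lower() == "windefend" and s.endswith(DROPPED_EXE) \
                    and any(k.endswith(a) for a in AUTOSTART_KEYS):
                findings.append(("autostart-windefend", key, name))
            # 2. Active Setup component with the CLSID the sample registers
            if k.endswith(ACTIVE_SETUP_KEY) and name.lower() == "stubpath":
                findings.append(("activesetup-stubpath", key, name))
            # 3. firewall exception carrying the "Windows Messanger" display name
            if k.endswith(FIREWALL_LIST) and s.endswith(EXCEPTION_TAG):
                findings.append(("firewall-exception", key, name))
            # 4. bot identifier / "ircbot" tag under VB and VBA Program Settings
            if "vb and vba program settings" in k and (name == BOT_ID or s == "ircbot"):
                findings.append(("vb-settings-botid", key, name))
    # DoNotAllowExceptions=0 only means exceptions are permitted, which is also the
    # normal state, so it is reported only when a forged exception is present too.
    if any(f[0] == "firewall-exception" for f in findings):
        for key, values in reg.items():
            for name, data in values.items():
                if key.lower().endswith(FIREWALL_PROFILE) \
                        and name.lower() == "donotallowexceptions" and data == 0:
                    findings.append(("firewall-exceptions-forced-on", key, name))
    return findings


def check_reg_file(path: str) -> List[Tuple[str, str, str]]:
    """Run the check over a real export; `reg export` writes UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return check_registry(fh.read())


if __name__ == "__main__":
    for indicator, key, name in check_registry(SAMPLE_REG):
        print(f"{indicator:30} {key} -> {name}")
```

Collect the input on the suspect host with `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` (or from an offline hive converted to .reg text), then call `check_reg_file()` on each file. The path match is deliberately a suffix match on `\Application Data\update.exe` because `%HOME%` resolves to a per-user profile directory; the `EnableFirewall` value in the sample is only there to show that unrelated entries under the same key are ignored.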
Description inserted by Petre Galan on Wednesday, June 15, 2011 Description updated by Petre Galan on Wednesday, June 15, 2011