Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Drop.Injector.etcf
Date discovered:26/04/2012
Type:Trojan
Subtype:Dropper
In the wild:No
Reported Infections:High
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:61.440 Bytes
MD5 checksum:dd8c3d5370438068e8ff61391d801e7b
VDF version:7.11.28.178 - Thursday, April 26, 2012
IVDF version:7.11.28.178 - Thursday, April 26, 2012

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Dropper.Win32.Injector.etcf
   •  Sophos: Troj/Bredo-WL
   •  Bitdefender: Trojan.Generic.KDV.608405
   •  Microsoft: Trojan:Win32/Matsnu
   •  Eset: a variant of Win32/Injector.QQN trojan
   •  GData: Trojan.Generic.KDV.608405


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification


Right after execution the following information is displayed:


 Files It copies itself to the following locations:
   • %APPDATA%\Bsnoijhcbqe\E58BA09AD8812EB1728E.exe
   • %TEMP%\%10 digit random character string% .pre
   • %SYSDIR%\7B128C17D8812EB16B33.exe



It deletes the initially executed copy of itself.

 Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%TEMP%\%10 digit random character string% .pre;"

 Injection – It injects itself into a process.

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • http://**********-a.com/**********.php?id=**********564549&cmd=img
   • http://**********-a.com/**********.php?id=**********564549&cmd=lfk&data=**********k0wIYg6TtL2zhzZ
   • http://**********-a.com/**********.php?id=**********564549&stat=0


Event handler:
It creates the following Event handlers:
   • CreateService
   • StartService
   • CreateRemoteThread
   • HttpOpenRequest
   • FtpOpenFile
   • InternetOpenUrl
   • InternetOpen
   • GetDriveType
   • CreateFile
   • CreateToolhelp32Snapshot
   • ShellExecute

 File details Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Wensin Lee on Friday, April 27, 2012
Description updated by Wensin Lee on Friday, April 27, 2012

Back . . . .