TR/Fotomoto.E - Trojan

See also

Summary

Full description

Statistics

Virus:	TR/Fotomoto.E
Date discovered:	29/08/2007
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	75.284 Bytes
MD5 checksum:	1ffd1d03db9b66987c6875f5981236c1
IVDF version:	6.39.01.57

General Method of propagation:
   • No own spreading routine

Aliases:
   • Mcafee: Downloader-BFC
   • Kaspersky: Trojan.Win32.Agent.bck
   • F-Secure: Trojan.Win32.Agent.bck
   • Sophos: Troj/Bckdr-QJL
   • Panda: Trj/Downloader.OZB
   • Eset: Win32/Agent.BCK

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Lowers security settings
   • Registry modification
   • Third party control

Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\DomainService]
   • Type = 10
   • Start = 2
   • ErrorControl = 0
   • ImagePath = %malware execution directory%\%executed file% /service
   • DisplayName = DomainService
   • ObjectName = LocalSystem
   • FailureActions = %hex values%
   • Description = DomainService

– [HKLM\SYSTEM\CurrentControlSet\Services\DomainService\Security]
   • Security = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\DomainService\Enum]
   • 0 = Root\LEGACY_DOMAINSERVICE\0000
   • Count = 1
   • NextInstance = 1

The value of the following registry key is removed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • DDC

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • %malware execution directory%\%executed file% =
      %malware execution directory%\%executed file%:*

The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\DomainService]

The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • SFCDisable = 0
   New value:
   • SFCDisable = 4

Backdoor Contact server:
All of the following:
   • http://23.244.141.185/**********/install.php
   • http://23.244.141.185/**********/heartbeat.php
   • http://23.244.141.185/**********/domains.php

As a result it may send information and remote control could be provided.

Sends information about:
    • Current malware status

Remote control capabilities:
    • Download file
    • Visit a website

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

See a brief description here.

Description inserted by Andrei Gherman on Wed, 10 Oct 2007 09:57 (GMT+1)
Description updated by Andrei Gherman on Wed, 10 Oct 2007 10:18 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back