Full description

Virus:	TR/Kazy.24732.12
Date discovered:	30/05/2011
Type:	Trojan
In the wild:	Yes
Reported Infections:	Low to medium
Distribution Potential:	Low
Damage Potential:	Low to medium
Static file:	Yes
File size:	185.856 Bytes
MD5 checksum:	137d614bcab51797b4be6b6cac0016b6
IVDF version:	7.11.08.168 - Monday, May 30, 2011

General Aliases:
   • Bitdefender: Trojan.Downloader.JOID
   • GData: Trojan.Downloader.JOID

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

Files It copies itself to the following location:
   • %HOME%\Application Data\dwm.exe

It deletes the following files:
   • %TEMPDIR%\4.exe
   • %TEMPDIR%\5.exe

The following files are created:

– %TEMPDIR%\4.exe
– %TEMPDIR%\csrss.exe
– %HOME%\Application Data\01E2.543
– %HOME%\Application Data\Microsoft\conhost.exe
– %TEMPDIR%\5.exe

It tries to download a file:

– The locations are the following:
   • http://separatemilkandtee.com/blog/images/**********?v37=%number%&tq=%character string%
   • http://highspeeddbsearch.com/blog/images/**********?v46=%number%&tq=%character string%

It tries to execute the following files:

– Filename:
   • %TEMPDIR%\4.exe check

– Filename:
   • %HOME%\Application Data\Microsoft\conhost.exe

– Filename:
   • %TEMPDIR%\5.exe check

– Filename:
   • %TEMPDIR%\csrss.exe

Registry The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="explorer.exe,%HOME%\Application Data\dwm.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "conhost"="%HOME%\Application Data\Microsoft\conhost.exe"

The following registry key is changed:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   New value:
   • "Load"="%TEMPDIR%\csrss.exe"

Miscellaneous Checks for an internet connection by contacting the following web site:
   • http://www.google.com
Accesses internet resources:
   • http://healthylifenow.com/templates/7349/images/**********?v78=%number%&tq=%character string%
   • http://zonedg.com/**********?tq=%character string%
   • http://gravatar.com/**********?gravatar_id=%character string%&tq=%character string%
   • http://nationsautoelectric.com/images/**********?v44=%number%&tq=%character string%
   • http://xprstats.com/images/**********?tq=%character string%
   • http://freetopmusiconline.com/blog/images/**********?v67=%number%&tq=%character string%
   • http://freetopmusiconline.com/blog/images/**********?v55=%number%&tq=%character string%
   • http://freetopmusiconline.com/blog/images/**********?v67=%number%&tq=%character string%

Mutex:
It creates the following Mutexes:
   • {1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
   • CH5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
   • {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
   • {45BCA615-C82A-4152-8857-BCC626AE4C8D}
   • {B5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
   • {35BCA615-C82A-4152-8857-BCC626AE4C8D}
   • {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
   • {A5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {5D92BB9F-9A66-458f-ACA4-66172A7016D4}
   • {61B98B86-5F44-42b3-BCA1-33904B067B81}
   • CHD92BB9F-9A66-458f-ACA4-66172A7016D4}

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

설명 삽입자 Petre Galan 2011년 6월 30일 목요일
설명 업데이트 Petre Galan 2011년 6월 30일 목요일

뒤로 . . . .

내 계정