Trojan.DownLoader11.30925

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Firewall.cpl] 'Debugger' = 'wuauc'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] 'Debugger' = 'wuauc'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '*' = '"%ALLUSERSPROFILE%\WinMngr\svchost.exe"'

Changes the following executable system files:

<SYSTEM32>\mmc.exe.3huX6
<SYSTEM32>\Firewall.cpl.1qer99

Substitutes the following executable system files:

<SYSTEM32>\mmc.exe.B0718HIps with <SYSTEM32>\mmc.exe.B0718HIps
<SYSTEM32>\Firewall.cpl.172L43Mi with <SYSTEM32>\Firewall.cpl.172L43Mi

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'

To complicate detection of its presence in the operating system,

forces the system hide from view:

hidden files

Creates and executes the following:

'%ALLUSERSPROFILE%\WinMngr\procmon.exe'

Executes the following:

'<SYSTEM32>\netsh.exe' firewall set opmode mode=disable profile=all
'<SYSTEM32>\sc.exe' config SharedAccess start= disabled

Modifies file system :

Creates the following files:

C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP15\rp.log
<SYSTEM32>\mmc.exe.39O8o02
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP15\RestorePointSize
<SYSTEM32>\firewall.cpl:Zone.Identifier
<SYSTEM32>\mmc.exe:Zone.Identifier
<SYSTEM32>\Firewall.cpl.6XTKAoj00
<SYSTEM32>\mmc.exe.new
%ALLUSERSPROFILE%\WinMngr\procmon.exe
<SYSTEM32>\firewall.cpl.new
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\fifo.log
<SYSTEM32>\mmc.exe.p13gZN12H

Sets the 'hidden' attribute to the following files:

%ALLUSERSPROFILE%\WinMngr\procmon.exe

Deletes the following files:

<SYSTEM32>\CWAxTSMzOZNsdpvBFcRRfqQMp
<SYSTEM32>\mmc.exe:Zone.Identifier
<SYSTEM32>\pVUiVNqJhvWxeIbNWNbx
<SYSTEM32>\lbKJPSBIXOWDHXJCsfYIn
<SYSTEM32>\wELwCKpJFWCXpal
<SYSTEM32>\WcIrQvEvuwSCnpGzl

Moves the following system files:

from <SYSTEM32>\uekJKibocoCZxF to <SYSTEM32>\IgXAFZVQRdzIMyBVc
from <SYSTEM32>\IgXAFZVQRdzIMyBVc to <SYSTEM32>\EoJwQrrPPLQpBDa
from <SYSTEM32>\EoJwQrrPPLQpBDa to <SYSTEM32>\oJnoBgtOdOyDnIHti
from <SYSTEM32>\nbYOSPCRQwHlk to <SYSTEM32>\uekJKibocoCZxF
from <SYSTEM32>\mmc.exe.3huX6 to <SYSTEM32>\GKZxdRmNmGhfUIMlA
from <SYSTEM32>\GKZxdRmNmGhfUIMlA to <SYSTEM32>\wiuSkPmHCMzFP
from <SYSTEM32>\wiuSkPmHCMzFP to <SYSTEM32>\nbYOSPCRQwHlk
from <SYSTEM32>\bqZcgqpFTbTfGZ@K to <SYSTEM32>\OmpTBLldhQWkRj
from <SYSTEM32>\OmpTBLldhQWkRj to <SYSTEM32>\lONukvmQbZUeU
from <SYSTEM32>\lONukvmQbZUeU to <SYSTEM32>\wELwCKpJFWCXpal
from <SYSTEM32>\xaXsKANeflQLX to <SYSTEM32>\bqZcgqpFTbTfGZ@K
from <SYSTEM32>\oJnoBgtOdOyDnIHti to <SYSTEM32>\NavrTerVaAmsElOTT
from <SYSTEM32>\NavrTerVaAmsElOTT to <SYSTEM32>\JqZKLoAbyZEZfXv
from <SYSTEM32>\JqZKLoAbyZEZfXv to <SYSTEM32>\xaXsKANeflQLX
from <SYSTEM32>\mmc.exe to <SYSTEM32>\mmc.exe.3huX6
from <SYSTEM32>\DfNdAGRMRbxpnc@aDlGcUL to <SYSTEM32>\nEgdRtuGtOJKxNpeyjsjnR
from <SYSTEM32>\nEgdRtuGtOJKxNpeyjsjnR to <SYSTEM32>\OgXgqvMnWEqWllGFqiuZYU
from <SYSTEM32>\OgXgqvMnWEqWllGFqiuZYU to <SYSTEM32>\ylOswysiMXffiDxlfqMauXl
from <SYSTEM32>\GeOBWNkkxFAAucIiLgnI to <SYSTEM32>\DfNdAGRMRbxpnc@aDlGcUL
from <SYSTEM32>\firewall.cpl to <SYSTEM32>\Firewall.cpl.1qer99
from <SYSTEM32>\Firewall.cpl.1qer99 to <SYSTEM32>\EXESKYYmHfabsCHHlGMR
from <SYSTEM32>\EXESKYYmHfabsCHHlGMR to <SYSTEM32>\GeOBWNkkxFAAucIiLgnI
from <SYSTEM32>\EOSQpKszzmIoVWLNYOSX to <SYSTEM32>\uBQtxtqJuoaUEzpVZUxPrQ
from <SYSTEM32>\uBQtxtqJuoaUEzpVZUxPrQ to <SYSTEM32>\ShmYxflqCqPxEUcZVUQDdB
from <SYSTEM32>\ShmYxflqCqPxEUcZVUQDdB to <SYSTEM32>\lbKJPSBIXOWDHXJCsfYIn
from <SYSTEM32>\CoqxCBCobnTJzLwoogOb to <SYSTEM32>\EOSQpKszzmIoVWLNYOSX
from <SYSTEM32>\ylOswysiMXffiDxlfqMauXl to <SYSTEM32>\tKJfpbpxKiasqnEaNPLgWh
from <SYSTEM32>\tKJfpbpxKiasqnEaNPLgWh to <SYSTEM32>\HnPpDaRoOPGsiXkhnPlWk
from <SYSTEM32>\HnPpDaRoOPGsiXkhnPlWk to <SYSTEM32>\CoqxCBCobnTJzLwoogOb

Moves the following files:

from <SYSTEM32>\ElasBLwnTygySVtRxpiNrfXB to <SYSTEM32>\YkUtnQLVzUUJUMyFVTlpyjqE
from <SYSTEM32>\EMpQeuYsYEXhaaEChsXfO to <SYSTEM32>\MFyKzxeaUjPmgECMgSscQ
from <SYSTEM32>\MFyKzxeaUjPmgECMgSscQ to <SYSTEM32>\IINEQISCKxgXHCLwVrRMS
from <SYSTEM32>\IINEQISCKxgXHCLwVrRMS to <SYSTEM32>\YXzVtTYQWSTMNbTiBnOLi
from <SYSTEM32>\YkUtnQLVzUUJUMyFVTlpyjqE to <SYSTEM32>\oxWpTKqMvmYZM@kMQfnXeRfRZ
from <SYSTEM32>\xhVfoPSVIVReyeOpvSbSJe to <SYSTEM32>\ElasBLwnTygySVtRxpiNrfXB
from <SYSTEM32>\mlIodJvSjRDwcIulJcAGPoBgl to <SYSTEM32>\funevNUApLsbxZKw`vMPEiAx
from <SYSTEM32>\PASovEKIbN@uIkoLwD to <SYSTEM32>\wmcnAKpnLKiOiXSGMXyH
from <SYSTEM32>\wmcnAKpnLKiOiXSGMXyH to <SYSTEM32>\AhkqEEsphBmDRhBNkprr
from <SYSTEM32>\AhkqEEsphBmDRhBNkprr to <SYSTEM32>\EMpQeuYsYEXhaaEChsXfO
from <SYSTEM32>\funevNUApLsbxZKw`vMPEiAx to <SYSTEM32>\xhVfoPSVIVReyeOpvSbSJe
from <SYSTEM32>\oxWpTKqMvmYZM@kMQfnXeRfRZ to <SYSTEM32>\gMaNymZbdUJbjATqvgpeyXn
from <SYSTEM32>\KOjbiXikmDhleiQMNjoJG to <SYSTEM32>\xyVrNncMozRRsFYBGwo
from <SYSTEM32>\QgYrsuxeiLwckYDBXqeII to <SYSTEM32>\KOjbiXikmDhleiQMNjoJG
from <SYSTEM32>\xyVrNncMozRRsFYBGwo to <SYSTEM32>\MlFzoUKJRpNSiNdfcGbS
from <SYSTEM32>\DvkHcmytZMGraqgdRmuG to <SYSTEM32>\pVUiVNqJhvWxeIbNWNbx
from <SYSTEM32>\MlFzoUKJRpNSiNdfcGbS to <SYSTEM32>\DvkHcmytZMGraqgdRmuG
from <SYSTEM32>\kteQGCQSyttyncgWV to <SYSTEM32>\QgYrsuxeiLwckYDBXqeII
from <SYSTEM32>\gMaNymZbdUJbjATqvgpeyXn to <SYSTEM32>\vZMscoYSIlDSXpSyBtupLHfy
from <SYSTEM32>\YXzVtTYQWSTMNbTiBnOLi to <SYSTEM32>\lCBTnPbpBoIpyMyIE
from <SYSTEM32>\lCBTnPbpBoIpyMyIE to <SYSTEM32>\jzTdDaOatqvhTIegUjRP
from <SYSTEM32>\vZMscoYSIlDSXpSyBtupLHfy to <SYSTEM32>\CWAxTSMzOZNsdpvBFcRRfqQMp
from <SYSTEM32>\jzTdDaOatqvhTIegUjRP to <SYSTEM32>\kteQGCQSyttyncgWV
from <SYSTEM32>\CRfrGXDJRFKlVYEdpJCcSJmq to <SYSTEM32>\mlIodJvSjRDwcIulJcAGPoBgl
from <SYSTEM32>\yJKPqElMmhjTqGEJH to <SYSTEM32>\iQNYFVbqxMsKRqT
from <SYSTEM32>\UvvBvyzTcSwxRPg to <SYSTEM32>\yJKPqElMmhjTqGEJH
from <SYSTEM32>\iQNYFVbqxMsKRqT to <SYSTEM32>\IxbrjMblkwIhCoeY
from <SYSTEM32>\VxzMnByvsqcziOQxMg to <SYSTEM32>\yBRNiGBjUuljpvVQtV
from <SYSTEM32>\IxbrjMblkwIhCoeY to <SYSTEM32>\VxzMnByvsqcziOQxMg
from <SYSTEM32>\TEdKEJUzuxrXvlluzd to <SYSTEM32>\UvvBvyzTcSwxRPg
from <SYSTEM32>\hgwaaeGivDdIXCiVi to <SYSTEM32>\AOEFGuewLilpfui
from <SYSTEM32>\mmc.exe.39O8o02 to <SYSTEM32>\hgwaaeGivDdIXCiVi
from <SYSTEM32>\AOEFGuewLilpfui to <SYSTEM32>\AGDQsZmUtPhGtXTiX
from <SYSTEM32>\tSTCzfnYsONtYZH to <SYSTEM32>\TEdKEJUzuxrXvlluzd
from <SYSTEM32>\AGDQsZmUtPhGtXTiX to <SYSTEM32>\tSTCzfnYsONtYZH
from <SYSTEM32>\yBRNiGBjUuljpvVQtV to <SYSTEM32>\LkXDQPRThWOBMBi
from <SYSTEM32>\vOtTfuATMvMwktLkz to <SYSTEM32>\WcIrQvEvuwSCnpGzl
from <SYSTEM32>\mmc.exe.p13gZN12H to <SYSTEM32>\ZtmnzMhRdmkPSSiPfbz
from <SYSTEM32>\zvvYtumYHbHdSHLGIxgPBolcyj to <SYSTEM32>\CRfrGXDJRFKlVYEdpJCcSJmq
from <SYSTEM32>\vpGgCdyrpOwCxYBjUimj to <SYSTEM32>\PASovEKIbN@uIkoLwD
from <SYSTEM32>\ZtmnzMhRdmkPSSiPfbz to <SYSTEM32>\vpGgCdyrpOwCxYBjUimj
from <SYSTEM32>\OpSRzanehzhtusoUDMu to <SYSTEM32>\vOtTfuATMvMwktLkz
from <SYSTEM32>\LkXDQPRThWOBMBi to <SYSTEM32>\JOKRhVrRsgqryQJqn
from <SYSTEM32>\Firewall.cpl.6XTKAoj00 to <SYSTEM32>\hbAuPeEVeQfCCjBCJCnxeXzdh
from <SYSTEM32>\JOKRhVrRsgqryQJqn to <SYSTEM32>\KCgdpRwlHTrrlKOw
from <SYSTEM32>\hbAuPeEVeQfCCjBCJCnxeXzdh to <SYSTEM32>\zvvYtumYHbHdSHLGIxgPBolcyj
from <SYSTEM32>\KCgdpRwlHTrrlKOw to <SYSTEM32>\OpSRzanehzhtusoUDMu

Moves itself:

from <Full path to virus> to %ALLUSERSPROFILE%\WinMngr\svchost.exe

Network activity:

Connects to:

'so##c4us.in':80

TCP:

HTTP POST requests:

so##c4us.in/l/page.php

UDP:

DNS ASK so##c4us.in

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial