Tuesday, July 19, 2011

Trojan-Downloader.LittleTroy

VirusHunter warns computer users that a large number of malicious programs, modifications of various families of Trojan downloaders, are being spread on the Internet. Once installed on a system by other malware or by similar means, these Trojans secretly download many other Trojans onto the infected computer via the Internet, among which may be spyware, porn dialers, etc.

Preliminary information.

This article describes 11 Trojans of the "Trojan downloader" class, which I refer to as the group Trojan-Downloader.LittleTroy. Although they are written in different programming languages and were evidently created by different authors, they all have the following in common:
- they are relatively small;
- they are "single-action" programs (they carry out their routine and then terminate);
- most of them create no registry keys that would reactivate them after Windows restarts.
The ways in which these Trojans reach a user's computer vary. The main sources are pornographic and cracked-software Internet resources, where the chance of catching a "venereal disease" for your computer, under the guise of a "useful" program or through vulnerabilities in the web browser's script protection (see the description of the Trojan family Trojan-Downloader.Dyfuca), is much higher than on any official resource. Members of this Trojan group can also be installed into the system by other malicious programs that got onto a careless user's computer some time earlier. I will say at once that each modification is described on the basis of my study of its code; in my opinion there was no need to run additional experiments on a test machine.
Unless stated otherwise, the description assumes the following:
- the system directory is named "WINDOWS";
- most of the Trojans function under various versions of Windows, including Windows 2K/XP; if a Trojan works only under certain versions of Windows, those are listed in the description of that member of "LittleTroy";
- the symbol "%" marks fragments that have a non-constant value, i.e. variables that depend on some condition; in the Internet links from which the Trojans download other malware I have also replaced parts of the addresses with this symbol, in order to present information about the actions of "LittleTroy" safely;
- detection data for the "LittleTroy" Trojans is given as of the date of the last change to this description.

1. Trojan-Downloader.LittleTroy.5632

Written by some other malware to the system directory as WINDOWS\loader.exe. The file is 5632 bytes (not processed by any packing tools). The Trojan cannot activate itself at system startup, since its code contains no procedure for creating the appropriate autorun keys. It can therefore be activated at boot only if the other malware that installed it creates a registry autorun key for loader.exe in advance, or if that malware runs it itself. After launch, the Trojan remains resident in memory until shutdown. At regular intervals it checks for an Internet connection and for the availability of TCP port 8081. If both conditions are met, the Trojan connects to the web resource http://217. .66.1/del% / , where it tries to find files with the following text in their names: dia exe cmb_ . If it finds any of these files, it downloads it to the affected computer, installs it in the system directory under the name WINDOWS\comload.dll and then executes it. From then on the DLL file functions independently. Since during experiments with the Trojan on a test machine the file comload.dll was never downloaded from the Internet, its contents are unknown to me (it is probably some kind of Trojan). While searching for files at the above web resource, the Trojan reports technical information in the form of the following messages:
Accessing ... ... Initializing Accessing Accessing Requesting ... 00% ... Accessing Completed LDR Accesing Please wait ... The Requested file does Not exist. Please check with your provider and try Service again
The Trojan file loader.exe is detected by antivirus as: Kaspersky Professional: Generic.Malware.dld!!.5599A2E1

2. Trojan-Downloader.LittleTroy.osa

Distributed under the name osa.gif among the other components of a web page's design. The extension "GIF", typical of image files, was deliberately given to the Trojan file so that its real nature is not revealed among the pictures and banners, the components stored together with the machine's HTML pages.
The Trojan file is a Win32 application (PE EXE file) of about 2050 to 20,200 bytes, depending on the number of zero bytes in its tail section. For the Trojan to be launched, the code of the loaded HTML page must contain a malicious script that replaces the Trojan file's extension "GIF" with "EXE" and then runs the renamed file. Without such a script in the page body, osa.gif poses no threat.
The Trojan osa.gif (osa.exe?) is a single-use program, intended only for the secret download and installation of another Trojan on the infected computer; osa.exe then ends its work and is nothing more than a junk file.
When launched, the Trojan checks whether the machine has an Internet connection and, if the connection is active, secretly connects to the page http://abyronexperience.com/%/1.php , from which it tries to download one EXE file to the affected computer. The Trojan installs this file in a randomly named subdirectory that it creates in the system directory, assigning it the random file name "%" (here the variable % has some specific value): WINDOWS\[subdirectory with a random name]\%.exe . Once the file is installed and launched, the Trojan creates in system memory a unique identifier for the new Trojan process "%.exe". This identifier is called fds5644ghhopen and contains information about the location of the file %.exe in the system directory and about its activity. The need for this "tag" in system memory evidently stems from the fact that the subdirectory name and the file name are assigned randomly by the Trojan, and the presence of the identifier avoids repeated downloads and installations of the same Trojan onto the victim's machine in different subdirectories. The Trojan file osa.gif (osa.exe?) is detected by antivirus software as: Kaspersky Professional: Generic.Malware.dld!!.B158991E
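The osa.gif trick above relies on nobody checking that a file named like an image actually contains an image. The following is an added example (not code from the article or its author) of the check a defender would run over a web root or an HTML cache: it reads the magic bytes, recognises a Win32 PE executable by its "MZ" header and "PE\0\0" signature, and flags any file whose image extension disagrees with its contents. All sample files below are constructed in the script; the padded "osa.gif" entry only imitates the zero-byte tail the text describes and is not a real executable.

```python
"""Added example: flag files whose extension claims an image but whose bytes
are a Win32 PE executable (the osa.gif disguise described above).
Every sample below is constructed here; none is a real file from the article."""
import os
import struct

# Magic bytes of the image formats a web page typically carries.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
IMAGE_EXTS = {".gif", ".png", ".jpg", ".jpeg"}


def is_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature, i.e. a Win32 PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def content_type(data: bytes) -> str:
    """Classify by content, never by name: 'pe', an image kind, or 'unknown'."""
    if is_pe(data):
        return "pe"
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def is_masquerading(name: str, data: bytes) -> bool:
    """An image extension on a file that is really a PE executable."""
    ext = os.path.splitext(name)[1].lower()
    return ext in IMAGE_EXTS and content_type(data) == "pe"


def make_fake_pe(tail_zero_bytes: int = 0) -> bytes:
    """Constructed PE-shaped blob for testing: DOS header, e_lfanew, PE signature,
    optional run of zero bytes (the variable tail the article mentions).
    It is not loadable code."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    return bytes(header) + b"PE\0\0" + b"\0" * tail_zero_bytes


# Constructed "web root": one real-looking GIF, one PE hiding behind .gif,
# one honest EXE and one text file.
SAMPLES = {
    "logo.gif": b"GIF89a" + b"\0" * 32,
    "osa.gif": make_fake_pe(2000),
    "setup.exe": make_fake_pe(),
    "note.txt": b"hello",
}


def scan(samples: dict) -> list:
    """Names of files that pass as images by extension but are executables."""
    return sorted(name for name, data in samples.items() if is_masquerading(name, data))


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10} {content_type(data):8} masquerading={is_masquerading(name, data)}")
    print("flagged:", scan(SAMPLES))
```

To run this over a real directory, replace SAMPLES with a dictionary built from `open(path, "rb").read(64)` for each file; only the first 64 bytes are needed for the classification, and the decision is made from the bytes alone, so a renamed extension changes nothing.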

3. Trojan-Downloader.LittleTroy.5664

This Trojan functions only under Windows 2K/XP. It downloads some other malware from the Internet and installs it into the system.
The Trojan file is 3616 bytes (compressed with the "UPX" compression utility, version 1.24; uncompressed it is 5664 bytes) and is stored in the Windows system directory as WINDOWS\ms1.exe. Once launched, the Trojan remains resident in memory until Windows shuts down. While working, it tries to connect to the following Internet sites:
http://evker.com/%/myurl.txt
http://evker.com/%/7.php
From the first of these sites the Trojan downloads a DLL and an EXE file to the affected computer and installs them in a subdirectory it creates in the system directory:
WINDOWS\SYS\%.dll
WINDOWS\SYS\%.exe
The names of the DLL and EXE files are set by the Trojan as random combinations of digits and letters, and it registers these files for launch at every system boot with the standard registration command in silent mode, "regsvr32 /s". From the second site the Trojan downloads and installs into the system subdirectory "\System32\" the Trojan file WINDOWS\System32\init32m.exe. It registers this file as a component of the system process "Explorer.exe", which provides the graphical shell of Windows 2K/XP. To register init32m.exe and give it the ability to start at every system boot, the Trojan changes the original value of the "Shell" registry value in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon], "Shell" = "Explorer.exe", to "Shell" = "Explorer.exe C:\\WINDOWS\\System32\\init32m.exe". It should be noted that a similar launch method was used in 2002 by the malware Backdoor.Chernovtsy.2002, but only for its hidden activation under Windows 9X/ME. The Trojan keeps a report of the files it downloads from the Internet in a file it creates, WINDOWS\System32\$$$_.log. The Trojan file ms1.exe is detected by antivirus as: Kaspersky Professional: Generic.Malware.dld!!.9E3BE8BE
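The Winlogon "Shell" modification above, and the autorun values that later members of the group add (the "mswspl" value of 16384-B, the doubled startup keys of paytime and sexer), are all visible in a registry export. The following is an added example, not code from the article or its author, of a small audit over such an export: it parses the `.reg` text, reports anything appended after Explorer.exe in the Shell value, and lists Run-key entries that launch a file from the Windows directory root, where several LittleTroy members drop their files. SAMPLE_REG is constructed for illustration and reuses names from the article; the RunServices key path and the "Windows root" heuristic are my own assumptions, not something the article states.

```python
"""Added example (not from the article): audit a .reg export for the
Winlogon 'Shell' hijack and for autorun values that run from the Windows root.
SAMPLE_REG is a constructed export that reuses file names from the article."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\init32m.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mswspl"="C:\\WINDOWS\\mattie54.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumed autorun locations to inspect (Run is named in the article's context; RunServices is my addition).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}} for the REG_SZ values of a .reg export.
    Only quoted string values are handled; .reg doubles backslashes, so undo that."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def shell_extras(keys: dict) -> list:
    """Programs appended after Explorer.exe in Winlogon\\Shell. A clean system has
    exactly 'Explorer.exe'; anything else is started together with the shell.
    (Whitespace split: a quoted path containing spaces would need a fuller parser.)"""
    shell = keys.get(WINLOGON, {}).get("Shell", "Explorer.exe")
    parts = shell.split()
    if parts and parts[0].lower() == "explorer.exe":
        return parts[1:]
    return parts  # the shell itself was replaced


def run_entries(keys: dict) -> list:
    """(key_path, value_name, command) for every value under the autorun keys."""
    return [(k, n, cmd) for k in RUN_KEYS for n, cmd in keys.get(k, {}).items()]


def in_windows_root(command: str) -> bool:
    """True when the command's file sits directly in the Windows directory root
    (e.g. C:\\WINDOWS\\mattie54.exe), a drop location used by several LittleTroy members."""
    stripped = command.strip()
    if not stripped:
        return False
    path = stripped.strip('"').split()[0]
    parts = path.replace("/", "\\").split("\\")
    return len(parts) == 3 and parts[1].upper() in ("WINDOWS", "WINNT")


def audit(keys: dict) -> list:
    """Human-readable findings for the two persistence techniques above."""
    findings = [f"Winlogon Shell appends extra program: {p}" for p in shell_extras(keys)]
    for key, name, cmd in run_entries(keys):
        if in_windows_root(cmd):
            short = key.rsplit("\\", 1)[-1]
            findings.append(f"autorun '{name}' in {short} runs from Windows root: {cmd}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", line)
```

On a live machine the same functions can be fed the output of `reg export` for the two hives; the parser deliberately handles only string values, because that is the type of both the Shell value and the autorun commands the article describes.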

4. Trojan-Downloader.LittleTroy.16384-A

This Trojan is downloaded from the Internet and installed on the affected computer by the Trojan Trojan-Downloader.ISTbar.MegaLoader, which also launches it.
The Trojan file is 3584 bytes (compressed with the "UPX" compression utility, version 1.24; uncompressed it is 16,384 bytes) and is written to disk in the system directory as WINDOWS\bridge.exe. Once launched, the Trojan remains resident in memory until system shutdown. While working, it tries to connect to the page http://www.slotch.com/%/%/Golden/casprog.exe, downloads the corresponding file to the affected machine and runs it; judging by the link, the latter is a Trojan of the family Trojan-Downloader.ISTbar. This Trojan installs the file in the system directory as WINDOWS\casprog.exe. So that this Trojan file can be launched independently at system startup, Trojan-Downloader.LittleTroy.16384-A creates the appropriate entries in the following registry sections, adding some additional values to their contents. The Trojan file bridge.exe is detected by antivirus as: Kaspersky Professional: Trojan.Downloader.Golden.A

5. Trojan-Downloader.LittleTroy.16384-B

This Trojan is downloaded from the Internet and installed on the affected computer by some other Trojan, which also launches it.
Its functionality is almost identical to that of the Trojan program Trojan-Downloader.LittleTroy.16384-A described above (file size, type and version of the compression utility are completely analogous). It differs only in some details.
The Trojan file is written to disk in the system directory under the name WINDOWS\searchbarcash.exe. The link from which it downloads and executes the other Trojan file on the infected computer is also different: http://www2.flingstone.com/%/mattie54.exe . Before downloading this file, the Trojan checks whether such a file already exists in the system directory, C:\WINDOWS\mattie54.exe (exactly this path). If such a file is found, the Trojan terminates its work (i.e. ends the "mattie54.exe" process in memory) and renames "mattie54.exe" to "mattie54", then downloads the above file from the Internet and installs it in the same location. Trojan-Downloader.LittleTroy.16384-B then adds to the registry sections a new value named "mswspl" with a reference to the file mattie54.exe, whereby the latter gains control at every system startup. The Trojan file searchbarcash.exe is detected by antivirus as: Kaspersky Professional: Trojan.DownLoader.Infa.A

6. Trojan-Downloader.LittleTroy.6653-A

This Trojan is downloaded from the Internet and installed on the affected computer by some other Trojan. The Trojan file is written under the name s.exe in one of the following subdirectories of the system directory:
for Windows 9X/ME: WINDOWS\SYSTEM\s.exe
for Windows 2K/2K Server/XP: WINDOWS\System32\s.exe
The Trojan file is 6653 bytes and is encrypted with the crypting tool "YodaCrypt", the exact version of which I could not establish; the decrypted file, approximating the original code, was 5120 bytes. The Trojan creates no keys for its launch at every system boot, since it is executed by the same other Trojan that installed it on the machine. Once launched, the Trojan remains resident in system memory until Windows shuts down, and periodically checks the availability of port 1025 or any subsequent port on the infected computer in order to attempt Internet access. If the network connection is active, the Trojan secretly connects, at random, to one of the following web pages:
http://69. .171.170/gallery/1/bc.php%
http://69. .171.172/rest%/1/bc.php
From either of them it downloads to the affected computer a file named lrtt.dat, which is evidently an updated plugin (component file) of some other Trojan. If the download succeeds, the Trojan creates, in the same subdirectory where its own file is located, a report DLL file with a random name, into which it writes the following header: OK = R = goman
The Trojan file s.exe is detected by antivirus as: Kaspersky AntiVirus: Trojan.Win32.Crypt.i (decrypted file: the same); BitDefender Professional: GenPack:Generic.Malware.dld!!.EEC4823C (decrypted file: Generic.Malware.dld!!.B34D4B33)

7. Trojan-Downloader.LittleTroy.6653-B

This Trojan is downloaded from the Internet and installed on the affected computer by some other Trojan. Its functionality is almost identical to that of the program Trojan-Downloader.LittleTroy.6653-A described above (file size, type and version of the crypting utility, as well as location on disk, are completely analogous). It differs only in some details.
The Trojan file is written under the name sys5451.exe. It creates no keys for its launch at every system boot, since it is executed by the same other Trojan that installed it on the machine; after launch it remains resident in system memory until Windows shuts down. Its actions when Internet access is available are completely analogous to those of Trojan-Downloader.LittleTroy.6653-A, except that the Trojan secretly communicates with only one web page, the first in the list above for Trojan-Downloader.LittleTroy.6653-A, and downloads from it a file named dabran.dat. On successful download, the Trojan creates a report file whose characteristics and contents are completely identical to the scenario described above.
The Trojan file sys5451.exe is detected by antivirus as: Kaspersky AntiVirus: Trojan.Win32.Crypt.i (decrypted file: the same); BitDefender Professional: GenPack:Generic.Malware.dld!!.83FF7720 (decrypted file: Generic.Malware.dld!!.5F3B3EE5)

8. Trojan-Downloader.LittleTroy.paytime

This Trojan is downloaded from the Internet and installed on the affected computer by some other Trojan.
The Trojan file is written under the name s.exe in one of the following subdirectories of the system directory:
for Windows 9X/ME: WINDOWS\SYSTEM\paytime.exe
for Windows 2K/2K Server/XP: WINDOWS\System32\paytime.exe
After being written to disk and launched, the Trojan functions independently. Trojan-Downloader.LittleTroy.paytime is not processed by any compression or crypting utilities and is 3584 bytes. To enable its launch at every system boot, it creates the following registry keys:
for Windows drive]: \ \ WINDOWS \ \ SYSTEM \ \ paytime.exe "
for Windows 2K/2K drive]: \ \ WINDOWS \ \ System32 \ \ paytime.exe "
To complicate forced removal from memory if it is detected, the Trojan creates this registry key twice, so that at startup the process paytime.exe is loaded into memory twice as well. The Trojan also modifies the registry key holding the settings of the Internet Explorer web browser, with the following values: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main] "Local Page" = "http://195.%.218.172/index.php" "Start (the Trojan writes the values into this key twice, too). As a result of these changes, http://195.%.218.172/index.php will be called and loaded automatically when working with Internet Explorer. After this page loads, if the Trojan paytime.exe is active in the system, other malware will be uploaded to the affected machine automatically, without the user's knowledge.
After making these changes to the Internet Explorer settings, the Trojan secretly connects to the Internet, downloads the following Trojans to the affected computer, installs them in the same system subdirectory as its own file paytime.exe, and executes them:
countrydial.exe - not found on the affected machine;
newdial.exe - not found on the affected machine;
paydial.exe - not found on the affected machine;
newdial1.exe - a Trojan that extracts several other Trojans from its body and installs them on the affected computer (the Trojan file is compressed with the "UPX" compression utility, version 1.25, and is 62,464 bytes; its code was not studied in detail);
tibs.exe - a Trojan that downloads several other Trojans via the Internet and installs them on the affected computer (the Trojan file is compressed with the "FSG" compression utility, version 2.0, and is 13,373 bytes; its code was not studied thoroughly);
tool2.exe - not found on the affected machine.
After downloading, the Trojan runs all of these files, which then operate independently. To enable the automatic launch of the file tool2.exe, Trojan-Downloader.LittleTroy.paytime creates an entry referencing this file in the registry key section

The Trojans it downloads are detected by antivirus as: Kaspersky

9. Trojan-Downloader.LittleTroy.js-397

A primitive but notorious Trojan script, 397 bytes, written in JavaScript. It gets onto the machine in the same way as the other single-action Trojan programs, i.e. when accessed it performs its malicious routine and then exits. The Trojan creates no keys in the registry. The Trojan script is triggered automatically under all Windows versions up to Windows 2K/XP with Service Pack SP?, on which its launch is blocked by the system security (firewall). Its malicious actions are as follows: it secretly tries to get onto the machine one of the Trojans of the "PdPinch" or "LdPinch" family, downloading the file into the Windows Media Player directory (if that program is not running at the moment): C:\Program Files\Windows Media Player\wmplayer.exe . On a machine with Windows Media Player 8.0 (???) or later, the original file wmplayer.exe is overwritten by the above Trojan, which is then executed automatically whenever the system invokes the Windows Media Player. In this case the Trojan wmplayer.exe can be launched only if Windows Media Player version 8.0 or higher is installed on the user's machine and runs in the system as the "default" player. On a machine with a Windows Media Player below version 8.0 (for example, Windows 98, 98 SE or ME without installed updates), the Trojan will also be written as wmplayer.exe, but will never be run automatically when the system accesses the player, since on such systems the corresponding component is called mplayer2.exe and, of course, will not be overwritten by the Trojan. The Trojan script Trojan-Downloader.LittleTroy.js-397 is detected by antivirus software as: Kaspersky Professional: Generic.XPL.ADODB.BC499C27

10. Trojan-Downloader.LittleTroy.1665

This Trojan is downloaded from the Internet and installed on the affected computer either by the Trojan Trojan-Downloader.HackWeb.4577, in which case copies of Trojan-Downloader.LittleTroy.1665 are saved to disk as the files:
for Windows 9X/ME: WINDOWS\SYSTEM\vxh8jkdq1.exe , WINDOWS\SYSTEM\vxh8jkdq8.exe , [random drive]:\Temp\1.qtdfmp
for Windows 2K/2K Server/XP: WINDOWS\System32\vxh8jkdq1.exe , WINDOWS\System32\vxh8jkdq8.exe , [random drive]:\Temp\1.qtdfmp
after which the file vxh8jkdq1.exe is executed and copies itself to the same subdirectory as an EXE file with an undetermined name; or by the Trojan Trojan-Downloader.HackWeb.small-B, in which case Trojan-Downloader.LittleTroy.1665 is saved to disk as the file:
for Windows 9X/ME: WINDOWS\SYSTEM\vxgame3.exe
for Windows 2K/2K Server/XP: WINDOWS\System32\vxgame3.exe
The file of Trojan-Downloader.LittleTroy.1665 is 1665 bytes and is compressed with the "FSG" compression utility, version 2.0; the uncompressed file, approximating the original, was 32768 bytes. The Trojan creates no registry keys for its launch at the next Windows boot and can be run only by other malware. While working, the Trojan tries to secretly connect to one of the following Internet pages and download from there the next Trojan, the file loadppc.exe, which is the multi-component Trojan Trojan.Webguide.zolker011. On successful download of the file loadppc.exe, the Trojan connects to the page http://procounter.%/installstat.php?ID=%s&crc=%s , which keeps a counter of the number of machines infected by the Trojan, and increments the counter by 1. In addition, the Trojan searches the root of the WINDOWS directory for some EXE file (?), %.exe, where the variable % has some definite value, and if one exists, creates a report file.
The Trojan, as well as the Trojan program loadppc.exe it downloads, is detected by antivirus as: Kaspersky (04.10.2005; after being sent to the antivirus company's engineers, the compressed form was wrongly recognized by the extended antivirus databases as harmless) and Generic.Malware.dld!!.1F75253E (in uncompressed form); file loadppc.exe: Trojan.MulDrop.2590

11. Trojan-Downloader.LittleTroy.sexer

This Trojan is either 4128 or 8256 bytes (the latter if the file contains the same code twice) and is downloaded from the Internet and installed on the affected computer by the Trojan Trojan-Downloader.HackWeb.4809. Copies of Trojan-Downloader.LittleTroy.sexer are saved to disk as the files:
for Windows 9X/ME: WINDOWS\SYSTEM\vxh8jkdq1.exe , WINDOWS\SYSTEM\vxh8jkdq8.exe , [random drive]:\Temp\1.qtdfmp
for Windows 2K/2K Server/XP: WINDOWS\System32\vxh8jkdq1.exe , WINDOWS\System32\vxh8jkdq8.exe , [random drive]:\Temp\1.qtdfmp
Then the file vxh8jkdq1.exe is executed and copies itself to the same subdirectory under the name efsdfgxg.exe; it is this last file that works from then on and takes control at every Windows startup. To enable its launch at every system boot, the Trojan creates the following registry keys:
for Windows drive]: \ \ WINDOWS \ \ SYSTEM \ \ efsdfgxg.exe "
for Windows 2K/2K drive]: \ \ WINDOWS \ \ System32 \ \ efsdfgxg.exe "
The first key lets the Trojan run simply as a component of system startup, and the second as a system service, so the process efsdfgxg.exe is loaded into memory twice. The Trojan remains active until shutdown and, while working, forcibly opens the Internet Explorer web browser, in which it loads the following link: http://sex-orgazm.com/ . This link loads a porn site; at frequent intervals the Trojan checks the connection to this server and, if the site is not loaded (for example, if the user closes the window with the porn web page), reloads it. Apart from the attempts to load the porn site, no harmful procedures related to downloading any files to the affected computer or stealing confidential data were found in the Trojan's code. The file copies of the Trojan, 1.qtdfmp, vxh8jkdq1.exe, vxh8jkdq8.exe and efsdfgxg.exe, are detected by antivirus software as: Kaspersky AntiVirus

Study of the malicious code and development of the description: Broido Herman (aka VirusHunter)
Date created: 18.09.2005
Date of last change: 04.04.2008
Author of the description: Broido Herman (aka VirusHunter)
