Tuesday, July 19, 2011

Trojan-Downloader.HackWeb.4577

VirusHunter warns computer users about the spread on the Internet of a dangerous Trojan program, Trojan-Downloader.HackWeb.4577, which downloads a considerable amount of other malware onto the affected computer and blocks the system service "Task Manager" (see also the description of the modified variant Trojan-Downloader.HackWeb.4809)...


1. Sources of infection of the machine.

The source of infection with Trojan-Downloader.HackWeb.4577 is, as usual, the Internet. The Trojan can reach the machine in two ways. In the first, a specially crafted archive with malware inside is saved automatically onto the target machine. This archive is a parasitic component of a web page, added by the attacker, and is saved automatically when the page's content is viewed; its contents are then extracted and the malware contained in the archive is launched. The principle is quite similar to the one used by the Trojan family Trojan-Downloader.Dyfuca, only more refined: it allows malicious code to be run covertly both under Windows 9X/ME and under 2K/XP updated to SP6 and SP2 respectively, as well as under Windows 2K3 (2003).
The archive type used to distribute the Trojan is a CHM file (a compiled help file), which is present in most distributions of general-purpose and specialized programs and is used to store so-called "Topics": reference articles on how to use the program. The advantage of this archive is that all help information is stored in one file in compressed form, taking up very little space on the hard disk, and when the user invokes the program's Help, the desired section is displayed directly from the body of the archive without the help file having to be extracted from it. The support that allows a CHM archive to be opened and viewed, and in fact the compressed storage format for help data itself, was originally developed by Microsoft at some point early in the history of Windows. That is why this format is supported on all versions of Windows, and its contents can be viewed simply by running the archive file. Moreover, as Trojan-Downloader.HackWeb.4577 demonstrates, a CHM file can be made to launch not only a help file but any other malicious program; the attacker simply embeds a reference to the CHM component in the web page.
The archive containing Trojan-Downloader.HackWeb.4577 is a CHM file about 15 KB in size with a name such as targ.chm. As mentioned above, the archive is saved to the hard disk along with the other design components of the web pages the user loads. Its location is one of the subdirectories of the following system directory:
for Windows 9X/ME: WINDOWS\Temporary Internet Files\Content.IE5\...\targ.chm
for Windows 2K/XP: Documents and Settings\%user%\Local Settings\Temporary Internet Files\Content.IE5\...\targ.chm
where %user% is the current user name. When the file is saved to disk it is run automatically. The second way for the Trojan to reach the machine is to be downloaded from the Internet and launched by some other Trojan that previously infected the computer.

2. Installation in the system.

Depending on which of these paths the Trojan takes onto the machine, the installation process may differ somewhat. In the first variant, arrival as a CHM archive, running this file shows the following screen (screenshot not reproduced here):


From the archive, a Trojan EXE file called web.exe is extracted into the same directory where the archive is located (although the name may possibly differ). Regardless of the Windows version installed on the machine, this file is copied into the hidden system subfolder for software installed over the Internet, WINDOWS\Downloaded Program Files\web.exe, from where it is executed. The file is 4577 bytes in size and is packed with the "FSG" packer version 2.0; when unpacked, its size, close to the original, is 40960 bytes. Most of the Trojan's code is encrypted with a crypting algorithm. Once started, the Trojan process web.exe remains active until the system shuts down. In the second variant of arrival, installation by another malicious program, the Trojan file is downloaded from the Internet and stored in the root of drive C: as an EXE file with a name such as C:\lo1367841195.exe, from where it is run. This file is identical to web.exe. In both the first and the second case, the activity of the Trojan process web.exe (or lo1367841195.exe, respectively) lasts only until Windows shuts down; after that these files are no longer executed and are just junk files. To be able to continue its work, the Trojan copies the file web.exe (or lo1367841195.exe, respectively) under the name kernels32.exe into one of the following system subdirectories:
for Windows 9X/ME: WINDOWS\SYSTEM\kernels32.exe
for Windows 2K/XP: WINDOWS\System32\kernels32.exe
The name kernels32.exe and its location were apparently chosen for concealment, because these subdirectories also hold the main component of the Windows kernel, kernel32.dll. The names kernels32 and kernel32 are quite similar, especially given that by default Windows Explorer does not show file extensions.
Until the first reboot the Trojan's functions are performed by the file web.exe (or lo1367841195.exe, respectively), while kernels32.exe remains inactive; after the first restart of the computer, control is taken over exclusively by the file kernels32.exe. To be launched automatically every time Windows starts, the Trojan creates registry entries as follows. Under Windows 2K/XP:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe
The first key (value name "Shell") is a system one: its default value is "Shell" = "Explorer.exe", and the Trojan modifies it as shown above (the full modified value is cut off in this copy). The modified key allows the Trojan file kernels32.exe to be run silently as a component of the Windows graphical environment, supported by the system process "Explorer". The second key (value name "System") allows the file kernels32.exe to be run simply as a component of the system registry. Most likely the Trojan's author did not have Windows 9X/ME at hand and, not being sure that the second key would work there (in those Windows versions this key simply does not exist, and the "Explorer" shell is invoked via the corresponding entries in system.ini), he added for these versions a third key (value name "SystemTools"), which would allow the file kernels32.exe also to be run as a service. Thus all the keys created by the Trojan are meant to ensure that its file kernels32.exe is launched at system startup. However, launching the file simultaneously both as a component of the Windows graphical environment and as a service under Windows 9X/ME causes the following system warning message about the Indexing Service to appear on the screen (screenshot not reproduced here), because a second call to the shell component is prohibited under these Windows versions. This, one could say, gives the Trojan away. In addition, again at the startup of Windows 9X/ME, for some reason the Trojan mistakenly opens a blank window of the Internet Explorer web browser (a side bug?).
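The autostart entries just described can be checked offline from a registry export. The following Python script is an added example, not VirusHunter's code: it parses a .reg export (a constructed sample is embedded) and flags a Winlogon "Shell" value other than Explorer.exe, the extra Winlogon values "System" and "SystemTools", Run entries naming kernels32.exe or powerscan.exe (the Run entry appears in the PowerScan description later on this page), and the DisableTaskMgr policy value. Two assumptions: the path appended to "Shell" in the sample is only an illustration of the modification, since the description does not reproduce the full value, and DisableTaskMgr is the standard policy value that disables taskmgr.exe, used here because the description does not name the key the Trojan writes.

```python
"""Offline check of a Windows registry export for the autostart and policy
entries discussed above.  Added example, not VirusHunter's code.

Input is the text of a .reg export (constructed sample below).  Flagged:
  * Winlogon "Shell" not equal to the default "Explorer.exe";
  * the non-default Winlogon values "System" and "SystemTools";
  * Run entries whose data names kernels32.exe or powerscan.exe;
  * DisableTaskMgr=1 under the Policies\\System keys (assumption: the standard
    policy value that disables taskmgr.exe; the description does not name the key).
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
POLICY_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
)
DEFAULT_SHELL = "explorer.exe"
EXTRA_WINLOGON_VALUES = ("System", "SystemTools")
IOC_FILENAMES = ("kernels32.exe", "powerscan.exe")

# Matches "Name"="string data" or "Name"=dword:00000001 (the two value types used here).
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*=\s*(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))')


def parse_reg(text):
    """Parse a .reg export into {key_path_lowercased: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                if m.group(3) is not None:
                    data = int(m.group(3), 16)
                else:
                    data = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
                keys[current][m.group(1)] = data
    return keys


def check_autostart(text):
    """Return a list of (key, value_name, data, reason) findings."""
    keys = parse_reg(text)
    findings = []
    winlogon = keys.get(WINLOGON.lower(), {})
    shell = winlogon.get("Shell")
    if isinstance(shell, str) and shell.strip().lower() != DEFAULT_SHELL:
        findings.append((WINLOGON, "Shell", shell, "Shell is not the default Explorer.exe"))
    for name in EXTRA_WINLOGON_VALUES:
        if name in winlogon:
            findings.append((WINLOGON, name, winlogon[name], "non-default Winlogon value"))
    for run in RUN_KEYS:
        for name, data in keys.get(run.lower(), {}).items():
            if isinstance(data, str) and any(ioc in data.lower() for ioc in IOC_FILENAMES):
                findings.append((run, name, data, "Run entry references a known file name"))
    for pol in POLICY_KEYS:
        if keys.get(pol.lower(), {}).get("DisableTaskMgr") == 1:
            findings.append((pol, "DisableTaskMgr", 1, "Task Manager disabled by policy"))
    return findings


# Constructed sample export.  The path appended to "Shell" is an assumption about
# what the modified value looks like; the description only says it starts kernels32.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\kernels32.exe"
"System"="C:\\WINDOWS\\System32\\kernels32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Power Scan"="C:\\Program Files\\PowerScan\\powerscan.exe"
'''

# Constructed clean export for comparison: nothing should be flagged.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

if __name__ == "__main__":
    for key, name, data, why in check_autostart(SAMPLE_REG):
        print(f"[{key}] {name!r} = {data!r}: {why}")
```

On a live system the same checks apply to the output of `reg export` for each of the keys listed; the script compares key paths case-insensitively because the export writes them in whatever case the hive stores.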


3. Blocking of the system service "Task Manager" by the Trojan.

To rule out the possibility of its active process (and, later, the active processes of the other Trojans it installs on the infected computer via the Internet) being detected with standard Windows tools, the Trojan blocks the system service "Task Manager", which allows the user to view the list of processes running in the system, obtain information about any current process and, if desired, terminate suspicious processes. To do this, the Trojan creates the following Windows registry key (not reproduced in this copy). The key does not exist in a clean system, but if it is present the system service taskmgr.exe is disabled: when the user tries to run it from the command line or by pressing Ctrl+Alt+Del, the following system message appears on the screen (screenshot not reproduced here):

It should be noted that this technique is not supported under Windows 98/ME, so "Task Manager" remains functional there.


4. Downloading other malicious programs.

Throughout its work, the Trojan process kernels32.exe remains active and periodically checks for an Internet connection and for access to TCP port 80. If this port is not in use by any other program and an Internet connection is active, the Trojan contacts over HTTP (the default protocol) the server given below (the domain blocks are replaced with the symbol "%" for security reasons; the server and the links are not reproduced in this copy), on which it tries to find working links among the following (they are present in the Trojan's body in encrypted form; some others located on the same server are also checked). If it cannot find an active link, the Trojan opens TCP port 53 on the target machine for downloading files and secretly installs a number of other Trojans. As a storage location for the downloads the Trojan creates, in the root of an arbitrarily chosen logical disk (for example D:), a directory called Temp, i.e. D:\Temp. The following Trojan files are stored in this directory:
1.qtdfmp - Trojan-Downloader.LittleTroy.1665;
2.qtdfmp - a Trojan program that offers to install several other Trojans ("SpySheriff" and "SpywareNo") under the guise of "anti-Trojan" tools (the file is not processed by any packer and is 28,160 bytes in size; after launch it creates a copy as C:\winstall.exe and constantly scares the user with messages of the type "Your Computer is infected! Windows Has detected spyware infection!"; its code has not been studied in detail);
3.qtdfmp - not detected;
4.qtdfmp - not detected;
5.qtdfmp - Trojan-Downloader.HackWeb.small-A;
6.qtdfmp - Trojan-Downloader.HackWeb.small-D;
7.qtdfmp - Trojan-Downloader.HackWeb.small-B.
The files are then copied into the same system subdirectory where kernels32.exe itself resides, under the following names (not reproduced in this copy). All these files are then launched for execution (except vxh8jkdq8.exe) and subsequently operate independently.
The Trojan keeps a record of the files it found and downloaded from the Internet, in encrypted form, in a file it creates called vx.tll, located in the same system subdirectory as kernels32.exe.
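The on-disk artifacts named in sections 2 and 4 (the kernels32.exe lookalike next to kernel32.dll, web.exe under Downloaded Program Files, the N.qtdfmp staging files in a root-level Temp directory, and the vx.tll log beside kernels32.exe) can be triaged from a plain file listing. The script below is an added example, not VirusHunter's code; the listing it runs on is constructed, and the lookalike check is generalised from the single kernels32/kernel32 case to any name one edit away from a small set of core component names (kernel32, explorer, winlogon, all of which the description mentions).

```python
"""Triage of a file listing for the on-disk artifacts described in sections 2 and 4.
Added example, not VirusHunter's code.  Input is a constructed list of paths, as a
real run would get from a directory walk or a forensic image listing.  Checks:
  * a name in a system directory whose stem is one edit away from a core system
    component (kernels32.exe vs kernel32.dll);
  * web.exe under Downloaded Program Files;
  * <drive>:\\Temp\\N.qtdfmp staging files;
  * vx.tll, the encrypted download log, in the same directory as kernels32.exe.
"""
import ntpath
import re

# Stems of components named in the description; the lookalike check is generalised to them.
CORE_SYSTEM_STEMS = ("kernel32", "explorer", "winlogon")
SYSTEM_DIRS = ("\\windows\\system\\", "\\windows\\system32\\")
QTDFMP_RE = re.compile(r"^[a-z]:\\temp\\\d+\.qtdfmp$", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(paths):
    """Return a list of (path, reason) for every path matching one of the checks."""
    findings = []
    dirs_with_kernels32 = {
        ntpath.dirname(p).lower() for p in paths if ntpath.basename(p).lower() == "kernels32.exe"
    }
    for path in paths:
        low = path.lower()
        base = ntpath.basename(low)
        stem, _ = ntpath.splitext(base)
        directory = ntpath.dirname(low)
        if any(d in low for d in SYSTEM_DIRS) and stem not in CORE_SYSTEM_STEMS:
            for core in CORE_SYSTEM_STEMS:
                if edit_distance(stem, core) == 1:
                    findings.append((path, f"lookalike of system component {core}"))
                    break
        if base == "web.exe" and directory.endswith("\\downloaded program files"):
            findings.append((path, "dropped web.exe in Downloaded Program Files"))
        if QTDFMP_RE.match(low):
            findings.append((path, "download staging file N.qtdfmp"))
        if base == "vx.tll" and directory in dirs_with_kernels32:
            findings.append((path, "encrypted download log beside kernels32.exe"))
    return findings


# Constructed listing: a mix of the described artifacts and benign files.
LISTING = [
    r"C:\WINDOWS\System32\kernel32.dll",
    r"C:\WINDOWS\System32\kernels32.exe",
    r"C:\WINDOWS\System32\vx.tll",
    r"C:\WINDOWS\Downloaded Program Files\web.exe",
    r"D:\Temp\1.qtdfmp",
    r"D:\Temp\5.qtdfmp",
    r"D:\Temp\notes.txt",
    r"C:\Program Files\Common Files\readme.txt",
]

if __name__ == "__main__":
    for path, reason in triage(LISTING):
        print(f"{path}: {reason}")
```

The lookalike check deliberately compares stems only, because the description's point is that with extensions hidden the user sees "kernels32" next to "kernel32"; the legitimate kernel32.dll is excluded by exact match before the distance is computed.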

5. Miscellaneous.

In addition to all the actions described above, the Trojan also searches the root directory of the system disk for certain files to launch (evidently Trojans installed by some other malicious program) with the following names (not reproduced in this copy; the "%" symbols in the virus code indicate that those parts of the file names can take different values). The Trojan can also decrypt from its body and set in system memory a unique logical "tag" to identify its own (?) and other Trojans' (?) presence on the infected system: cxfbgvhhnhjmurr

6. Detection and removal of the Trojan from the machine.

Trojan-Downloader.HackWeb.4577 and the Trojans it downloads are detected by anti-virus software as follows (Kaspersky; the detection names are not preserved in this copy). After removing Trojan-Downloader.HackWeb.4577 it is recommended to delete all the registry keys it created, except the one associated with the system component explorer.exe (from that key simply remove the reference to the Trojan file). This is needed to restore "Task Manager" and to avoid messages of the following form appearing at system startup (screenshot not reproduced here):

The "Task Manager" can be restored with a utility from VirusHunter's set of special software, which can be downloaded here. Before using the utility, we strongly recommend reading the user manual included with the set. At the moment, the following description of a related virus has been prepared and posted on our site: Trojan-Downloader.HackWeb.4809

Study of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 04.10.2005
Date of last change: 02.04.2006
Author of the description: Broido Herman (aka VirusHunter)

Trojan-Downloader.PowerScan.11

VirusHunter warns computer users about the discovery on the Internet of a Trojan program, Trojan-Downloader.PowerScan.11, distributed under the guise of an anti-virus scanner that cleans the computer of pornographic garbage...


1. Installation in the system.

Trojan-Downloader.PowerScan.11 is installed on computers via the Internet when the machine has been hit by one of the notorious Trojan family "Trojan-Downloader.ISTbar": on a computer affected by those Trojans it appears as a file called powerscan.exe, 70,144 bytes in size (packed with the "UPX" packer version 1.24; unpacked its size is 184,320 bytes, with the bulk of its code encrypted), in the following subdirectories created by them within the system folder "Program Files":
Program Files\PowerScan\powerscan.exe
Program Files\IST\powerscan.exe
The program has a graphical interface and poses as a scanner, "PowerScan v1.1", that checks the machine for the presence of "pornographic trash".

2. Program functionality. Malicious actions.

When started, the program displays the following working window (screenshot not reproduced here):


The program's functionality consists of the following options:
Option SCAN START - starts scanning all hard drives of the computer for "pornographic garbage". In reality the program simply looks for the following fragments of text (some of them appear in the program's list several times): Vincent Azlea Bridgette Brittany Bunny Lain Cherry Chloe Christy Claudia Cock cumming clit cumshot cunt Chicks cheerleader clitoris chicksride coyote Girls college Girls Doggy double Penetration Debbie Diamond Denisa Devon Dominica Draghixa Dick dildo dirty bird dirty babes deepthroat Erotic Ember ejaculation Ebony euroangel Emmanuel felation freeporn Felacia Danay Felix Jameson Jenteal Jessica Drake Jezebelle Jewel De Nyle jillkeley Jill Kelly Juanita kiddysex Kaitlyn Ashley Kalani Kascha Keisha Kim mckay Kobe Kristina bluegirl Christina Britney Latina Little Jody Lucinda Lesbian latex Lolita levrette Lovette Masturbate Madison Margo Stevens Mariah Midori Monica mannequin Mini-skirt Mini-jupe mouthfuck Mature Monkey Love nenette Nadia Nikita Nikki Tyler Kournikova Naked nudity nudist nude nake nasty nympho nipple Orgy Oral Sex Orgasm Penetration Papoose Patricia Precious Girl Piercing Vinyl pedophily Tight ass putes Pussy petsex pornstars Penthouse Playboy Playboy playgirl Playgirl porn mail photonu porn putas panties panty Pamela Pamela Pornstars penis Peter north Raped ramble rectal rocco Racquel Derrian Raylene Rebecca RON Services sexfarm sweet sexy Senior Sex Story smut squirt jstring Sabrina smack Swallow Spycam Sexual Sylvia Knight whip xx xxx. The program looks for all of these fragments in the names of graphics, animation (Macromedia Flash Player) and video files with the following extensions: AVI mpg MPEG JPG JPEG gif TIF BMP asf wmf mov, as well as in the following system log files: cookies.txt netscape.hst index.dat. If it finds at least one such file, the program shows its location in the scan results (just as anti-virus scanners do when they detect a malicious file), and at the end of the search displays a message (screenshot not reproduced here).

Option SCAN STOP - stops the file scan. By clicking on any of the files the program reported as "unnecessary", you can view their properties, such as (screenshot not reproduced here):

Option CLEAN OUT YOUR COMPUTER - opens the Internet Explorer web browser, connecting to the Internet through port 1025 of the machine (or any subsequent port if 1025 is unavailable for some reason), and calls the following link (part of the link is replaced with the symbol "%" for security reasons): http://www.slotch.com/%/%/ist_shortcuts_jump.php?fav_id=209 Through this site the Trojan attempts to covertly download onto the machine and run some other Trojan program. At the same time, so that the user suspects nothing, the link in the browser's address bar is redirected to the website of other software (a real program for cleaning pornographic garbage; screenshot not reproduced here).

During the file download the program exchanges technical data with the remote machine hosting the files, in the form of the following messages: "item found", "items found", "Power Scan Uploaded files". The program also records in the registry the 2 classes it creates. Option "PowerScan automaticly at Windows Startup" - if the user ticks this option, the program is loaded at every system startup, showing its main window (or, if the tick is removed, the program is removed from Startup). To enable startup the program adds the following registry keys:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Power Scan" = "C:\\Program Files\\[name
The purpose of the program's 2nd key is not entirely clear; perhaps it is used to store some service data. Option ABOUT PowerScan - displays the following window (screenshot not reproduced here):

Option unInstall PowerScan - opens Internet Explorer on the link http://www.power-scan.com/remove.html This link downloads onto the machine a harmless file, power_remove.exe, 5120 bytes in size (also packed with "UPX" version 1.24; unpacked its size is 32768 bytes). This file is a harmless program that removes "PowerScan" from the machine; it was sent to the anti-virus companies "Kaspersky Lab" (Kaspersky AntiVirus) and "Softwin" (BitDefender Professional) because the developers of their anti-virus databases mistakenly detected it as a Trojan. Since 17/09/2005 the false detection has been corrected and the file power_remove.exe is no longer detected as malware. When started, power_remove.exe copies itself under the name uninstall.exe into the temporary files directory of the system or of the current user, depending on the Windows version installed on the computer:
for Windows 9X/ME: WINDOWS\TEMP\uninstall.exe
for Windows 2K/2K Server/XP: Documents and Settings\%user%\Local Settings\TEMP\uninstall.exe
The file is then launched, showing a window with the following menu (screenshot not reproduced here):

If the user selects No, uninstall.exe simply quits; if Yes is selected, uninstall.exe removes the startup registry keys written by the "PowerScan" program, terminates the process Program Files\Power Scan\powerscan.exe in system memory and removes the subdirectory together with the file powerscan.exe (note: if "PowerScan" was installed in a different subdirectory, uninstall.exe removes only the autorun keys created by the Trojan). Then uninstall.exe displays a message (screenshot not reproduced here), completing its work at this point. After the removal of "PowerScan", both files, power_remove.exe and its copy uninstall.exe, are nothing more than junk files.


7. Detection and removal of the Trojan.

At the time of writing this description, anti-virus software detected Trojan-Downloader.PowerScan.11 (file powerscan.exe) under the following identification names:
Kaspersky AntiVirus: Trojan-Downloader.Win32.IstBar.gg
BitDefender Professional: Trojan.Downloader.IstBar.GG
DrWeb: Adware.PowerScan
If this program is found on the computer, simply delete the file powerscan.exe together with the subdirectory in which it resides. To remove the Trojan you can also use the author's original utility mentioned above, which can be downloaded here.

8. Other detected modifications of the Trojan.

Two more versions of the Trojan were discovered (apparently an earlier and a later one) that are practically identical to the version described above and differ from it only in a smaller set of text fragments used to "discover" pornographic trash.
Both are also called powerscan.exe and are 69,120 bytes and 71,680 bytes in size respectively (the files are packed with "UPX" version 1.24; unpacked their sizes are 184,320 bytes and 241,664 bytes respectively, with the bulk of the code encrypted).
At the time of writing, anti-virus companies detected these two variants of powerscan.exe under the following identification names:
Kaspersky AntiVirus: not-a-virus:AdWare.PowerScan.b, d (extended set of anti-virus database updates)
BitDefender Professional: ignored
DrWeb: Adware.PowerScan

Study of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 18.09.2005
Date of last change: 13.12.2005
Author of the description: Broido Herman (aka VirusHunter)