The source of infecting your computer Trojan Trojan-Downloader.HackWeb.4577 is, as usual, the Internet.At the same Trojan can get into the car in two ways. First - it is automatically saved on the target machine specially crafted image with malware inside. This archive is a parasitic component of any Web pages that are added by the attacker and saved automatically when you view it (page) content, followed by an extraction procedure and start the information contained in this archive of malware. Principle quite similar to that used Trojan family Trojan-Downloader.Dyfuca , but only more perfect and allows you to secretly run malicious code as a Windows 9X/ME, and under 2K/XP, updated to SP6 and SP2, respectively, as well as under Windows 2K3 ( 2003).
Archive type that is used to distribute the Trojan is a CHM-file (file reference data), which is usually present in most distributions, custom and specialized programs, and is used to store the so-called "Topics" (from the English. "Topics") - background papers on the management of program usage. The beauty of this archive is that all the help-information is stored in one file in a compressed form, taking up very little space on your hard drive, and if you call a user program called Help the desired section to view the body directly from the archive without having to extract a background file from Archives of the body. Support that allows to open and view the contents of the CHM-archive, and, in fact, the format of compressed storage of reference data were originally developed by Microsoft, yet somewhere at the beginning of the creation of Windows. That's why this format is supported on all Windows, and its contents can be accessed for viewing, simply run the file archive. Moreover, as demonstrated by a Trojan program Trojan-Downloader.HackWeb.4577 , from CHM-file can be run to perform not only the help file, but any other malicious program, which in the Internet page simply vstroit definitely a reference to the CHM component.
The archive contains a Trojan program Trojan-Downloader.HackWeb.4577 , a CHM-file size of about 15 kband with a name (for example, targ.chm ). As mentioned above, the archive is stored on the hard disk along with the other components of the design of various web pages that are loaded by the user. Location of temporary files is one of the subdirectories of the following system directory: for Windows 9X/ME : WINDOWS \ Temporary Internet Files \ Content.IE5 \ ... \ targ.chm for Windows 2K/XP : Documents and Settings \% user% \ Local Settings \ Temporary Internet Files \ Content.IE5 \ ... \ targ.chm , where% user% - the current user name. When you save the file to disk automatically runs. The second way of getting a Trojan in the car - it downloads from the Internet and then running to perform any other Trojan, previously to infect your computer.
Depending on which of these paths will be recorded in the Trojan machine, the process of installing the system may vary somewhat. In the first version - getting into a car in the form of CHM-archive when you run this file you can see the following screen:
From the archive, in the same directory in which it is, removed a Trojan EXE-file, called web.exe (although it is possible that the title may be, etc.). Regardless of the version installed on a machine running Windows, this file is copied into a hidden subfolder system installed over the Internet software: WINDOWS \ Downloaded Program Files \ web.exe , where executed. This file has a size of 4577 bytes , compressed by the compression utility "FSG" version 2.0 to decompress a file size, an approximation to the original, was 40960 bytes. Most of the code is encrypted trojan crypt algorithm. After starting the Trojan process web.exeremains active until the end of the system. The second option to enter the machine - install other malware, Trojan, Trojan file is downloaded from the Internet and stored in the root of drive C: in the form of EXE-file with a name, for example: C: \ lo1367841195.exe From there he started to run. This file is identical web.exe . In both the first and second case, the activity of the Trojan process web.exe or, respectively,lo1367841195.exe maintained only until the completion of Windows, and then the files will no longer be executed and are is just a file junk. To be able to follow-up the Trojan copies the file web.exe or, respectively,lo1367841195.exe called kernels32.exe in one of the following system of subdirectories: for Windows 9X/ME: WINDOWS \ SYSTEM \ kernels32.exe for Windows 2K/XP: WINDOWS \ System32 \kernels32.exe Title kernels32.exe and its location is chosen, apparently, to hide, because in these sub-directories and is the main component of the kernel of Windows, called kernel32.dll . Agree that the nameskernels32 and kernel32 pretty similar, if also note that the "default" Windows does not show in the system explorer file extensions. Prior to the 1st reboot the Trojan performs the functions of file web.exe (or, respectively, lo1367841195.exe ), and kernels32.exe remains inactive, and after the 1st restart the computer in the future management will receive only a file kernels32.exe , which is to be able to auto every time Windows starts up the Trojan creates a registry entry as follows: under Windows Windows 2K/XP :[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon] "Shell" = "Explorer.exe key (with the value " Shell ") is a system, the default value is "Shell" = "Explorer.exe"Trojan modifies the foregoing. Changed so the key can silently run the Trojan file kernels32.exe as a component of a graphical environment of Windows, supported by a system process "Explorer". 2nd key (with a value of " System ") allows file kernels32.exe run simply as a component of the system registry. Most likely, the author of the Trojan did not have at hand Windows 9X/ME and, therefore, not being sure that a th key work (in these versions of Windows such a key is simply not available, but a shell "Explorer" is invoked via the corresponding entries in the system.ini), he added, the process of creating versions of the system under these third key (with a value of " SystemTools "), which would allow file kernels32.exe and run as a service. Thus, all created by the Trojan are the keys to ensure that his file kernels32.exe will be launched for execution at system startup. However, the simultaneous start of the file and as a component graphical environment of Windows, and software as service under Windows 9X/ME causes the screen to the next message warning system Indexing Service
Because the second appeal to the components of the shell is prohibited under these versions of Windows.This is to the Trojan, we can say is impersonating. In addition, again at the start of Windows 9X/ME, the Trojan opens a mistake for some reason a blank screen web browser Internet Explorer (side bug?).
To eliminate the possibility of detection of an active process (and, later, active processes etc. Trojans to be installed on infected computers via the Internet), standard tools Windows, the Trojan blocks the system service "Task Manager" enables you to view a list of active processes running in the system, to obtain information about any current process and if desired end suspicious processes. To do this, the Trojan creates the following registry Windows registry does not exist, but, nevertheless, if there is any system servicetaskmgr.exe is disabled: when you try to run it through the command line or by pressing Ctrl + Alt + Del on the screen will fill up the following system message:
It should be noted that this procedure is not supported under Windows 98/ME, resulting in "Task Manager" is functional.
Throughout the work of the Trojan process kernels32.exe remains active and periodically checks Internet connection and access to port 80 protocol TCP / IP. If this port is not used any other program and an Internet connection is active, the Trojan communicates using a set "default" in the HTTP-protocol server to below (the values of the domain blocks replaced me with the symbol "%" for security reasons ), which tries to find work following links (in the body of the Trojan are present in the encrypted checked and some others are located on the same server. If you can not find an active link, the Trojan opens on the target machine 53rd port protocol TCP / IP (download files) and secretly installs a number of other Trojans. As a place of storage downloads the Trojan creates the root arbitrarily chosen by the logical disk - for example, D:, a directory called D: \ Temp . In this directory are stored the following Trojan files: 1.qtdfmp - Trojan Trojan-Downloader.LittleTroy.1665 ;2.qtdfmp - Trojan program that offers to install several other Trojans ("SpySheriff" and "SpywareNo") under the guise of "Antitroyanskih" (Trojan file is not processed by any tools and has a size of 28,160 bytes , after the launch creates a copy of a C: \ winstall.exe and constantly scares user type messages Your Computer is infected! Windows detected spyware infection Has! ; detail its code has not been studied); 3.qtdfmp - not detected; 4.qtdfmp - not detected; 5.qtdfmp - Trojan Trojan-Downloader . HackWeb.small-A ;6.qtdfmp - Trojan Trojan-Downloader.HackWeb.small-D ; 7.qtdfmp - Trojan Trojan-Downloader.HackWeb.small-B . The files are copied to a subdirectory of the same system, where the himself kernels32.exe , under the following All these files are then launched for execution (exceptvxh8jkdq8.exe ) and subsequently operate independently. Report found and downloaded from the Internet keeps the Trojan files in an encrypted form in a file created them vx.tll , located in the same subdirectory of the system, and that kernels32. exe .
In addition to all the above actions Trojan also searches the root directory of the system to run on the execution of certain files (obviously, Trojans, set some other malicious program) with the names of the following "%" In the code of the virus indicated by symbols that are names of data files can have different meanings. The Trojan can decipher from his body and set in a unique logical system memory "tag" to identify his (?) and other Trojan (?) presence on the infected system: cxfbgvhhnhjmurr
Trojan-Downloader.HackWeb.4577 and loaded them trojans antivirus detected as: Kaspersky Kasperskyfile file file file file just as well) After removing the Trojan-Downloader.HackWeb.4577 recommended that you remove all the keys are created by him, except that which is associated with systemic component ofexplorer.exe (this key you can simply remove the reference to the Trojan file.) This must be done for the resumption of the "Task Manager" and in order to avoid at system startup messages appears on the form
Recover the "Task Manager" can be with the utility of a set of specials. Software from VirusHunter'a, which can be downloaded here . Before using the tool highly recommend reading the attached to a set of user manual. At the moment, developed and posted on our website the following description of the virus: Trojan-Downloader.HackWeb.4809
The study of malicious code and development description: Broido Herman (aka VirusHunter)
Date Created: 04.10.2005
Date of last change: 02.04.2006
Author Description: Broido Herman (aka VirusHunter)