In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<name2>" = %AppData%\<name>.exe|
<name2> is chosen at random from the list below:
CrashDump
svchosts
EventLog
TaskMon
Windows
RunDll
System
Setup
Sound
lsass
UPNP
Init
Payload
The Trojan connects to servers to download and run malicious code. The server addresses are saved to the system registry key shown below:
HKCU\Software\Microsoft\Internet Explorer\Settings\"GatesList"
The Trojan saves its settings to the registry keys shown below:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"GID"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyM"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyE"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"PID
The malicious code downloaded from the servers is designed to harvest information from the victim machine (user name, login data, program passwords, local and network passwords).
The Trojan can also be configured to steal login and password data for Internet banking systems by substituting spoofed pages for genuine banking system pages. The program targets popular financial organizations such as the ones listed below:
https://www.hsbc.co.uk
https://www.mybusinessbank.co.uk
https://investing.schwab.com
The Trojan will regularly download updates to its code and additional modules. The programs downloaded include:
- Trojan programs designed to steal bank account data
- Trojans designed to steal passwords to common applications such as:
Browsers
- IE Password Protected Sites
- IE AutoComplete Fields
- Firefox
- Opera
Messengers
- MSN Messenger
- ICQ
- IRQ
- Trillian
- Miranda IM
- Camfrog Video Chat
- Easy Web Cam
- Google Talk
FTP Programs
- Total Commander
- WS FTP
- SecureFX FTP
- WebDrive Ftp
- FtpVoyager
- AutoFTP
- FTP Control
- 32bit Ftp
- FTP Navigator
- Far FTP
- FlashFXP FTP
- CuteFTP
- CoffeeCup FTP
- FileZilla FTP
- FTP Now
- CoreFTP
- SmartFTP
Other Programs
- Outlook Express
- Dial Up
- VNC
- Remote Desktop
- WinProxy
- Google Desktop
Network propagation
In order to spread via the local network, the Trojan ties to copy itself to network machines by using ipc$ and admin$ and also shared folders. In order to launch itself on networked machines, the Trojan uses a legitimate utility, Sysinternal's psexec.exe.
Note
In order to prevent the malicious program spreading via networks, servers used by domain administrators should be disinfected. Additionally strong passwords should be used on local machines.
The Trojan downloads a variety of code from servers. This code can be modified or replaced with other malicious code. At the time of writing, the Trojan was configured to connect to the addresses listed below:
panel.***boora.cn
147.202.39.***
174.36.82.***
195.12.38.***
195.189.247.***
195.225.236.***
205.234.231.***
209.51.159.***
209.85.120.***
61.153.3.***
64.18.143.***
66.128.55.***
66.199.237.***
66.199.237.***
66.225.237.***
66.7.197.***
75.102.23.***
The Trojan only runs on English versions of Windows.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the malicious process.
- Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
- Delete the file created by the backdoor:
%AppData%\<name>.exe
- Delete the following system registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<name2>" = %AppData%\<name>.exe
Dear visitor,
you have not login.We recommend you to be registered and login.
MainPage (0 / 197)
FeedBack
RSS
SiteMap
Tag : 
Comments (0)
