TrojanDownloader:Win32/Wadolin.A is a trojan that bypasses firewall protection and downloads other files into the computer. It also sends information about the affected computer to a remote server.
Installation
TrojanDownloader:Win32/Wadolin.A may be dropped by other malware, such as TrojanDropper:Win32/Vundo.L, TrojanDownloader:Win32/Renos.GN, and others.
TrojanDownloader:Win32/Wadolin.A may be installed as any of the following files:
- %USERPROFILE%\Application Data\5.exe
- %USERPROFILE%\Application Data\d.exe
- %USERPROFILE%\Application Data\cd87.exe
- %USERPROFILE%\Application Data\e3.exe
It modifies the system registry so that it automatically starts every time Windows starts:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32load"
With data: "<malware name> -lds"
Payload
Steals sensitive information
TrojanDownloader:Win32/Wadolin.A collects the following information about the affected computer and sends it to the server "vegas<removed>id.net":
- Windows Product ID
- Volume Serial Number
Modifies firewall and security settings
TrojanDownloader:Win32/Wadolin.A attempts to bypass the following programs:
- Windows firewall
- Agnitum Outpost firewall
- McAfee firewall
- McAfee behavior blocking
TrojanDownloader:Win32/Wadolin.A modifies the system registry so that Windows Firewall considers it an authorized application:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware file>"
With data: "<malware file>:*:enabled:win32load"
If the Agnitum Outpost firewall is installed, TrojanDownloader:Win32/Wadolin.A attempts to write into the "\\.\\pipe\acsipc_server" pipe to disable it.
If the McAfee firewall is installed, TrojanDownloader:Win32/Wadolin.A writes into the following file to add an exception for itself:
- %AppData%\McAfee\Common Framework\SiteList.xml
To evade McAfee behavior blocking, it resets the value "AccessProtectionUserRules" in the registry key "HKLM\Software\McAfee\VSCore\On Access Scanner\BehaviourBlocking".
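The persistence entry, the Windows Firewall authorization entry, the McAfee behavior-blocking change and the dropped file names listed above are all host artifacts a responder can check for directly. The following PowerShell script is an added example written for this page, not tooling from Microsoft or from the analysis itself; it inspects exactly the registry values and file paths the write-up names. The function name Get-WadolinIndicators is an assumption, and it assumes that "%USERPROFILE%\Application Data" maps to $env:APPDATA on the affected system. The AuthorizedApplications\List key is the Windows XP SP2-era firewall format and may not exist on newer Windows, which the script treats as "no finding" rather than an error.

```powershell
# Added example: host check for the Wadolin.A indicators described on this page.
# Not part of the original write-up; function name and path mapping are assumptions.
$ErrorActionPreference = 'SilentlyContinue'

function Get-WadolinIndicators {
    $findings = @()

    # 1. Persistence: HKCU Run value "Win32load" (data is "<malware name> -lds")
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey
    if ($run -and $run.PSObject.Properties['Win32load']) {
        $findings += [pscustomobject]@{
            Indicator = 'Run key value "Win32load"'
            Location  = $runKey
            Detail    = $run.Win32load
        }
    }

    # 2. Firewall bypass: AuthorizedApplications entry whose data ends in ":*:enabled:win32load"
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fw = Get-ItemProperty -Path $fwKey
    if ($fw) {
        foreach ($p in $fw.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match ':\*:enabled:win32load$') {
                $findings += [pscustomobject]@{
                    Indicator = 'Windows Firewall authorized application tagged win32load'
                    Location  = $fwKey
                    Detail    = "$($p.Name) = $($p.Value)"
                }
            }
        }
    }

    # 3. McAfee behavior blocking: AccessProtectionUserRules cleared while McAfee key is present
    $mcKey = 'HKLM:\Software\McAfee\VSCore\On Access Scanner\BehaviourBlocking'
    if (Test-Path -Path $mcKey) {
        $mc = Get-ItemProperty -Path $mcKey
        if ([string]::IsNullOrEmpty($mc.AccessProtectionUserRules)) {
            $findings += [pscustomobject]@{
                Indicator = 'McAfee AccessProtectionUserRules empty or missing'
                Location  = $mcKey
                Detail    = 'Review against a known-good McAfee configuration'
            }
        }
    }

    # 4. Dropped files named on the page (Application Data assumed to be $env:APPDATA)
    $dropped = @(
        (Join-Path $env:APPDATA '5.exe'),
        (Join-Path $env:APPDATA 'd.exe'),
        (Join-Path $env:APPDATA 'cd87.exe'),
        (Join-Path $env:APPDATA 'e3.exe'),
        (Join-Path $env:TEMP    'df247f.dll')
    )
    foreach ($f in $dropped) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{
                Indicator = 'Dropped file present'
                Location  = $f
                Detail    = (Get-Item -LiteralPath $f).LastWriteTime
            }
        }
    }

    return $findings
}

$hits = @(Get-WadolinIndicators)
if ($hits.Count -eq 0) {
    Write-Output 'No Wadolin.A indicators found on this host.'
} else {
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. A hit on the firewall or McAfee check is the stronger signal, since the file names are generic enough to collide with unrelated software; any finding should be confirmed against the Run key data and the file's signature before the host is treated as infected.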
Downloads files
TrojanDownloader:Win32/Wadolin.A downloads the file "hide.dll" from the server "vegas<removed>id.net". This file is saved as "%TEMP%\df247f.dll".
Performs certain actions
TrojanDownloader:Win32/Wadolin.A continuously waits for instructions from the webpage "vegas<removed>id.net/doit.php". It may perform the following actions:
- Download an executable from a specified URL and run it
- Update itself
Analysis by Horea Coroiu