Installation
Variants of TrojanDownloader:Win32/Xolondox are usually downloaded under fake program names that are designed to trick you into opening and running them.
Our observations show the trojans are downloaded through Thunder (an internet download manager) by pretending to be a legitimate program or file, such as:
- Superpi.exe
- UDown_3.3.1.13.exe
- wrar420sc.exe
They may also be sent or downloaded onto your machine by pretending to be email or system files, for example:
- Hotmail.zip
- primary.eml
- Server.exe
Once run, the trojans install the following files on your computer:
They also modify the following registry entries to make sure they run at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\AENGFU3AA-B933-11d2-9CBD-0000F87A369E
Sets value: "(Default)"
With data: "ver933"
In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\AENGFU3AA-B933-11d2-9CBD-0000F87A369E
Sets value: "stubpath"
With data: "%windir%\Qedie\conime.exe"
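The Active Setup persistence above is something a defender can audit offline from a registry export. The following is an added example (not part of the original write-up, not Microsoft's code) that parses a .reg export of the Installed Components key and flags components whose StubPath launches from an unexpected directory, whose component name is not a braced GUID, or whose StubPath matches the indicator reported here. The sample export, the benign GUID and the allowlist of directories are constructed assumptions; %windir% is assumed to expand to C:\Windows.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "reg export" output. The second component reproduces the
# subkey name and stubpath reported in the write-up; the first is a made-up
# benign entry for contrast (not a real Windows component).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-ABCD-4321-9876-0000DEADBEEF}]
@="Example Component"
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\AENGFU3AA-B933-11d2-9CBD-0000F87A369E]
@="ver933"
"stubpath"="%windir%\\Qedie\\conime.exe"
"""

ACTIVE_SETUP_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Directories a StubPath is normally expected to launch from (assumed allowlist).
EXPECTED_STUB_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
# Stub path reported for this family, relative to %windir%.
XOLONDOX_STUB_SUFFIX = r"\qedie\conime.exe"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def expand_env(path: str) -> str:
    """Expand the Windows variables used here; %windir% is assumed to be C:\\Windows."""
    return path.replace("%windir%", r"C:\Windows").replace("%SystemRoot%", r"C:\Windows")


def stub_executable(stub: str) -> str:
    """Return the lower-cased executable portion of a StubPath command line."""
    s = expand_env(stub).strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)].lower()
    return s.split(" ", 1)[0].lower()


def find_suspicious_active_setup(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (component, stubpath, reasons) for Active Setup components worth a look."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(ACTIVE_SETUP_PREFIX.lower()):
            continue
        component = key[len(ACTIVE_SETUP_PREFIX):]
        # Registry value names are case-insensitive; the write-up shows "stubpath".
        stub = next((v for n, v in values.items() if n.lower() == "stubpath"), None)
        if stub is None:
            continue
        reasons = []
        if not GUID_RE.match(component):
            reasons.append("component name is not a braced GUID")
        exe = stub_executable(stub)
        if not any(exe.startswith(d) for d in EXPECTED_STUB_DIRS):
            reasons.append("StubPath launches from an unexpected directory: " + exe)
        if exe.endswith(XOLONDOX_STUB_SUFFIX):
            reasons.append("StubPath matches the reported Xolondox indicator")
        if reasons:
            findings.append((component, stub, reasons))
    return findings


if __name__ == "__main__":
    for component, stub, reasons in find_suspicious_active_setup(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(component, "->", stub)
        for r in reasons:
            print("   ", r)
```

On a live system the same logic applies to the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg`; Active Setup runs each StubPath once per user at logon, so a stub pointing into a freshly created folder under %windir% deserves attention even when the component name looks ordinary.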
Payload
Downloads other files
The trojan downloaders connect to remote servers to download an image to the %TEMP% folder, for example:
- http://127.0.0.1.jk136.com:123/<removed>/js/top.gif
- http://222.186.43.147:88/<removed>/loog.gif
- http://222.186.43.147:88/<removed>/loog4.gif
- http://dl.qvodplay.org:888/<removed>.gif
- http://hs.9ycj.com:808/sogou/<removed>/hs.gif
- http://wangma88.3322.org:888/<removed>.gif
The image includes an encrypted URL that points to an executable file on a remote server. The trojans decrypt the URL and download the file as "%windir%\Qedir\<random name>.exe". This is a different folder than the one where the trojan was originally downloaded. For example, "%windir%\Qedir\fcnynqdt.exe" or "%windir%\Qedir\majcqlzc.exe".
At the time of analysis, the servers were not available and we were unable to confirm the exact nature of the downloaded executable file. However, these trojans have been seen to download other malware, including TrojanDropper:Win32/Dowque.A - a trojan that also downloads other malware.
Steals information about you and your computer
Variants of TrojanDownloader:Win32/Xolondox send information that identifies your computer to a remote attacker at "http://killer.ignorelist.com:10086/images/<removed>/count.asp". This information includes your computer's MAC address (a unique code that identifies your computer) and an identifier code used by the malware.
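Both the image downloads described under "Downloads other files" and the check-in to count.asp described just above leave a recognisable trace in web proxy logs: GIF fetches from the listed hosts on non-standard ports, and a request to count.asp on killer.ignorelist.com:10086. The following is an added example (not part of the original write-up) that scans proxy log lines for those patterns. The log format and the log lines are constructed; the host names and ports come from the write-up, while the <removed> path segments are replaced with an obviously fake placeholder.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts named in the write-up; the <removed> path segments are not needed for matching.
XOLONDOX_HOSTS = {
    "127.0.0.1.jk136.com", "222.186.43.147", "dl.qvodplay.org",
    "hs.9ycj.com", "wangma88.3322.org", "killer.ignorelist.com",
}
STANDARD_WEB_PORTS = {80, 443}

# Constructed proxy log: "<epoch> <client> <method> <url> <status> <content-type>".
# Lines 1-3 model the behaviour in the write-up; lines 4-5 are benign traffic.
SAMPLE_LOG = """\
1367000000.123 192.168.1.20 GET http://222.186.43.147:88/removed-path/loog.gif 200 image/gif
1367000001.456 192.168.1.20 GET http://hs.9ycj.com:808/sogou/removed-path/hs.gif 200 image/gif
1367000002.789 192.168.1.20 GET http://killer.ignorelist.com:10086/images/removed-path/count.asp 200 text/html
1367000003.000 192.168.1.21 GET http://www.example.com/images/logo.gif 200 image/gif
1367000004.000 192.168.1.22 GET http://cdn.example.net:8080/assets/app.js 200 application/javascript
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed-format log line into its fields; None if malformed."""
    fields = line.split()
    if len(fields) < 6:
        return None
    ts, client, method, url, status, ctype = fields[:6]
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status, "ctype": ctype}


def assess(entry: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) a request resembles Xolondox traffic."""
    u = urlsplit(entry["url"])
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    path = u.path.lower()
    reasons = []
    if host in XOLONDOX_HOSTS:
        reasons.append("host matches a Xolondox download/check-in host")
    # The downloaders fetch a .gif carrying an encrypted URL from odd ports (123, 88, 888, 808).
    if path.endswith(".gif") and port not in STANDARD_WEB_PORTS:
        reasons.append(f"image fetched over non-standard port {port}")
    # The check-in reported to carry the MAC address and malware identifier.
    if host in XOLONDOX_HOSTS and path.endswith("/count.asp"):
        reasons.append("check-in to count.asp (machine-identifying data reported)")
    return reasons


def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client, url, reasons) for every log line that triggers a rule."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            hits.append((entry["client"], entry["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url)
        for r in reasons:
            print("   ", r)
```

The host list is the high-confidence rule; the "image over a non-standard port" heuristic is the broader one and is what would still fire if the operators moved to new hosts, so it is worth tuning against your own baseline of odd-port image traffic before alerting on it.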
Additional information
TrojanDownloader:Win32/Xolondox variants also create a mutex named "XLXNDXS", possibly as an infection marker to prevent multiple instances running on your computer.
Analysis by Jeong Mun