Threat behavior
Installation
Trojan:Win32/Clort.A!exploit may be installed by Trojan:Win32/Clort.A.dr. In the wild, Win32/Clort.A.dr may exist as a file named 'MS08067a.exe'. When executed, it drops two executables:
Win32/Clort.A.dr then executes 'winlogon.exe'.
Payload
Launches MS08-067 Attack
When Trojan:Win32/Clort.A is executed, it creates a mutex named '2008-MS08-067_TEST' and exits if it already exists. This trojan connects to a remote site to retrieve target information, or IP address range data for the trojan to attack. The data is retrieved from the domain address 'gsinvest.gov.cn/*******/VoteModiy.asp'.
Next, Win32/Clort.A executes %TEMP%\svchost.exe, attacking IP addresses provided by text from the page 'VoteModify.asp'. It tries to connect to port 139, and if successful, launches
%TEMP%\svchost.exe <IP address>
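The propagation pattern above (a copy of svchost.exe launched from the user's TEMP directory with a bare IP address as its argument, plus a burst of connections to TCP/139 across many hosts) can be hunted for in endpoint telemetry. The following is an added detection example, not part of the original analysis; the event records are constructed in the style of Sysmon process-creation and network-connection logs, and the field names and the five-host threshold are assumptions.

```python
"""Detection heuristic for the Win32/Clort.A propagation behaviour.

Flags (1) svchost.exe started from a TEMP directory with an IPv4 address as
its last command-line token, and (2) a single process connecting to TCP/139
on many distinct hosts. All events below are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style fields).
PROCESS_EVENTS = [
    {"pid": 1204, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},                       # legitimate
    {"pid": 3316, "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\svchost.exe 192.0.2.17"},
    {"pid": 3320, "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\svchost.exe 192.0.2.18"},
]

# Constructed network-connection events (Sysmon Event ID 3 style fields):
# pid 2044 sweeps eight hosts on 139; pid 1204 makes one benign 139 connection.
NETWORK_EVENTS = (
    [{"pid": 2044, "dst": f"192.0.2.{i}", "dport": 139} for i in range(20, 28)]
    + [{"pid": 2044, "dst": "198.51.100.3", "dport": 445},
       {"pid": 1204, "dst": "192.0.2.9", "dport": 139}]
)

# Matches ...\Temp\svchost.exe (covers both modern and legacy TEMP paths).
TEMP_SVCHOST_RE = re.compile(r"\\Temp\\svchost\.exe$", re.IGNORECASE)


def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def suspicious_launches(events):
    """Return (pid, target_ip) for TEMP-resident svchost.exe launched with an IP."""
    hits = []
    for ev in events:
        if TEMP_SVCHOST_RE.search(ev["image"]):
            last_token = ev["cmdline"].split()[-1]
            if is_ipv4(last_token):
                hits.append((ev["pid"], last_token))
    return hits


def port139_scanners(events, min_hosts=5):
    """Return {pid: distinct_hosts} for processes hitting TCP/139 on >= min_hosts."""
    targets = defaultdict(set)
    for ev in events:
        if ev["dport"] == 139:
            targets[ev["pid"]].add(ev["dst"])
    return {pid: len(h) for pid, h in targets.items() if len(h) >= min_hosts}
```

Feeding both detectors real Event ID 1 and Event ID 3 records and correlating the flagged PIDs gives a high-confidence indicator of this worm-like spread, since a genuine svchost.exe neither lives in TEMP nor takes an IP address as its argument.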
Downloads Other Malware
If a target computer is exploited, Win32/Clort.A!exploit executes shell code that instructs the target to
Win32/VB.CJ is a trojan that downloads other malware. When run, it attempts to download
TrojanDownloader:Win32/VB.CQ from the domain 'nowbt.net' as a file named 'cpa.exe'.
Downloads Adware
After TrojanDownloader:Win32/VB.CQ is downloaded, it is run. It attempts to connect to the Web address 'cpa123.cn' and downloads adware.
Analysis by Aaron Putnam
Prevention