Trojan:Win32/Ertfor.A is the detection for a family of malware that consists of an executable dropper and the files it drops. It attempts to connect to certain websites and may download other malware.
Installation
Upon execution, Trojan:Win32/Ertfor.A drops the following files on the system, all of which are detected as Trojan:Win32/Ertfor.A:
- <system folder>\<random name 1>.dll - for example hjd94fg.dll
- <system folder>\<random name 2>.dll - for example kf93jfg.dll
- %temp%\winlogan.exe
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP and Vista.
It then runs winlogan.exe.
It modifies the system registry so that its dropped EXE file runs every time Windows starts:
Adds value: "Hhjg5jfd93dftdf"
With data: "%temp%\winlogan.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "Hhjg5jfd93dftdf"
With data: "%temp%\winlogan.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It opens Windows Explorer to mislead the user into thinking that this is the only action of its dropped EXE file.
It also creates the following registry entry as part of its malicious routine:
Adds value: "WINID"
With data: "<system time>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
It registers its dropped DLL files by running regsvr32.exe on each of them.
It also creates the following registry entries to register its dropped DLL files as Browser Helper Objects (BHOs):
Adds value: "(default)"
With data: "<malware path and file name>"
To subkey: HKLM\SOFTWARE\Classes\CLSID\<malware CLSID>
For example:
Adds value: "(default)"
With data: "<system folder>\hjd94fg.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{B5AC49A2-94F2-42BD-F434-2604812C897D}
Adds value: "(default)"
With data: "<system folder>\kf93jfg.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{B5AF0562-94F3-42BD-F434-2604812C797D}
It also creates the following registry entry as part of its malicious routine:
Adds value: "<malware CLSID>"
With data: "<keyboard driver>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
For example:
Adds value: "{B5AC49A2-94F2-42BD-F434-2604812C897D}"
With data: "hkjr94jdfdgj"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Adds value: "{B5AF0562-94F3-42BD-F434-2604812C797D}"
With data: "hjkfj93dffd"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
It also creates the following registry entry:
Adds value: "ITBarLayout"
With data: "."
To subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar\Explorer
Payload
Disables System Restore
Trojan:Win32/Ertfor.A disables System Restore by creating the following registry entry:
Adds value: "Disable Config"
With data: "1"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
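As an added defender's check (example code, not part of this write-up or of any Microsoft tool), the following Python parses a registry export in the "reg export" text format and flags the artifacts described above: a Run value launching winlogan.exe, SharedTaskScheduler CLSIDs that resolve to a DLL in the system folder, and the SystemRestore policy value. The sample export is constructed from the paths, value names and CLSID listed on this page, and the function names are this example's own.

```python
import re

# Constructed "reg export" text for this example: the paths, value names and CLSID are
# the ones this write-up lists; the OneDrive line is benign filler (negative control).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hhjg5jfd93dftdf"="%temp%\\winlogan.exe"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B5AC49A2-94F2-42BD-F434-2604812C897D}]
@="C:\\Windows\\System32\\hjd94fg.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AC49A2-94F2-42BD-F434-2604812C897D}"="hkjr94jdfdgj"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"Disable Config"=dword:00000001
"""

def parse_reg_export(text):
    """Return {key: {value_name: data}} with keys and names lower-cased; '@' is (default)."""
    reg, key = {}, None
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line.strip())
        if m:
            key = m.group(1).lower()
            reg[key] = {}
        elif key and "=" in line:
            name, data = line.strip().split("=", 1)
            name = name.strip('"').lower().replace(" ", "")  # "Disable Config" -> disableconfig
            if data.startswith("dword:"):
                reg[key][name] = int(data[6:], 16)
            else:  # .reg files double the backslashes inside string data
                reg[key][name] = data.strip('"').replace("\\\\", "\\")
    return reg

HKLM = "hkey_local_machine\\software\\"
def find_ertfor_artifacts(reg):
    """Flag the persistence artifacts described above; returns (indicator, detail) pairs."""
    hits = []
    for key, values in reg.items():
        if key.endswith("\\microsoft\\windows\\currentversion\\run"):  # HKCU and HKLM Run keys
            for name, data in values.items():
                if str(data).lower().endswith("winlogan.exe"):
                    hits.append(("run-key dropper", f"{name} -> {data}"))
    # Explorer instantiates every CLSID listed under SharedTaskScheduler; resolve each to its DLL.
    for clsid in reg.get(HKLM + "microsoft\\windows\\currentversion\\explorer\\sharedtaskscheduler", {}):
        dll = reg.get(HKLM + "classes\\clsid\\" + clsid, {}).get("@", "")
        if "\\system32\\" in dll.lower() and dll.lower().endswith(".dll"):
            hits.append(("sharedtaskscheduler dll (review)", f"{clsid} -> {dll}"))
    if reg.get(HKLM + "policies\\microsoft\\windows nt\\systemrestore", {}).get("disableconfig") == 1:
        hits.append(("system restore disabled", "DisableConfig=1"))
    return hits
```

Windows itself registers a few CLSIDs under SharedTaskScheduler, so that indicator is a triage list to review against known components rather than a verdict on its own.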
Downloads and Executes Files
Trojan:Win32/Ertfor.A attempts to download and execute files from certain sites that it connects to.
Analysis by Marian Radu