Trojan:Win32/Dogrobot.A


Trojan:Win32/Dogrobot.A is a trojan that installs a trojan downloader, terminates security-related services and processes and may spread to other computers across a network by exploiting a vulnerability mitigated by Microsoft Security Bulletin MS08-067.


What to do now

To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
 
 
Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067.

Threat behavior

Installation
Trojan:Win32/Dogrobot.A may be installed by other malware such as Backdoor:Win32/Farfli.I. This trojan may be present as a DLL component in the Windows folder, with names such as the following:
 
%windir%\jiocs.dll
%windir%\winsp.dll
 
Spreads Via…
Networked computers
This trojan may attempt to spread to other computers across a network by exploiting a vulnerability mitigated by Microsoft Security Bulletin MS08-067. The malware attempts to send exploit code that attacks the Windows Server service on discovered vulnerable computers. If the malware can successfully exploit the target computer, it could execute remote code that installs a copy of the malware.
Payload
Installs TrojanDownloader:Win32/Perkesh.gen!A
When Trojan:Win32/Dogrobot.A is run, it drops the following malware:
 
%windir%\System32\windowsjiocs.dll - Trojan:Win32/Dogrobot.A
 
The dropped component "windowsjiocs.dll" is then executed using the Windows utility "rundll32.exe". The component "migsni.sys" is installed as a service, which may be present under the name "Kisstusb".
 
Terminates processes
Trojan:Win32/Dogrobot.A attempts to kill the following security-related processes if they are running:
 
kavstart.exe
kissvc.exe
kmailmon.exe
kpfw32.exe
kpfwsvc.exe
kwatch.exe
ccenter.exe
ras.exe
rstray.exe
rsagent.exe
ravtask.exe
ravstub.exe
ravmon.exe
ravmond.exe
avp.exe
360safebox.exe
360Safe.exe
Thunder5.exe
 
Downloads other malware
This trojan may attempt to download files or a list of linked files from the website "mck.o0oq.cn".
 
Analysis by Hong Jia

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %windir%\System32\windowsjiocs.dll
    %TEMP%\migsni.sys
  • Alert notifications from installed antivirus software may be the only other symptom(s).
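
A triage check for the file, service and process indicators listed in this entry, given as an added example and not as Microsoft's own tooling. It assumes the service is registered under the standard HKLM services key and checks only the current user's %TEMP%; a clean result does not replace the full scan recommended above.

```powershell
# Added triage example. Indicator values are copied from this entry.
$fileIndicators = @(
    '%windir%\jiocs.dll',
    '%windir%\winsp.dll',
    '%windir%\System32\windowsjiocs.dll',
    '%TEMP%\migsni.sys'      # assumption: only the current user's TEMP is checked
)
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kisstusb'
$droppedDll = 'windowsjiocs.dll'

$findings = New-Object System.Collections.Generic.List[object]

# 1. Dropped files (Get-Item -Force also returns hidden/system files)
foreach ($pattern in $fileIndicators) {
    $path = [Environment]::ExpandEnvironmentVariables($pattern)
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings.Add([pscustomobject]@{
            Type   = 'File'
            Value  = $path
            Detail = 'created {0:u}, {1} bytes' -f $item.CreationTimeUtc, $item.Length
        })
    }
}

# 2. Service or driver registration; ImagePath shows which binary it loads
if (Test-Path -LiteralPath $serviceKey) {
    $svc = Get-ItemProperty -LiteralPath $serviceKey
    $findings.Add([pscustomobject]@{
        Type   = 'Service'
        Value  = 'Kisstusb'
        Detail = "ImagePath: $($svc.ImagePath)"
    })
}

# 3. rundll32.exe instances hosting the dropped DLL
$procs = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
    Where-Object { $_.CommandLine -like "*$droppedDll*" }
foreach ($p in $procs) {
    $findings.Add([pscustomobject]@{
        Type   = 'Process'
        Value  = "PID $($p.ProcessId)"
        Detail = $p.CommandLine
    })
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No Dogrobot.A indicators from this entry were found.'
}
```

Run it from an elevated prompt so that command lines of processes owned by other accounts are readable.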

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Oct 30, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Downloader.33720 (AhnLab)
  • Win32/Dogrobot.A (CA)
  • Trojan-Dropper.Win32.Agent.yjl (Kaspersky)
  • W32/Packed_Upack.A (Norman)
  • Troj/Agent-IDB (Sophos)