TrojanDownloader:Win32/Horst.Q


TrojanDownloader:Win32/Horst.Q is the trojan downloader component of the Win32/Horst malware family. It connects to certain websites to download arbitrary files, which may be other malware.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
TrojanDownloader:Win32/Horst.Q drops several copies of itself using commonly used Windows filenames such as the following:
esentutl.exe
clipsrv.exe
mstsc.exe
mstinit.exe
mqtgsvc.exe
rsvp.exe
sessmgr.exe
spoolsv.exe
ieudinit.exe
logman.exe
cisvc.exe
dllhst3g.exe
 
Note that the legitimate Windows files that use these names are, by default, located in the Windows system folder; a file with one of these names found in any other folder should be treated as suspect.
 
These copies may be dropped in the following folders:
%windir%
%windir%\System
%Temp%
%AppData%
%AppData%\Microsoft
<system folder>\drivers
 
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
 
For example:
%windir%\system\clipsrv.exe
%Temp%\logman.exe
 
This trojan modifies the system registry so that its dropped copies run automatically every time Windows starts. It does this by creating registry autostart entries in the following keys:
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
 
For example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"SessMgr" = "%temp%\sessmgr.exe /waitservice"
 
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
"ClipSrv" = "%windir%\system\clipsrv.exe /waitservice"
 
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
"load" = "%temp%\logman.exe"
 
It creates the mutex "3645FBCD-ECD2-23D0-BAC4-0FAB453DEF0B" to avoid running multiple copies of itself.
Payload
Downloads Arbitrary Files
TrojanDownloader:Win32/Horst.Q may attempt to update itself, or to download additional malware, from the following websites:
  • gafermus.com
  • umabater.com
  • upseek.org
 
Please see the Win32/Horst family description for more information.
 
Analysis by Elda Dimakiling

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files in a location other than the Windows system folder:
    esentutl.exe
    clipsrv.exe
    mstsc.exe
    mstinit.exe
    mqtgsvc.exe
    rsvp.exe
    sessmgr.exe
    spoolsv.exe
    ieudinit.exe
    logman.exe
    cisvc.exe
    dllhst3g.exe
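The following PowerShell triage script is an added example and is not part of the Microsoft encyclopedia entry. It checks a host for the three kinds of indicator listed in the Installation and Symptoms sections: look-alike files in the drop folders named above (outside the real system folder), autostart values in the three registry keys named above whose data references one of the file names, and the named mutex. Assumptions: it is run elevated so HKLM and the system folders are readable; it checks only the locations the entry lists, so a variant that uses other paths would be missed; the Authenticode status it reports for a found file is extra context, not something the entry states about the dropped copies; and the mutex is probed in both the session-local and Global namespaces because the entry does not say which one the trojan uses.

```powershell
# Added triage script for the Win32/Horst.Q indicators listed in this entry.
# Not part of the Microsoft entry; run in an elevated PowerShell session.

# File names the entry says the trojan drops copies under.
$names = @('esentutl.exe','clipsrv.exe','mstsc.exe','mstinit.exe','mqtgsvc.exe','rsvp.exe',
           'sessmgr.exe','spoolsv.exe','ieudinit.exe','logman.exe','cisvc.exe','dllhst3g.exe')

# Drop folders the entry lists. None of these is the real system folder (System32),
# so any hit here is a file that should not exist under that name.
# Assumption: [Environment]::SystemDirectory is the "<system folder>" the entry refers to
# (note it resolves to SysWOW64 when run from 32-bit PowerShell on 64-bit Windows).
$dropDirs = @(
    $env:windir,
    (Join-Path $env:windir 'System'),
    $env:TEMP,
    $env:APPDATA,
    (Join-Path $env:APPDATA 'Microsoft'),
    (Join-Path ([Environment]::SystemDirectory) 'drivers')
)

$findings = @()

# 1. Look-alike files outside the system folder.
foreach ($dir in $dropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($n in $names) {
        $p = Join-Path $dir $n
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $f   = Get-Item -LiteralPath $p
            $sig = Get-AuthenticodeSignature -FilePath $p   # context only; not an indicator from the entry
            $findings += [pscustomobject]@{
                Indicator = 'DroppedFile'
                Value     = $p
                Detail    = "Size=$($f.Length) Modified=$($f.LastWriteTime) Signature=$($sig.Status)"
            }
        }
    }
}

# 2. Autostart values in the registry keys the entry names.
#    The Policies\Explorer\Run keys are rarely populated on a normal workstation, and the
#    "load" value under Windows NT\CurrentVersion\Windows is normally empty, so any value
#    whose data references one of the file names is reported.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $props = Get-ItemProperty -LiteralPath $k
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive/... properties
        $data = [string]$prop.Value
        foreach ($n in $names) {
            if ($data -match [regex]::Escape($n)) {   # -match is case-insensitive by default
                $findings += [pscustomobject]@{
                    Indicator = 'Autorun'
                    Value     = "$k\$($prop.Name)"
                    Detail    = $data
                }
            }
        }
    }
}

# 3. The mutex the entry says the trojan creates to avoid running twice.
#    TryOpenExisting succeeds only if some process currently holds a mutex by that name.
$mutexName = '3645FBCD-ECD2-23D0-BAC4-0FAB453DEF0B'
foreach ($candidate in @($mutexName, "Global\$mutexName")) {
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$m)) {
        $m.Dispose()
        $findings += [pscustomobject]@{ Indicator = 'Mutex'; Value = $candidate; Detail = 'present' }
    }
}

if ($findings.Count -eq 0) {
    'No Win32/Horst.Q indicators found in the locations listed in the entry.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the file check does not by itself prove infection (the Windows\System folder on older systems holds legitimate 16-bit components, and administrators do occasionally copy tools into %windir%), but a file with one of these names in %Temp% or %AppData%, or an autorun value in Policies\Explorer\Run carrying the "/waitservice" argument shown above, matches the entry closely enough that the recommended full-system scan should follow. Do not stop at deleting the files: the entry describes the sample as a downloader, so anything it fetched from the listed domains must be looked for as well.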

Alert level: Severe
First detected by definition: 1.49.578.0
Latest detected by definition: 1.49.578.0 and higher
First detected on: Dec 16, 2008
This entry was first published on: Jan 21, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trj/DNSChanger.NY (Panda)
  • Trojan-Downloader.Win32.Calac.ajq (Kaspersky)
  • Trojan-Downloader.Win32.Agent.arts (Kaspersky)