TrojanDropper:Win32/Conhook.A


TrojanDropper:Win32/Conhook.A is a Trojan that drops and installs TrojanDownloader:Win32/Conhook.A.
 
TrojanDownloader:Win32/Conhook.A attempts to download content from a remote Web site. TrojanDownloader:Win32/Conhook.A injects its code into running processes, which could, depending on configuration, allow the Trojan to bypass permission-based firewalls in order to gain Internet access.


What to do now

To recover manually from infection by TrojanDropper:Win32/Conhook.A, perform the following steps:
  • Disconnect from the Internet.
  • Identify the Trojan filename using the registry.
  • Delete the Trojan registry entry.
  • Restart the computer.
  • Delete the Trojan files from your computer.
  • Restart the computer.
  • Take steps to prevent re-infection.

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

Identify the Trojan filename using the registry

To identify the Trojan filename using the registry
  1. On the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to key:
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
  4. Write down the name found in the value "InprocServer32".

Delete the Trojan registry entry

To delete the Trojan registry entry
  1. If Registry Editor is already running, skip to step 3 below; otherwise, on the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to the key:
    HKEY_CLASSES_ROOT\CLSID
  4. In the right pane, right-click the following value, if it exists: {EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
  5. Click Delete and click Yes to delete the value.
  6. In the left pane, navigate to the key:
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\
  7. In the right pane, right-click the following value, if it exists: {EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
  8. Click Delete and click Yes to delete the value.
  9. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
  10. In the right pane, right-click the following value, if it exists: {EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
  11. Click Delete and click Yes to delete the value.
  12. Close the Registry Editor.

Restart the computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Delete the Trojan files from your computer

To delete the Trojan files from your computer
  1. Click Start, and click Run.
  2. In the Open field, type %windir%\System32.
  3. Click OK.
  4. Click View and click Details.
  5. Click Name to sort files by name.
  6. Delete the Trojan file whose name you obtained in the "Identify the Trojan filename using the registry" instructions above.
  7. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  8. Click Yes to confirm the deletion.

Restart the computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Take steps to prevent re-infection

You should not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.

Threat behavior

When TrojanDownloader:Win32/Conhook.A is run, it performs the following actions:
  • Installs itself to the <system folder> as a .DLL with a random five-letter name such as 'hsujl.dll'.
  • The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista), C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System (Windows 95/98/ME).
  • Modifies the registry to load the Trojan at Windows startup:
    Adds value: {EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
    To subkey: HKEY_CLASSES_ROOT\CLSID
    Adds value: InprocServer32
    With data: <system folder>\<Trojan filename>
    To subkey:
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
    Adds value: {EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
    To subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    Adds value: <Trojan filename>
    To subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • Creates mutexes named "awx_mutant" and "_ConsprMutex"
  • Injects code into Explorer.exe and Winlogon.exe
  • Injects code into "ad-aware.exe" to run code in an existing process
  • Attempts to terminate any running process named "gcasservalert.exe"
  • Attempts to download content from a remote Web site

Symptoms

The following symptoms may be indicative of a TrojanDropper:Win32/Conhook.A infection:
  • Presence of the following keys in the registry:
    HKEY_CLASSES_ROOT\CLSID\{EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
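The following PowerShell audit script is an added example and is not part of the Microsoft encyclopedia entry. It checks the registry locations listed under "Threat behavior" and "Symptoms", resolves the dropped DLL name from the CLSID key as the "Identify the Trojan filename using the registry" steps do, tests for the two mutex names, and, with the -Remove switch, deletes the registry entries after a confirmation prompt. Assumptions not taken from the page: the CLSID key may use the standard COM layout (InprocServer32 as a subkey with a default value) as well as the value layout the entry describes; Winlogon\Notify entries are matched both on the resolved DLL name and on the five-letter naming pattern the entry mentions; the script runs from an elevated PowerShell session.

```powershell
# Added audit script for the indicators listed in this write-up; not part of the Microsoft entry.
# Assumptions (not from the page): the CLSID key may use the standard COM layout (InprocServer32
# as a subkey with a default value) as well as the value layout the page describes; run elevated.
param(
    [switch]$Remove   # when set, prompt (-Confirm) before deleting each registry finding
)

$Clsid = '{EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}'   # CLSID quoted in the write-up
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# "Identify the Trojan filename using the registry": resolve the DLL path from the CLSID key.
function Get-InprocServerPath([string]$ClsidKey) {
    # Standard COM layout: InprocServer32 is a subkey whose (default) value is the DLL path.
    $sub = "$ClsidKey\InprocServer32"
    if (Test-Path -LiteralPath $sub) {
        $p = (Get-ItemProperty -LiteralPath $sub -ErrorAction SilentlyContinue).'(default)'
        if ($p) { return [string]$p }
    }
    # Layout as the write-up describes it: a value named InprocServer32 on the CLSID key itself.
    $v = Get-ItemProperty -LiteralPath $ClsidKey -Name 'InprocServer32' -ErrorAction SilentlyContinue
    if ($v) { return [string]$v.InprocServer32 }
    return $null
}

# CLSID registrations named in "Symptoms" (HKCR\CLSID is a merged view of HKLM\Software\Classes).
$DllPath = $null
foreach ($k in "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
               "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$Clsid") {
    if (Test-Path -LiteralPath $k) {
        $path = Get-InprocServerPath $k
        Add-Finding 'RegistryKey' $k "InprocServer32 = $path"
        if ($path -and -not $DllPath) { $DllPath = $path }
    }
}

# ShellExecuteHooks: the CLSID is stored as a value name under this key.
$HooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Get-ItemProperty -LiteralPath $HooksKey -Name $Clsid -ErrorAction SilentlyContinue) {
    Add-Finding 'RegistryValue' $HooksKey $Clsid
}

# Winlogon\Notify: the entry is named after the dropped DLL, so match on the resolved name and
# also list five-letter names for review (the write-up's "random five-letter name").
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$DllName = if ($DllPath) { [IO.Path]::GetFileNameWithoutExtension($DllPath) } else { '' }
if (Test-Path -LiteralPath $NotifyKey) {
    $names  = @(Get-ChildItem -LiteralPath $NotifyKey | ForEach-Object { $_.PSChildName })
    $names += @((Get-Item -LiteralPath $NotifyKey).GetValueNames())
    foreach ($n in $names) {
        $base = [IO.Path]::GetFileNameWithoutExtension($n)
        if (($DllName -and $base -ieq $DllName) -or ($base -match '^[a-z]{5}$')) {
            Add-Finding 'WinlogonNotify' $NotifyKey $n
        }
    }
}

# Dropped file: confirm it exists in the system folder and record a hash for the incident record.
if ($DllPath) {
    $full = [Environment]::ExpandEnvironmentVariables($DllPath)
    if (-not [IO.Path]::IsPathRooted($full)) { $full = Join-Path "$env:windir\System32" $full }
    if (Test-Path -LiteralPath $full) {
        Add-Finding 'File' $full ("SHA256 " + (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash)
    }
}

# Mutexes named in "Threat behavior". OpenExisting succeeds only if the mutex currently exists;
# access denied also means it exists (created under another account), so record that too.
foreach ($m in 'awx_mutant', '_ConsprMutex') {
    try {
        $mx = [System.Threading.Mutex]::OpenExisting($m)
        $mx.Dispose()
        Add-Finding 'Mutex' $m 'present'
    } catch {
        $inner = $_.Exception.InnerException
        if (-not $inner) { $inner = $_.Exception }
        if ($inner -is [System.UnauthorizedAccessException]) { Add-Finding 'Mutex' $m 'present (access denied)' }
        # WaitHandleCannotBeOpenedException: the mutex is not present, nothing to record.
    }
}

# Report, then optionally remove the registry findings. The DLL itself is left to the manual
# steps above: it is loaded into Explorer.exe and Winlogon.exe and needs the reboot first.
$Findings | Format-Table -AutoSize
if ($Remove) {
    foreach ($f in $Findings) {
        switch ($f.Kind) {
            'RegistryKey' {
                # HKCR and HKLM\Software\Classes hold the same data, so the second may already be gone.
                if (Test-Path -LiteralPath $f.Location) { Remove-Item -LiteralPath $f.Location -Recurse -Confirm }
            }
            'RegistryValue'  { Remove-ItemProperty -LiteralPath $f.Location -Name $f.Detail -Confirm }
            'WinlogonNotify' {
                $sub = "$($f.Location)\$($f.Detail)"
                if (Test-Path -LiteralPath $sub) { Remove-Item -LiteralPath $sub -Recurse -Confirm }
                else { Remove-ItemProperty -LiteralPath $f.Location -Name $f.Detail -Confirm }
            }
        }
    }
}
```

Run it once without -Remove to get the findings table and the SHA256 of the dropped file, then again with -Remove after the machine has been disconnected from the network; each registry deletion asks for confirmation, and the reboot and file deletion follow the manual steps above. A mutex result of "present" means the downloader is running at that moment, which is why the script does not attempt to delete the DLL itself.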

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.191.4348.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Oct 24, 2007
This entry was updated on: Oct 25, 2007

This threat is also detected as:
  • Trojan-Downloader.Win32.ConHook.n (Kaspersky)
  • Downloader-AGR (McAfee)
  • W32/ConHook.E (Norman)
  • Troj/ConHook-N (Sophos)
  • Trojan-Downloader.Gen (Sunbelt Software)
  • Downloader (Symantec)
  • PAK_Generic.001 (Trend Micro)