Win32/Cleaman is a family of multi-component, obfuscated trojans distributed via drive-by exploit kits. Its main purpose is to redirect Bing, Google, and Yahoo search results to bogus web pages that serve advertisements, adware programs, and additional malware.
Installation
Win32/Cleaman is usually distributed by drive-by exploit kits. We have seen members of this family bundled with exploits that are variants of Exploit:Java/CVE-2010-0840 and Exploit:Java/CVE-2011-3544. It usually arrives protected by custom packers, injectors, or crypters, for example, VirTool:Win32/CeeInject.gen!DZ.
Win32/Cleaman creates .EXE and .DLL components with any of the following names:
- %AppData%\dplaysvr.exe
- %AppData%\bhelper.exe
- %AppData%\cleanddm.exe
- %AppData%\cleanhdd.exe
- %AppData%\cleanhdm.exe
- %AppData%\cleanhelper.exe
- %AppData%\cleanhlm.exe
- %AppData%\cleanhtm.exe
- %AppData%\cleanmgr.exe
- %AppData%\compmgm.exe
- %AppData%\volmgr.exe
- %AppData%\dplayx.dll
- %AppData%\bhelper.dll
- %AppData%\cleanddm.dll
- %AppData%\cleanhdd.dll
- %AppData%\cleanhdm.dll
- %AppData%\cleanhelper.dll
- %AppData%\cleanhlm.dll
- %AppData%\cleanhtm.dll
- %AppData%\cleanmgr.dll
- %AppData%\compmgm.dll
- %AppData%\volmgr.dll
Note: Some of the dropped file names listed here resemble legitimate Windows system files (for example, dplaysvr.exe, dplayx.dll, and cleanmgr.exe). The legitimate files live under the Windows system directory; copies of these names directly in %AppData% are a strong indicator of this family.
Win32/Cleaman also creates the following registry entries to ensure that its dropped files run every time Windows starts.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "%AppData%\<malware file>.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware value>"
With data: "%AppData%\<malware file>.exe"
For example:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "dplaysvr"
With data: "%AppData%\dplaysvr.exe"
Win32/Cleaman may create a .LNK file in <common startup folder> that points to the malware file. The .LNK file has the same base name as the .EXE component.
It may also create a randomly named empty text file as an infection marker.
It then connects to a remote server controlled by the attacker and sends the following information:
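The dropped-file names, the Run-key values, and the Startup-folder .LNK described above can be checked mechanically. The script below is an added example, not Microsoft's own tooling: it takes a directory listing of the expanded %AppData% folder, a dump of the two Run keys as (subkey, value name, data) tuples, and a listing of the Startup folder, and reports anything that matches the indicators on this page. All sample inputs (paths, listings, Run-key data) are constructed; on a live Windows host you would feed it the results of os.listdir() and the values enumerated from the Run keys via winreg, and the matching logic is unchanged.

```python
"""Offline triage for the Win32/Cleaman persistence indicators described above.

Added example, not Microsoft's own tooling. Listings and Run-key dumps are
constructed so the checks run on any OS; on a live Windows host pass in
os.listdir() of the expanded %AppData% and Startup folders and the values
enumerated from the two Run keys (for example with winreg).
"""
import ntpath

# Base names of the .exe/.dll component pairs listed in the description.
CLEAMAN_EXE_BASENAMES = {
    "dplaysvr", "bhelper", "cleanddm", "cleanhdd", "cleanhdm", "cleanhelper",
    "cleanhlm", "cleanhtm", "cleanmgr", "compmgm", "volmgr",
}
# The DLL partner of dplaysvr.exe is dplayx.dll; every other pair shares a name.
CLEAMAN_DLL_BASENAMES = (CLEAMAN_EXE_BASENAMES - {"dplaysvr"}) | {"dplayx"}

RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}
_HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def _norm_key(subkey):
    """Lower-case a registry path and shorten long hive names (HKEY_... -> hklm/hkcu)."""
    key = subkey.strip("\\").lower()
    hive, _, rest = key.partition("\\")
    return _HIVE_ALIASES.get(hive, hive) + "\\" + rest


def _expand_appdata(path, appdata_dir):
    """Replace a literal %AppData% (any case) with its expanded directory."""
    idx = path.lower().find("%appdata%")
    if idx == -1:
        return path
    return path[:idx] + appdata_dir + path[idx + len("%appdata%"):]


def suspicious_appdata_files(appdata_dir, names):
    """Return full paths for entries of `names` (files directly in %AppData%)
    that carry a Cleaman component name. The legitimate dplaysvr.exe,
    dplayx.dll and cleanmgr.exe live under the Windows system directory."""
    hits = []
    for name in names:
        base, ext = ntpath.splitext(name.lower())
        if (ext == ".exe" and base in CLEAMAN_EXE_BASENAMES) or \
           (ext == ".dll" and base in CLEAMAN_DLL_BASENAMES):
            hits.append(ntpath.join(appdata_dir, name))
    return hits


def suspicious_run_entries(run_entries, appdata_dir):
    """run_entries: iterable of (subkey, value_name, data). Flags Run values
    that launch a Cleaman-named .exe from %AppData%, whether the data uses the
    literal variable or the already expanded path."""
    hits = []
    for subkey, value_name, data in run_entries:
        if _norm_key(subkey) not in RUN_KEYS:
            continue
        target = _expand_appdata(data.strip().strip('"'), appdata_dir)
        head, name = ntpath.split(target)
        base, ext = ntpath.splitext(name.lower())
        if ext == ".exe" and base in CLEAMAN_EXE_BASENAMES \
                and head.lower() == appdata_dir.lower():
            hits.append((subkey, value_name, data))
    return hits


def suspicious_startup_links(names):
    """Return .lnk names in the Startup folder that mirror a Cleaman .exe name."""
    return [n for n in names
            if n.lower().endswith(".lnk")
            and ntpath.splitext(n.lower())[0] in CLEAMAN_EXE_BASENAMES]


# --- constructed sample host state (not real telemetry) ---
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_APPDATA_LISTING = ["dplaysvr.exe", "dplayx.dll", "Microsoft",
                          "readme.txt", "CleanMgr.exe"]
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "dplaysvr",
     r'"%AppData%\dplaysvr.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Program Files\OneDrive\OneDrive.exe" /background'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "cleanmgr", r"C:\Users\alice\AppData\Roaming\cleanmgr.exe"),
]
SAMPLE_STARTUP_LISTING = ["dplaysvr.lnk", "desktop.ini"]

if __name__ == "__main__":
    for hit in suspicious_appdata_files(APPDATA, SAMPLE_APPDATA_LISTING):
        print("file:    ", hit)
    for hit in suspicious_run_entries(SAMPLE_RUN_ENTRIES, APPDATA):
        print("run key: ", hit)
    for hit in suspicious_startup_links(SAMPLE_STARTUP_LISTING):
        print("startup: ", hit)
```

The file check deliberately keys on the directory, not the name alone: a cleanmgr.exe under %windir%\System32 is the Disk Cleanup tool, and only the %AppData% copy is meaningful here.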
- Identifier and version of itself
- Infected computer's name
Win32/Cleaman hooks the following APIs to redirect Internet access and to hide its files, threads, processes, and registry entries:
- Within ntdll.dll
  - NtResumeThread
  - NtEnumerateValueKey (registry value enumeration)
  - NtQuerySystemInformation (process and thread enumeration)
  - LdrLoadDll
- Within kernel32.dll (file enumeration)
  - FindFirstFileA
  - FindNextFileA
  - FindFirstFileW
  - FindNextFileW
- Within ws2_32.dll
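User-mode hooks of the kind listed above are usually installed by overwriting the first bytes of the exported function with a jump to the malware's code. The script below is an added example, not part of the original analysis: it decodes the prologue of an export and reports when control leaves the function's own module, then sweeps a table of exports the way a hook scanner would over the ntdll.dll and kernel32.dll names above. The module base, size, function addresses and byte strings are constructed for the example; on a live host you would read them with ReadProcessMemory (or from a memory dump) and compare against the on-disk DLL.

```python
"""Heuristic detection of inline (prologue) hooks on exported functions.

Added example, not part of the original analysis. Decodes the first bytes of
an export and flags transfers of control out of the export's own module, which
is what a user-mode hook on e.g. FindFirstFileW or NtQuerySystemInformation
looks like. All addresses and byte strings below are constructed.
"""
import struct


def decode_transfer(func_va, code, bits=32):
    """Return (kind, target) if `code` starts with a control transfer typically
    written by hooking engines, else None. For jmp_indirect, `target` is the
    address of the pointer slot that holds the real destination."""
    mask = (1 << bits) - 1
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (func_va + 5 + rel) & mask
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32 / ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if bits == 32 and len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":
        return "mov_eax_jmp", struct.unpack_from("<I", code, 1)[0]   # mov eax,imm32 / jmp eax
    if bits == 64 and len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov_rax_jmp", struct.unpack_from("<Q", code, 2)[0]   # mov rax,imm64 / jmp rax
    if len(code) >= 6 and code[:2] == b"\xff\x25":                   # jmp [slot]
        disp = struct.unpack_from("<I" if bits == 32 else "<i", code, 2)[0]
        slot = disp if bits == 32 else (func_va + 6 + disp) & mask   # x64 form is RIP-relative
        return "jmp_indirect", slot
    return None


def inspect_prologue(func_va, code, module_base, module_size, bits=32, read_ptr=None):
    """None when the prologue is ordinary code; otherwise (kind, target, suspicious).
    suspicious is True when the transfer leaves [module_base, module_base+size).
    A jmp that stays inside the module is not flagged: Microsoft hot-patches and
    compiler thunks look like that, so only cross-module transfers count.
    read_ptr(addr) -> int resolves jmp_indirect slots; without it the entry is
    reported as suspicious so it gets a manual look."""
    hit = decode_transfer(func_va, code, bits)
    if hit is None:
        return None
    kind, target = hit
    if kind == "jmp_indirect":
        if read_ptr is None:
            return kind, target, True
        target = read_ptr(target)
    inside = module_base <= target < module_base + module_size
    return kind, target, not inside


def hooked_exports(exports, module_base, module_size, bits=32, read_ptr=None):
    """exports: iterable of (name, va, first_bytes). Returns the names whose
    prologue transfers control out of the module."""
    out = []
    for name, va, code in exports:
        r = inspect_prologue(va, code, module_base, module_size, bits, read_ptr)
        if r is not None and r[2]:
            out.append(name)
    return out


# --- constructed sample: a 32-bit kernel32 image with two exports overwritten ---
MODULE_BASE = 0x7C800000
MODULE_SIZE = 0x000F6000
HOOK_TARGET = 0x00351000               # injected code well outside the module
CLEAN = bytes.fromhex("8bff558bec")    # mov edi,edi / push ebp / mov ebp,esp
FINDFIRSTA_VA = MODULE_BASE + 0x13B1C
FINDNEXTW_VA = MODULE_BASE + 0x14A20
SAMPLE_EXPORTS = [
    ("FindFirstFileA", FINDFIRSTA_VA,
     b"\xe9" + struct.pack("<i", HOOK_TARGET - (FINDFIRSTA_VA + 5))),
    ("FindNextFileA", MODULE_BASE + 0x13D00, CLEAN),
    ("FindFirstFileW", MODULE_BASE + 0x14000,
     b"\xe9" + struct.pack("<i", 0x1000 - 0x14000 - 5)),   # jmp inside module: not flagged
    ("FindNextFileW", FINDNEXTW_VA,
     b"\x68" + struct.pack("<I", HOOK_TARGET + 0x40) + b"\xc3"),
]

if __name__ == "__main__":
    print(hooked_exports(SAMPLE_EXPORTS, MODULE_BASE, MODULE_SIZE))
```

Comparing the first bytes against the same export in the DLL on disk (after relocation) is the complementary check: it also catches hooks that use instruction sequences this decoder does not know about.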
Payload
Modifies Hosts file
Win32/Cleaman modifies the Windows Hosts file by adding the following entries, so that name resolution for these search sites never reaches DNS and instead returns the attacker's addresses:
- 80.79.117.219 www.google.com
- 80.79.117.220 search.yahoo.com
- 80.79.117.220 www.bing.com
Redirects web searches
Win32/Cleaman monitors the user's web browsing and redirects the browser when certain websites are visited. When the user runs a web search on Bing, Google, or Yahoo, the browser is redirected to a specific IP address, for example, "80.79.117.219".
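The Hosts entries listed under "Modifies Hosts file" are the easiest artifact of this redirect to check for. The script below is an added example, not Microsoft's own tooling: it parses a Hosts file, reports any search-engine hostname mapped to a routable address, and returns a cleaned copy with those lines removed. It generalises slightly beyond the three entries on this page, flagging any name under google.com, yahoo.com or bing.com, and leaves loopback or 0.0.0.0 mappings (ad-block style sinkholes) alone. The SAMPLE_HOSTS text is constructed; HOSTS_PATH is the standard location of the file on Windows.

```python
"""Detect and strip search-engine redirects in a Windows Hosts file.

Added example, not Microsoft's own tooling. Flags any google.com, yahoo.com or
bing.com name mapped to a routable address (the three entries quoted above are
the specific case); loopback/unspecified mappings are ignored. SAMPLE_HOSTS is
a constructed file.
"""
import ipaddress

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
SEARCH_DOMAINS = ("google.com", "yahoo.com", "bing.com")


def parse_hosts(text):
    """Yield (lineno, ip_address, [hostnames]) for each active mapping, skipping
    blank lines, comments (# to end of line) and unparsable addresses."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield lineno, ip, [h.lower().rstrip(".") for h in fields[1:]]


def is_search_host(hostname):
    """True for the search domains themselves and any subdomain of them."""
    return any(hostname == d or hostname.endswith("." + d) for d in SEARCH_DOMAINS)


def search_redirects(text):
    """Return (lineno, ip, hostname) for every search-engine name mapped to a
    routable address; these are the Cleaman-style redirects."""
    hits = []
    for lineno, ip, hosts in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:   # sinkholes, not redirects
            continue
        hits.extend((lineno, str(ip), h) for h in hosts if is_search_host(h))
    return hits


def strip_redirects(text):
    """Return the Hosts content with the offending lines removed (remediation)."""
    bad = {lineno for lineno, _, _ in search_redirects(text)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: the default header plus the entries Cleaman adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# (constructed sample for the example)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid   # ad-block sinkhole, not a redirect
80.79.117.219 www.google.com
80.79.117.220 search.yahoo.com
80.79.117.220 www.bing.com
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python hosts_check.py C:\Windows\System32\drivers\etc\hosts
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, ip, host in search_redirects(text):
        print(f"line {lineno}: {host} -> {ip}")
```

Cleaning the Hosts file alone does not remove the infection: the ws2_32.dll hooks described above can still redirect connections from inside the browser process, so the file check is a detection aid, and the dropped components and Run-key entries still have to be removed.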
Analysis by Rodel Finones