Trojan:Win32/Trooti


Trojan:Win32/Trooti is a trojan that connects to a remote website to post data from an infected computer, and installs a dropped DLL as a Windows NT service.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Trojan:Win32/Trooti is dropped by TrojanDropper:Win32/Machime.A as the following file:
 
%windir%\ime\wmimachine2.dll
 
It is also installed by TrojanDropper:Win32/Machime.A as a Windows NT service with the following registry entries:
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4
Sets value: NextInstance
With data: dword:00000001
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000
Sets value: Service
With data: "6to4"
Sets value: Legacy
With data: dword:00000001
Sets value: ConfigFlags
With data: dword:00000000
Sets value: Class
With data: "LegacyDriver"
Sets value: ClassGUID
With data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Sets value: DeviceDesc
With data: ".NET Runtime Optimization Service v2.086521.BackUp_X86"
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control
Sets value: *NewlyCreated*
With data: dword:00000000
Sets value: ActiveService
With data: "6to4"
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: Type
With data: dword:00000020
Sets value: Start
With data: dword:00000002
Sets value: ErrorControl
With data: dword:00000001
Sets value: ImagePath
With data: '%SystemRoot%\system32\svchost.exe -k netsvcs'
Sets value: DisplayName
With data: ".NET Runtime Optimization Service v2.086521.BackUp_X86"
Sets value: ObjectName
With data: "LocalSystem"
Sets value: Description
With data: "Microsoft .NET Framework NGEN"
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: ServiceDll
With data: 'C:\WINDOWS\ime\wmimachine2.dll'
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Security
Sets value: Security
With data: hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Enum
Sets value: 0
With data: "Root\LEGACY_6TO4\0000"
Sets value: Count
With data: dword:00000001
Sets value: NextInstance
With data: dword:00000001
 
The trojan then deletes the original %windir%\ime\wmimachine.dll file at the next reboot by creating the following registry entry (a PendingFileRenameOperations entry with no destination name is processed as a delete when the system starts):
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Sets value: PendingFileRenameOperations
With data: \??\C:\WINDOWS\ime\wmimachine.dll
Payload
Connects to remote websites
Trojan:Win32/Trooti attempts to connect to the following website to post data from the infected machine:
 
http://tro2.6600.org:2/index.asp
 
Analysis by Rex Plantado

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:

    %windir%\ime\wmimachine2.dll
  • The presence of the following registry modifications:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
    Sets value: Type
    With data: dword:00000020
    Sets value: Start
    With data: dword:00000002
    Sets value: ErrorControl
    With data: dword:00000001
    Sets value: ImagePath
    With data: '%SystemRoot%\system32\svchost.exe -k netsvcs'
    Sets value: DisplayName
    With data: ".NET Runtime Optimization Service v2.086521.BackUp_X86"
    Sets value: ObjectName
    With data: "LocalSystem"
    Sets value: Description
    With data: "Microsoft .NET Framework NGEN"

  • The presence of a service with the following name:

    .NET Runtime Optimization Service v2.086521.BackUp_X86
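The installation and symptom sections above describe a classic svchost-hosted service: a DLL outside System32 registered as the ServiceDll of a netsvcs service with a display name borrowed from the .NET Framework, plus a delete-on-reboot entry that removes the dropper's original file. The following read-only PowerShell script is an added example written for this entry; it is not Microsoft's code. It checks the specific indicators listed on this page and, going beyond them, applies the general check they illustrate: every service whose ImagePath is svchost.exe should load its ServiceDll from %SystemRoot%\System32. The file path, service name, display name and registry locations are taken from the entry; nothing else is assumed.

```powershell
# Added example (not part of the Microsoft encyclopedia entry): a read-only hunt for the
# Trojan:Win32/Trooti indicators on this page plus the general check behind them.
# Run from an elevated PowerShell prompt; nothing here modifies the system.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()
$findings    = @()

# 1. Indicators specific to this entry: the dropped DLL and the mislabelled 6to4 service.
$dll = Join-Path $env:windir 'ime\wmimachine2.dll'
if (Test-Path -LiteralPath $dll) {
    $findings += "File present: $dll"
}

$svc = Get-ItemProperty -Path "$servicesKey\6to4" -ErrorAction SilentlyContinue
if ($svc -and $svc.DisplayName -like '.NET Runtime Optimization Service*BackUp*') {
    $findings += "Service '6to4' carries the DisplayName seen in this entry: $($svc.DisplayName)"
}

# 2. General check: svchost-hosted services should load their ServiceDll from System32.
#    Anything else (here: C:\WINDOWS\ime\wmimachine2.dll) is worth a closer look.
foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath -or $props.ImagePath -notmatch 'svchost\.exe') { continue }

    $params = Get-ItemProperty -Path "$servicesKey\$($key.PSChildName)\Parameters" -ErrorAction SilentlyContinue
    if (-not $params.ServiceDll) { continue }

    # ServiceDll is REG_EXPAND_SZ; expand it explicitly before comparing the prefix.
    $expanded = [Environment]::ExpandEnvironmentVariables($params.ServiceDll).ToLowerInvariant()
    if (-not $expanded.StartsWith($system32)) {
        $findings += "svchost service '$($key.PSChildName)' ($($props.DisplayName)) loads ServiceDll outside System32: $($params.ServiceDll)"
    }
}

# 3. PendingFileRenameOperations holds source/destination pairs; an empty destination
#    means the file is deleted at the next boot, which is how this trojan removes wmimachine.dll.
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
if ($sm.PendingFileRenameOperations) {
    $ops = @($sm.PendingFileRenameOperations)
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = $ops[$i]
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        if ($src -match '\\ime\\wmimachine') {
            $action = if ($dst) { "rename to $dst" } else { 'delete' }
            $findings += "PendingFileRenameOperations will $action $src at next boot"
        }
    }
}

if ($findings.Count -eq 0) { 'No Trooti indicators found.' } else { $findings }
```

The general check in step 2 will also surface legitimate third-party services that host their DLL under Program Files, so treat its output as a review list rather than a verdict; the page-specific checks in steps 1 and 3 are the ones that match this entry directly. Because the service runs as LocalSystem under a trusted host process, the ServiceDll path and the mismatch between the service name (6to4) and its display name are the signals that survive a casual look at the service list.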

Prevention


Alert level: Severe
First detected by definition: 1.93.1040.0
Latest detected by definition: 1.93.1040.0 and higher
First detected on: Nov 03, 2010
This entry was first published on: Nov 03, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases