Installation
Threats in this family can be installed by macro malware downloader families such as Donoff, Adnel, and Bartallex. These malware families spread using malicious macros in Microsoft Office files that are attached to spam emails.
When the malicious macro runs, a variant of Drixed is downloaded and run from %TEMP% using a random file name, for example %TEMP%\444.exe.
This file is deleted by the malware after it runs.
The malware also looks for the MpsSvc service (the Windows Firewall service) in the registry and stops it.
It then opens the firewall for its backdoor by adding the following registry entry, a rule whose name imitates a built-in Core Networking rule but which actually allows inbound TCP (Protocol=6) connections to explorer.exe, the process the backdoor component later injects into:
In subkey: HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
With Value: "<random ID>"
With Data: "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=c:\windows\system32\explorer.exe|Name=Core Networking - Multicast Listener Done (ICMPv4-In)"
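As an added example (not code from the original page or from Microsoft), the following Python parses FirewallRules value data in the format shown above and flags rules of this kind. Only the explorer.exe entry comes from the page; the registry value names, the approximation of the genuine built-in Multicast Listener rule, the ordinary application rule and the %TEMP% dropper rule are constructed samples, and the heuristics go beyond the page's single case (an App under a Temp directory, and a rule name that claims ICMP while the Protocol field says otherwise).

```python
"""Flag Windows Firewall exceptions of the kind this page describes.

Added example; not code from the original page. The rule strings below are
constructed samples in the FirewallRules value format; only the explorer.exe
entry is taken from the page.
"""
import ntpath
import re

# Where Windows Firewall persists its rules. Each value's data is a '|'-separated
# string: a version token, then key=value fields.
FIREWALL_RULES_KEY = (r"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess"
                      r"\Parameters\FirewallPolicy\FirewallRules")

# Constructed sample of that key as a {value name: data} mapping.
SAMPLE_FIREWALL_RULES = {
    # The exception described on this page; the value name is random in the wild.
    "{8E1D2A54-3B7F-4C09-9A6E-0F1C2D3E4F5A}":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|"
        "App=c:\\windows\\system32\\explorer.exe|"
        "Name=Core Networking - Multicast Listener Done (ICMPv4-In)|",
    # Approximation of the genuine built-in rule the name above imitates:
    # ICMPv6 (protocol 58), no App, name and description as resource strings.
    "CoreNet-ICMP6-LD-In":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=132:*|"
        "Name=@FirewallAPI.dll,-25017|Desc=@FirewallAPI.dll,-25018|"
        "EmbedCtxt=@FirewallAPI.dll,-25000|",
    # Ordinary per-application exception, as an installer would create it.
    "{C0FFEE00-1111-2222-3333-444455556666}":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|"
        "App=C:\\Program Files\\Example\\app.exe|Name=Example App|",
    # Hypothetical variant that whitelists a dropper in %TEMP% instead.
    "{DEADBEEF-0000-0000-0000-000000000001}":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|"
        "App=C:\\Users\\bob\\AppData\\Local\\Temp\\444.exe|Name=Windows Update|",
}

# Binaries that should never need an inbound exception. Assumption: only the one
# named on this page; extend the set for your environment.
SHELL_BINARIES = {"explorer.exe"}

ICMP_PROTOCOL_NUMBER = {"4": "1", "6": "58"}   # ICMPv4 is IP protocol 1, ICMPv6 is 58


def parse_rule(data: str) -> dict:
    """Split one FirewallRules value into a dict of its fields."""
    fields = [f for f in data.split("|") if f]
    if not fields or not re.fullmatch(r"v\d+\.\d+", fields[0]):
        raise ValueError(f"not a FirewallRules value: {data!r}")
    rule = {"Version": fields[0]}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field {field!r}")
        rule[key] = value          # a repeated key keeps its last value
    return rule


def suspicious_reasons(rule: dict) -> list:
    """Heuristics for an inbound allow rule that looks planted rather than installed."""
    reasons = []
    if rule.get("Action", "").lower() != "allow" or rule.get("Dir", "").lower() != "in":
        return reasons             # only inbound allow rules expose a listener
    app = rule.get("App", "")
    base = ntpath.basename(app).lower()
    if base in SHELL_BINARIES:
        reasons.append(f"inbound allow for {base}, which never needs one")
    if "\\temp\\" in app.lower():
        reasons.append("inbound allow for a program under a Temp directory")
    name = rule.get("Name", "")
    m = re.search(r"ICMPv([46])", name)
    if m and rule.get("Protocol") != ICMP_PROTOCOL_NUMBER[m.group(1)]:
        reasons.append(f"name claims ICMPv{m.group(1)} but Protocol={rule.get('Protocol')}")
    if name.startswith("Core Networking"):
        # Built-in rules store Name as an @FirewallAPI.dll resource reference,
        # not as the literal display text.
        reasons.append("literal 'Core Networking' name instead of a resource string")
    return reasons


def scan(values: dict) -> dict:
    """Return {value name: reasons} for every rule that trips at least one heuristic."""
    flagged = {}
    for name, data in values.items():
        reasons = suspicious_reasons(parse_rule(data))
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    print(f"Scanning sample of {FIREWALL_RULES_KEY}")
    for name, reasons in scan(SAMPLE_FIREWALL_RULES).items():
        print(name)
        for why in reasons:
            print("   ", why)
```

On a live host the same `scan` can be fed the real key, for example by exporting it with `reg export` and reading the value data, or via `winreg.EnumValue`; the heuristics are deliberately narrow so that ordinary per-application exceptions are not reported.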
Payload
Steals your online banking credentials
The malware can steal your online banking user names and passwords. It targets mostly European banks by using various techniques tailored to the bank's security measures.
It monitors the following web browsers:
- Google Chrome
- Internet Explorer
- Mozilla Firefox
- Opera Browser
Depending on the website visited, the malware can inject its own HTML code into the page as the browser renders it (a web inject) in an attempt to steal your credentials.
Collects your sensitive information
This threat collects information about your PC and sends it to its command and control (C&C) server, including your:
- PC name
- User name
- Operating system version
- Operating system architecture
- Install date
- Installed software
We have seen it connect to the following remote hosts:
- 41.0.<removed>.178
- 92.63.<removed>.92
- 109.72.<removed>.140
- 178.32.<removed>.22
Depending on the response it receives from the server, the malware can then download its backdoor component.
Gives a malicious hacker access to your PC
This malware can give a malicious hacker access to and control of your PC. It does this by downloading a backdoor component that injects its code into the legitimate explorer.exe process.
The backdoor can then be used to steal further system information and to download other components or malware.
Stops your security product from running
Variants in this family can stop your security product from working. They check for the following security-related processes and stop them:
_avpm
a2guard
aavshield
advchk
ahnsd
airdefense
alertsvc
almon
alogserv
alsvc
amon
anti-trojan
antivir
ants
apvxdwin
armor2net
ashavast
ashdisp
ashenhcd
ashmaisv
ashpopwz
ashserv
ashsimpl
ashskpck
ashwebsv
aswupdsv
atcon
atupdater
atwatch
aupdate
autodown
autotrace
autoupdate
avast
avcenter
avciman
avconsol
avengine
avgamsvr
avgcc
avgcc32
avgctrl
avgemc
avgfwsrv
avgnt
avgntdd
avgntmgr
avgserv
avguard
avgupsvc
avinitnt
avkserv
avkservice
avkwctl
avp
avp32
avpcc
avpm
avpupd
avsched32
avsynmgr
avwupd32
avwupsrv
avxmonitor9x
avxmonitornt
avxquar
avz
backweb-4476822
bdmcon
bdnews
bdoesrv
bdss
bdsubmit
bdswitch
blackd
blackice
cafix
ccapp
ccenter
ccevtmgr
ccproxy
ccsetmgr
cfiaudit
clamtray
clamwin
claw95
claw95cf
cleaner
cleaner3
clisvc
cmgrdian
cpd
cureit
defwatch
doors
drvirus
drwadins
drweb32w
drwebscd
drwebupw
egui
ekrn
escanh95
escanhnt
ewidoctrl
ezantivirusregistrationcheck
f-agnt95
f-prot95
f-sched
f-stopw
fameh32
fast
fch32
filemon
firesvc
firetray
firewall
fpavupdm
freshclam
fsav32
fsavgui
fsbwsys
fsdfwd
fsgk32
fsgk32st
fsguiexe
fsma32
fsmb32
fspex
fssm32
gcasdtserv
gcasserv
giantantispywaremain
giantantispywareupdater
guardgui
guardnt
hregmon
hrres
hsockpe
hupdate
iamapp
iamserv
icload95
icloadnt
icmon
icssuppnt
icsupp95
icsuppnt
iface
inetupd
inocit
inorpc
inort
inotask
inouptng
iomon98
isafe
isatray
isrv95
issvc
kav
kavmm
kavpf
kavpfw
kavstart
kavsvc
kavsvcui
kmailmon
kpfwsvc
kwatch
lockdown2000
logwatnt
luall
lucomserver
luupdate
mbam
mbamgui
mbamservice
mcagent
mcmnhdlr
mcregwiz
mcupdate
mcvsshld
minilog
myagtsvc
myagttry
navapsvc
navapw32
navlu32
navrunr
navw32
navwnt
neowatchlog
neowatchtray
nisserv
nisum
nmain
nod32
nod32cc
nod32krn
nod32kui
nod32m2
normist
notstart
npavtray
qhonline
npfmntor
npfmsg
nprotect
nsched32
nsmdtr
nssserv
nsstray
ntrtscan
ntxconfig
nupgrade
nvc95
nvcod
nvcte
nvcut
nwservice
ofcpfwsvc
outpost
pav
pavfires
pavfnsvr
pavkre
pavprot
pavproxy
pavprsrv
pavsrv51
pavss
pccguide
pcciomon
pccntmon
pccpfw
pcctlcom
pctav
persfw
pertsk
pervac
pnmsrv
pop3trap
poproxy
prevsrv
psimsvc
qhm32
qhonsvc
qhpf
qhwscsvc
ravmon
ravtimer
realmon
realmon95
rfwmain
rtvscan
rtvscn95
rulaunch
savadminservice
savmain
savprogress
savscan
scan32
scanningprocess
sdhelp
shstat
sitecli
spbbcsvc
sphinx
spiderml
spidernt
spiderui
spybotsd
spyxx
ss3edit
stopsignav
swagent
swdoctor
swnetsup
symlcsvc
symproxysvc
symsport
symwsc
synmgr
taumon
tbmon
tds-3
teatimer
tfak
thav
thsm
tmas
tmlisten
tmntsrv
tmpfw
tmproxy
tnbutil
trjscan
up2date
vba32ecm
vba32ifs
vba32ldr
vba32pp3
vbsntw
vchk
vcrmon
vettray
viruskeeper
vptray
vrfwsvc
vrmonnt
vrmonsvc
vrrw32
vsecomr
vshwin32
vsmon
vsserv
vsstat
watchdog
webproxy
webscanx
webtrap
wgfe95
winaw32
winroute
winss
winssnotify
wradmin
wrctrl
xcommsvr
zatutor
zauinst
zlclient
zonealarm
Analysis by Alden Pornasdoro