Trojan:MSIL/Toshruli.A is a trojan that downloads malicious software, and modifies the affected user's browser settings to redirect them to a malicious website.
Payload
Redirects to specific website
The trojan makes the following registry modifications in order to redirect the user to a specific website:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyOverride"
With data: "content-help.ru;www.content-help.ru"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyServer"
With data: "<not shown>:80"
Trojan:MSIL/Toshruli.A also writes a file to c:\windows\system32\drivers\etc\hosts.txt which roughly translates to:
“Send an sms and do not suffer… Real cost of SMS is 150 rubles, and the call of the programmer of rubles 500 minimum:)”.
Displays messages
When the file is run, it displays a message box in Russian that says there is an error in the file and please read the manual. It looks like this:
Modifies Hosts file
The trojan modifies the Windows Hosts file. The local Hosts file maps host names to IP addresses and is consulted before DNS, so an entry there overrides the DNS resolution of a website to whatever IP address the entry specifies. Malicious software may modify the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected computer's Hosts file to stop users from reaching websites associated with particular security-related applications, such as antivirus products.
At the time of publication, we observed the trojan redirecting the following websites:
Trojan:MSIL/Toshruli.A inserts 1048 blank lines at the beginning of the c:\windows\system32\drivers\etc\hosts file so that, to a casual observer opening the file, it appears to contain nothing.
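A defender-side triage of a Hosts file for the two signs described above (leading blank-line padding and well-known sites mapped to a non-local address), as an added example that is not part of this analysis. The sample Hosts content, the watchlist of domains and the padding threshold are all constructed here for illustration.

```python
import ipaddress

# Constructed sample modelled on the described tampering: blank-line padding,
# then popular sites pointed at a single non-loopback address. The real file
# has 1048 leading blank lines and a far longer list of redirected names.
SAMPLE_HOSTS = "\n" * 5 + """127.0.0.1 localhost
203.0.113.5 www.vk.com
203.0.113.5 vk.com
203.0.113.5 www.kaspersky.ru   # security vendor site
"""

# Assumed watchlist of registrable domains worth alerting on (illustrative).
WATCHLIST = {"vk.com", "kaspersky.ru", "drweb.com", "yandex.ru", "google.com"}
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def leading_blank_lines(text):
    """Count the empty or whitespace-only lines before the first real line."""
    count = 0
    for line in text.splitlines():
        if line.strip():
            break
        count += 1
    return count


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blank and malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not a valid address; not a hosts entry
        for name in fields[1:]:
            yield ip, name.lower()


def registrable(name):
    # Crude last-two-labels rule; adequate for the .ru/.com names in this family.
    return ".".join(name.split(".")[-2:])


def triage(text, padding_threshold=50):
    """Return human-readable findings for padding and suspicious redirects."""
    findings = []
    padding = leading_blank_lines(text)
    if padding >= padding_threshold:
        findings.append(f"{padding} leading blank lines (padding to hide entries)")
    for ip, name in parse_hosts(text):
        if ip not in LOCAL_ADDRESSES and registrable(name) in WATCHLIST:
            findings.append(f"{name} -> {ip}")
    return findings
```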
Trojan:MSIL/Toshruli.A appends lines to the following file:
- %Application Data%\Mozilla\Firefox\Profiles\<profile>.default\prefs.js
%Application Data% refers to c:\Documents and Settings\<user>\Application Data\, where <user> refers to the logged-in user and <profile> refers to a variable assigned by Firefox.
Additional information
At the time of writing, the user is redirected to a site that displays the following message:
This is a fraudulent message that tells the user they have been sending spam. The message suggests the user should click on the URL provided, and enter their details in order to fix the issue.
Analysis by Michael Johnson