Trojan:Win32/Conhook.B installs itself as a Browser Helper Object (BHO) and connects to the Internet without user consent. The Trojan may also terminate specific security services and download additional malware to the computer.
Installation
Trojan:Win32/Conhook.B is installed by another executable. The installer program creates a dynamic link library (DLL) with a randomly generated file name in the Windows system folder, and also modifies the registry to load the DLL whenever a Web browser application is launched.
The Trojan installer may create the following registry keys (for example):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Dstr5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rasap2K
Trojan:Win32/Conhook.B may make further modifications to the registry, as illustrated in the examples below (where specific Class IDs, keys, values and data/file names will differ among variants and specific instances).
Creates one of these keys within the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID:
{40910BCF-0B02-417e-8C81-BC2124376133}\InprocServer32\
{64A31598-EEEC-4f1d-8D04-DACC1E2D5407}\InprocServer32\
{A5A925F3-6B88-4138-8092-16D95CD50D91}\InprocServer32\
{B8FD9F6C-AA0E-4fc3-A239-1C9A0CD80D47}\InprocServer32\
{DD13730A-FBA1-4f91-AB25-7FEB0563D33B}\InprocServer32\
With value: InprocServer32\<value> = "<system folder>\<random file name>.dll"
Creates one of these keys within the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects:
{40910BCF-0B02-417e-8C81-BC2124376133}
{64A31598-EEEC-4f1d-8D04-DACC1E2D5407}
{A5A925F3-6B88-4138-8092-16D95CD50D91}
{B8FD9F6C-AA0E-4fc3-A239-1C9A0CD80D47}
{DD13730A-FBA1-4f91-AB25-7FEB0563D33B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon\Notify\
DllName = "<system folder>\<random file name>.dll"
These changes may be made to register the DLL as a BHO, and to register the DLL as a Winlogon notification package.
The Trojan may also make a further change that causes the DLL to be loaded into every running process. All DLLs listed in this value are loaded by each Microsoft Windows-based application running in the current logon session.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\
AppInit_DLLs = "<system folder>\<random file name>.dll"
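The three registry locations described above (BHO CLSID registration, Winlogon notification packages and AppInit_DLLs), plus the two marker keys, can be audited in one pass. The following script is an added example and is not part of the Microsoft description; the CLSIDs and key names are taken from the description, while the Add-Finding and Get-DllConcern helpers, the signature check and the output format are my own. It assumes Windows PowerShell 5.1 or later in an elevated session and only reads the registry and file system.

```powershell
# Added example (not from the original description): read-only audit of the
# Conhook.B persistence locations. CLSIDs and key names come from the description.
$KnownClsids = @(
    '{40910BCF-0B02-417e-8C81-BC2124376133}',
    '{64A31598-EEEC-4f1d-8D04-DACC1E2D5407}',
    '{A5A925F3-6B88-4138-8092-16D95CD50D91}',
    '{B8FD9F6C-AA0E-4fc3-A239-1C9A0CD80D47}',
    '{DD13730A-FBA1-4f91-AB25-7FEB0563D33B}'
)
$SystemDir = [Environment]::GetFolderPath('System')      # typically C:\Windows\System32
$Findings  = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Location, [string]$Detail, [string]$Reason) {
    $Findings.Add([pscustomobject]@{ Location = $Location; Detail = $Detail; Reason = $Reason })
}

# Classify a DLL reference. The description's pattern is a randomly named DLL dropped in
# the system folder; an invalid or missing signature there is a reason to review, not a verdict.
function Get-DllConcern([string]$RawPath) {
    if (-not $RawPath) { return $null }
    $path = [Environment]::ExpandEnvironmentVariables($RawPath.Trim().Trim('"'))
    if (-not (Split-Path $path -Parent)) { $path = Join-Path $SystemDir $path }   # bare names resolve to system dir
    if (-not (Test-Path -LiteralPath $path)) { return "referenced DLL is missing: $path" }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($path -like "$SystemDir\*" -and $sig.Status -ne 'Valid') {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        return "unsigned DLL in system folder ($($sig.Status)), SHA256 $hash"
    }
    return $null
}

# 1. Browser Helper Objects: resolve every registered CLSID to its InprocServer32 DLL.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($bho in Get-ChildItem $bhoRoot) {
        $clsid  = $bho.PSChildName
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { $null }
        if ($KnownClsids -contains $clsid) {
            Add-Finding $bhoRoot "$clsid -> $dll" 'CLSID listed in the Conhook.B description'
        }
        $concern = Get-DllConcern $dll
        if ($concern) { Add-Finding $bhoRoot "$clsid -> $dll" $concern }
    }
}

# 2. Winlogon notification packages: one subkey per package, DllName holds the path.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyRoot) {
    foreach ($pkg in Get-ChildItem $notifyRoot) {
        $dll     = (Get-ItemProperty $pkg.PSPath).DllName
        $concern = Get-DllConcern $dll
        if ($concern) { Add-Finding $notifyRoot "$($pkg.PSChildName): DllName = $dll" $concern }
    }
}

# 3. AppInit_DLLs: a space- or comma-separated list loaded into every user32-linked process
#    when LoadAppInit_DLLs is 1. Any non-empty value deserves a look.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$winVal = Get-ItemProperty $winKey
$list   = [string]$winVal.AppInit_DLLs
if ($list.Trim()) {
    $state = if ($winVal.LoadAppInit_DLLs -eq 1) { 'enabled' } else { 'disabled or unset' }
    Add-Finding $winKey "AppInit_DLLs = $list (LoadAppInit_DLLs $state)" 'non-empty AppInit_DLLs'
    foreach ($entry in ($list -split '[,\s]+' | Where-Object { $_ })) {
        $concern = Get-DllConcern $entry
        if ($concern) { Add-Finding $winKey $entry $concern }
    }
}

# 4. Marker keys the installer is described as creating.
foreach ($marker in 'HKCU:\SOFTWARE\Microsoft\Dstr5', 'HKLM:\SOFTWARE\Microsoft\Rasap2K') {
    if (Test-Path $marker) { Add-Finding $marker '(key present)' 'marker key named in the description' }
}

if ($Findings.Count -eq 0) { 'No Conhook.B persistence indicators found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

The CLSID match is the only hard indicator; the signature check exists because the description says the file name is random, so the DLL cannot be matched by name. On older Windows releases Get-AuthenticodeSignature reports catalog-signed system DLLs as NotSigned, so treat the "unsigned DLL in system folder" rows as a review queue and compare the printed SHA256 against a known-good baseline rather than acting on them directly.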
Payload
Downloads and Executes Arbitrary Files
This Trojan injects its code into the running winlogon.exe and explorer.exe processes and creates remote threads in each. Trojan:Win32/Conhook then listens for connections on UDP port 3012.
Trojan:Win32/Conhook may connect to a remote Web site with IP address 83.149.105.223, using TCP port 80. This Trojan may attempt to download additional malware onto the infected computer.
Trojan:Win32/Conhook.B may terminate the process "GCASSERVALERT.EXE"; this process belongs to the application of the same name, located in the folder %ProgramFiles%\Microsoft Antispyware\.
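The payload indicators above (a UDP 3012 listener, a TCP connection to 83.149.105.223, injected code in winlogon.exe and explorer.exe, and GCASSERVALERT.EXE being killed) can be checked on a running system. The script below is an added example, not part of the Microsoft description: the port, IP address, process names and file path come from the description, while the Add-Finding and Describe-Process helpers and the "installed but not running" heuristic are my own. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 8 / Server 2012 or newer, where the Get-NetUDPEndpoint and Get-NetTCPConnection cmdlets are available.

```powershell
# Added example (not from the original description): runtime triage for the
# Conhook.B payload indicators. Read-only; nothing is terminated or modified.
$RemoteIp   = '83.149.105.223'
$ListenPort = 3012
$SystemDir  = [Environment]::GetFolderPath('System')
$Findings   = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Indicator, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}
function Describe-Process([int]$ProcId) {
    $p = Get-Process -Id $ProcId -ErrorAction SilentlyContinue
    if ($p) { "$($p.ProcessName) (PID $ProcId) $($p.Path)" } else { "PID $ProcId (exited)" }
}

# 1. Anything bound to UDP 3012. Because the Trojan runs as injected threads, the owning
#    process is expected to be a legitimate one such as winlogon.exe or explorer.exe.
foreach ($ep in Get-NetUDPEndpoint -LocalPort $ListenPort -ErrorAction SilentlyContinue) {
    Add-Finding "UDP $ListenPort bound" (Describe-Process $ep.OwningProcess)
}

# 2. Any TCP connection to the download host, in any state (SYN-sent counts as well).
foreach ($c in Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue) {
    Add-Finding "TCP to ${RemoteIp}:$($c.RemotePort) ($($c.State))" (Describe-Process $c.OwningProcess)
}

# 3. Unsigned DLLs from the system folder loaded in the two injection targets. Reading
#    winlogon.exe's module list needs elevation; a denied read is reported, not hidden.
foreach ($proc in Get-Process -Name winlogon, explorer -ErrorAction SilentlyContinue) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.FileName -like "$SystemDir\*.dll") {
                $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName
                if ($sig.Status -ne 'Valid') {
                    Add-Finding "unsigned module in $($proc.ProcessName) (PID $($proc.Id))" "$($m.FileName) [$($sig.Status)]"
                }
            }
        }
    } catch {
        Add-Finding "module list unreadable for $($proc.ProcessName) (PID $($proc.Id))" $_.Exception.Message
    }
}

# 4. The security process the Trojan kills: installed on disk but not running is the
#    state a defender would expect to see after the termination described above.
$alertExe = Join-Path $env:ProgramFiles 'Microsoft Antispyware\GCASSERVALERT.EXE'
if ((Test-Path -LiteralPath $alertExe) -and -not (Get-Process -Name GCASSERVALERT -ErrorAction SilentlyContinue)) {
    Add-Finding 'GCASSERVALERT.EXE installed but not running' $alertExe
}

if ($Findings.Count -eq 0) { 'No Conhook.B runtime indicators observed.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

The network checks are the high-confidence ones: a system process owning a UDP 3012 socket, or any process talking to the listed address, matches the description directly. The module scan is noisier (catalog-signed system DLLs can show as NotSigned on older Windows), so its rows are candidates to hash and compare against a clean machine, and the same DLL path should then be looked for in the registry locations from the Installation section.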