Trojan:Win32/Conhook.N is a trojan that installs itself as a BHO (Browser Helper Object). It attempts to lower Internet Explorer security settings and monitor user activities. It may also download and install rogue antivirus products on the system.
Installation
Trojan:Win32/Conhook.N usually arrives on the system as a file dropped by other malware, under a random file name.
It modifies the system registry so that it automatically runs every time Windows starts up:
Adds value: <random string>
With data: "rundll32 <DLL file name> run"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
It also creates the mutex RTMXN653427485934.
It may create one or more of the following registry keys:
HKLM\Software\Microsoft\MS Juan
HKLM\Software\Microsoft\MS Track System
HKLM\Software\Microsoft\Juan
HKLM\SOFTWARE\Microsoft\Con
HKLM\SOFTWARE\Microsoft\jkwslist
HKLM\SOFTWARE\Microsoft\jsearchcount
HKLM\Software\Microsoft\jn_tr_<8 random numbers>
It attempts to register itself as a BHO (Browser Helper Object) by creating one of the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<value>, where <value> is one of a fixed set of CLSIDs used by this family.
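As an added example that is not part of the original analysis, the following read-only PowerShell hunt checks a host for the installation artifacts described above: a Run value of the form "rundll32 <DLL file name> run", every registered BHO CLSID together with the DLL it loads, the family-specific keys under HKLM\Software\Microsoft, and the RTMXN653427485934 mutex. It assumes an elevated session on the host being checked and that BHOs are registered under the standard Browser Helper Objects key.

```powershell
# Added example, not from the original analysis: read-only hunt for the
# Conhook.N installation artifacts on the local host (run elevated).
$findings = @()
$meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# 1. Run values that launch a DLL as "rundll32 <DLL file name> run"
foreach ($hive in 'HKLM','HKCU') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runKey)) { continue }
    foreach ($p in (Get-ItemProperty $runKey).PSObject.Properties) {
        if ($p.Name -in $meta) { continue }   # skip provider metadata properties
        if ("$($p.Value)" -match '^\s*"?rundll32(\.exe)?"?\s+.+\s+run\s*$') {
            $findings += [pscustomobject]@{ Type='RunValue'; Location="$runKey\$($p.Name)"; Detail=$p.Value }
        }
    }
}

# 2. Every registered BHO CLSID and the DLL its InprocServer32 points at
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $server = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { '<no InprocServer32>' }
        $findings += [pscustomobject]@{ Type='BHO'; Location="$bhoKey\$clsid"; Detail=$dll }
    }
}

# 3. Family-specific marker keys under HKLM\Software\Microsoft (names from the write-up)
$markers = 'MS Juan','MS Track System','Juan','Con','jkwslist','jsearchcount'
foreach ($name in (Get-ChildItem 'HKLM:\Software\Microsoft' -ErrorAction SilentlyContinue).PSChildName) {
    if ($name -in $markers -or $name -match '^jn_tr_\d{8}$') {
        $findings += [pscustomobject]@{ Type='MarkerKey'; Location="HKLM\Software\Microsoft\$name"; Detail='present' }
    }
}

# 4. The mutex: OpenExisting throws when no object with that name exists
try {
    $mtx = [System.Threading.Mutex]::OpenExisting('RTMXN653427485934')
    $mtx.Dispose()
    $findings += [pscustomobject]@{ Type='Mutex'; Location='RTMXN653427485934'; Detail='present' }
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present
} catch [System.UnauthorizedAccessException] {
    $findings += [pscustomobject]@{ Type='Mutex'; Location='RTMXN653427485934'; Detail='present (access denied)' }
}

if ($findings.Count -eq 0) { 'No Conhook.N installation artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Any BHO entry whose DLL sits in a user-writable or temporary location, or any Run value matching the rundll32 pattern, is worth pulling for further analysis; the script changes nothing on the host.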
Payload
Modifies Internet Settings
Trojan:Win32/Conhook.N may attempt to lower security settings by accessing the Internet Security Options API and lowering the security level for the Internet zone.
Monitors User Activities
Trojan:Win32/Conhook.N may monitor user browsing behavior, for example by logging search keywords entered by the user in various search engines.
Downloads Arbitrary Files
Trojan:Win32/Conhook.N may display a pop-up window that attempts to connect to the address 85.12.43.69. This connection may then be redirected to websites that download and install rogue security programs.
It may also attempt to establish connections with several other IP addresses.
Analysis by Andrei Florin Saygo