Threat behavior
Trojan:Win32/Disabler is Microsoft's detection for a trojan that disables the Windows Firewall/Internet Connection Sharing (ICS) service. It attempts to modify system settings to make its removal difficult.
Installation
Upon execution, Trojan:Win32/Disabler drops copies of itself as the following:
- <startup folder>\systemid.pif
- <system folder>\flashy.exe
Notes:
<system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
<startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
It then modifies the system registry to allow its dropped copy to automatically run every time Windows starts:
Adds value: "Flashy Bot"
With data: "<system folder>\flashy.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Modifies System Settings
Trojan:Win32/Disabler modifies the system registry to make its removal difficult. It changes the following settings:
Disables the Folder Options dialog in Windows Explorer (for example, so a user cannot change the setting that shows hidden files and folders):
Adds value: "NofolderOptions"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Prevents the user from viewing and ending processes with Task Manager:
Adds value: "DisableTaskMgr"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Prevents the user from running the Registry Editor:
Adds value: "DisableRegistryTools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Prevents the user from viewing file extensions:
Adds value: "HideFileExt"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Prevents the user from viewing files with the "hidden" attribute:
Adds value: "Hidden"
With data: "2"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Disables the Windows Firewall/Internet Connection Sharing (ICS) service, preventing the system from connecting to a network:
Adds value: "Start"
With data: "4"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
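To check a suspect host's exported registry against the artifacts listed above, here is an added Python example (not code from Microsoft's write-up): it parses a .reg export and reports which of the write-up's values are present with the described data. The sample export embedded in it is constructed, not a real capture, and the function and variable names are this example's own.

```python
import re
# Registry artifacts from the write-up as (key, value name, expected data); None for the
# Run entry means "any data ending in \flashy.exe", since <system folder> varies by OS.
INDICATORS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Flashy Bot", None),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NofolderOptions", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 2),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start", 4),
]
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')  # "name"=data; \" and \\ are escapes
unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # undo .reg backslash escaping
def parse_reg_export(text):
    """Parse a .reg export into {key.lower(): {name.lower(): data}}; dword -> int, strings unescaped."""
    keys, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            cur = keys.setdefault((HIVES.get(hive.upper(), hive) + "\\" + rest).lower(), {})
        elif cur is not None and (m := VALUE_RE.match(line)):
            name, data = unescape(m.group(1)), m.group(2)
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])
            cur[name.lower()] = data
    return keys

def find_disabler_artifacts(reg):
    """Return (key, name, data) for every indicator present with the data the write-up describes."""
    hits = []
    for key, name, expected in INDICATORS:
        data = reg.get(key.lower(), {}).get(name.lower())
        if data is not None and (data == expected or (expected is None and isinstance(data, str)
                                                      and data.lower().endswith("\\flashy.exe"))):
            hits.append((key, name, data))
    return hits

# Constructed sample export (not a real capture); DisableRegistryTools is 0 here, so it must not match.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Flashy Bot"="C:\\WINDOWS\\system32\\flashy.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''
```

Hidden=2 and HideFileExt=1 are also Explorer's default values on a clean install, so those two alone are weak evidence; the "Flashy Bot" Run entry and SharedAccess Start=4 are the stronger indicators.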
Analysis by Jireh Sanico
Prevention