Threat behavior
Trojan:Win32/Dogrobot.A is a trojan that installs a trojan downloader, terminates security-related services and processes, and may spread to other computers across a network by exploiting a vulnerability mitigated by Microsoft Security Bulletin MS08-067.
Installation
Trojan:Win32/Dogrobot.A may be installed by other malware such as Backdoor:Win32/Farfli.I. This trojan may be present as a DLL component in the Windows folder, with names such as the following:
%windir%\jiocs.dll
%windir%\winsp.dll
Spreads Via…
Networked computers
This trojan may attempt to spread to other computers across a network by exploiting a vulnerability mitigated by Microsoft Security Bulletin MS08-067. The malware attempts to send exploit code that attacks the Windows Server service on discovered vulnerable computers. If the malware can successfully exploit the target computer, it could execute remote code that installs a copy of the malware.
Payload
Installs TrojanDownloader:Win32/Perkesh.gen!A
When Trojan:Win32/Dogrobot.A is run, it drops the following malware:
%windir%\System32\windowsjiocs.dll - Trojan:Win32/Dogrobot.A
The dropped component "windowsjiocs.dll" is then executed using the Windows utility "rundll32.exe". The component "migsni.sys" is installed as a service and may be present under the name "Kisstusb".
Terminates processes
Trojan:Win32/Dogrobot.A attempts to kill the following security-related processes if they are running:
kavstart.exe
kissvc.exe
kmailmon.exe
kpfw32.exe
kpfwsvc.exe
kwatch.exe
ccenter.exe
ras.exe
rstray.exe
rsagent.exe
ravtask.exe
ravstub.exe
ravmon.exe
ravmond.exe
avp.exe
360safebox.exe
360Safe.exe
Thunder5.exe
Downloads other malware
This trojan may attempt to download files or a list of linked files from the website "mck.o0oq.cn".
Analysis by Hong Jia
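The artifacts described above (the DLL paths, the rundll32.exe launch of "windowsjiocs.dll", the "Kisstusb" service backed by "migsni.sys", and lookups of "mck.o0oq.cn") can be matched against endpoint telemetry. The following Python is an added example, not part of the original analysis; the event schema, the host names and the assumption that %windir% resolves to \Windows are illustrative.

```python
import ntpath

# Indicators from the description above; %windir% is assumed to be \Windows.
ARTIFACT_PATHS = {r"\windows\jiocs.dll", r"\windows\winsp.dll",
                  r"\windows\system32\windowsjiocs.dll"}
DROPPED_DLL, DRIVER, SERVICE = "windowsjiocs.dll", "migsni.sys", "kisstusb"
DOWNLOAD_HOST = "mck.o0oq.cn"

def _norm(path):
    """Lower-case a Windows path and drop quotes and the drive letter."""
    return ntpath.splitdrive(path.strip('"'))[1].lower()

def match_event(ev):
    """Return a reason string if ev matches a documented artifact, else None."""
    kind = ev["type"]
    if kind == "file_create" and _norm(ev["path"]) in ARTIFACT_PATHS:
        return "artifact written: " + _norm(ev["path"])
    if kind == "process_create" and DROPPED_DLL in ev["cmdline"].lower():
        if ntpath.basename(_norm(ev["image"])) == "rundll32.exe":
            return "rundll32.exe loading " + DROPPED_DLL
    if kind == "service_install":
        image = ntpath.basename(_norm(ev["image_path"]))
        if ev["name"].lower() == SERVICE or image == DRIVER:
            return "service installed: " + ev["name"]
    if kind == "dns_query":
        host = ev["name"].lower().rstrip(".")
        if host == DOWNLOAD_HOST or host.endswith("." + DOWNLOAD_HOST):
            return "lookup of download host: " + host
    return None

def triage(events):
    """Group matches by host so related hits are reviewed together."""
    hits = {}
    for ev in events:
        reason = match_event(ev)
        if reason:
            hits.setdefault(ev["host"], []).append(reason)
    return hits

# Constructed sample events (not real telemetry); hosts and field names are made up.
SAMPLE = [
    {"host": "ws-01", "type": "file_create", "path": r"C:\WINDOWS\System32\windowsjiocs.dll"},
    {"host": "ws-01", "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\WINDOWS\System32\windowsjiocs.dll"},
    {"host": "ws-01", "type": "service_install", "name": "Kisstusb", "image_path": "migsni.sys"},
    {"host": "ws-02", "type": "dns_query", "name": "MCK.o0oq.cn."},
    {"host": "ws-03", "type": "file_create", "path": r"C:\Users\dev\build\winsp.dll"},
]
```

Calling `triage(SAMPLE)` returns matches for ws-01 and ws-02 only; the ws-03 file is ignored because it sits outside the Windows folder.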
Prevention