Trojan:Win32/Duberath.A is a trojan that poses as a popular legitimate application such as Adobe Update Manager. Once installed, it may connect to a remote server, download and install additional files onto the compromised computer, and accept commands from a remote attacker.
Installation
Trojan:Win32/Duberath.A creates a mutex and drops a copy of itself, with the hidden file attribute set, into the logged-on user's temporary folder, for example:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\adobeupdater.exe
The trojan makes the following registry modifications to ensure it executes at each Windows start and user logon:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Adobe Update Manager"
With data: "<Malware File>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Adobe Update Manager"
With data: "<Malware File>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,<Malware File>"
The legitimate Userinit data is "<system folder>\userinit.exe," alone; Winlogon starts every program listed in this value at each interactive logon, so the appended entry keeps running even if the Run values above are removed.
The trojan may download and install files into <system folder> with the following names:
- msconfig32.sys
- ntconf32.vxd
- ntsys32.vxd
- msimsg32.vxd
Note: The remote download sites were offline at the time of writing.
Trojan:Win32/Duberath.A adds itself to the list of applications that Windows Firewall allows to access the Internet by adding the following registry value:
In subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<Malware File>"
With data: "<Malware File>:*:Enabled:Adobe Update Manager"
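The following PowerShell script is an added hunting example and is not part of the original write-up. It checks a live Windows host, read-only, for the persistence and firewall artifacts listed in this section: the two Run values, the Userinit modification, the firewall authorized-application entry, the dropped file in user temp folders and the downloaded components in the system folder. Value names, file names and the XP/2003 temp path are taken from the write-up; the Vista-and-later temp path is an assumption added here.

```powershell
# Added hunting script, not part of the original write-up. Read-only check of a
# live Windows host for the persistence and firewall artifacts listed above.
# Run from an elevated PowerShell session. Value names, file names and the
# XP/2003 temp path come from the write-up; the Vista-and-later temp path is
# an assumption added here.

function Find-DuberathPersistence {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$what, [string]$where, [string]$data) {
        $findings.Add([pscustomobject]@{ Indicator = $what; Location = $where; Data = $data })
    }

    # 1. Run-key autostart values named "Adobe Update Manager" (HKCU and HKLM).
    foreach ($key in 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $v = Get-ItemProperty -Path $key -Name 'Adobe Update Manager' -ErrorAction SilentlyContinue
        if ($v) { Add-Finding 'Run value "Adobe Update Manager"' $key ($v.'Adobe Update Manager') }
    }

    # 2. Winlogon\Userinit. The clean data is a single entry, "<system folder>\userinit.exe,"
    #    (trailing comma included). Every program listed after that comma is started by
    #    Winlogon at each interactive logon, which is where the trojan appends itself.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = [string](Get-ItemProperty -Path $winlogon -Name 'Userinit').Userinit
    $entries  = @($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries.Count -ne 1 -or $entries[0] -notmatch '\\userinit\.exe$') {
        Add-Finding 'Unexpected Userinit entry' "$winlogon\Userinit" $userinit
    }

    # 3. Windows Firewall authorized-application list (the XP/2003 firewall stores it here;
    #    CurrentControlSet resolves to the ControlSet00N the system booted from).
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (Test-Path $fwKey) {
        $list = Get-Item -Path $fwKey
        foreach ($name in $list.GetValueNames()) {
            $data = [string]$list.GetValue($name)
            if ($data -match 'Adobe Update Manager' -or $name -match 'adobeupdater\.exe$') {
                Add-Finding 'Firewall authorized application' $fwKey "$name = $data"
            }
        }
    }

    # 4. Files: the hidden dropper in any user's temp folder and the components the
    #    trojan downloads into the system folder. -Force is needed to list hidden files.
    $sysDir = [Environment]::GetFolderPath('System')
    foreach ($n in 'msconfig32.sys', 'ntconf32.vxd', 'ntsys32.vxd', 'msimsg32.vxd') {
        $p = Join-Path $sysDir $n
        if (Test-Path -LiteralPath $p) { Add-Finding 'Downloaded component present' $p '' }
    }
    $tempPatterns = @(
        "$env:SystemDrive\Documents and Settings\*\Local Settings\Temp\adobeupdater.exe",  # XP/2003 layout (write-up)
        "$env:SystemDrive\Users\*\AppData\Local\Temp\adobeupdater.exe"                     # Vista+ layout (assumption)
    )
    foreach ($f in Get-ChildItem -Path $tempPatterns -Force -ErrorAction SilentlyContinue) {
        Add-Finding 'Dropped file' $f.FullName "Attributes=$($f.Attributes)"
    }

    return $findings
}

$hits = @(Find-DuberathPersistence)
if ($hits.Count -eq 0) { 'No Duberath.A persistence indicators found.' } else { $hits | Format-Table -AutoSize }
```

Two caveats when reading the results. The AuthorizedApplications\List key is where the Windows XP SP2 and Server 2003 firewall keeps its exceptions; Windows Vista and later store rules under ...\FirewallPolicy\FirewallRules instead, so an absent List key on a newer system is not evidence that the trojan is absent. And a Userinit value with only the standard entry but pointing somewhere other than the system folder is also suspicious, which is why the check matches on the file name rather than the full path.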
Payload
Allows backdoor access and control
This trojan opens a backdoor on the compromised computer by attempting to connect to the following remote servers on TCP port 80 or 8585. All of them are dynamic DNS hostnames, so the IP addresses they resolve to can change at any time; match on the names rather than on addresses:
- adobe.ath.cx:80
- tyuqwer.dyndns.org:80
- google.homeunix.com:80
- google.homeunix.com:8585
- ymail.ath.cx:8585
- voanews.ath.cx:8585
- danchimviet.dnsalias.org:8585
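The following PowerShell example is added here and is not part of the original write-up. It matches the C2 hostnames and the unusual port above against a host's DNS resolver cache and TCP connection table. Both functions take text rather than running commands themselves, so they can be exercised on the constructed sample lines included in the block; the live commands to feed them are shown at the end. The sample output is constructed for illustration, not captured from a real infection.

```powershell
# Added example, not part of the original write-up: match the C2 hostnames and
# ports listed above against a host's DNS resolver cache and TCP connection table.
# The two functions take text so they can be exercised on the constructed sample
# lines below; the live commands to feed them are shown at the end.

$DuberathHosts = 'adobe.ath.cx', 'tyuqwer.dyndns.org', 'google.homeunix.com',
                 'ymail.ath.cx', 'voanews.ath.cx', 'danchimviet.dnsalias.org'

function Find-DnsCacheHits([string[]]$DisplayDnsLines) {
    # "ipconfig /displaydns" prints one block per cached record, with a line such as
    # "    Record Name . . . . . : google.homeunix.com". A cached record for one of
    # the C2 names means something on this host resolved it recently.
    foreach ($line in $DisplayDnsLines) {
        if ($line -match '^\s*Record Name[ .]*:\s*(\S+)\s*$') {
            $name = $Matches[1].TrimEnd('.')
            if ($name -in $DuberathHosts) { $name }
        }
    }
}

function Find-SuspectConnections([string[]]$NetstatLines) {
    # "netstat -ano" rows: Proto, Local Address, Foreign Address, State, PID.
    # Port 80 is far too common to flag on its own, so a connection is reported when
    # the remote port is 8585 or the remote endpoint is one of the C2 names (names
    # appear only when netstat runs without -n, e.g. "netstat -ao").
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+\S+\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            $remote = $Matches[1]; $port = [int]$Matches[2]
            if ($port -eq 8585 -or $remote -in $DuberathHosts) {
                $procId = [int]$Matches[4]
                [pscustomobject]@{
                    Remote    = $remote
                    Port      = $port
                    State     = $Matches[3]
                    ProcessId = $procId
                    Image     = (Get-Process -Id $procId -ErrorAction SilentlyContinue).Path
                }
            }
        }
    }
}

# Constructed sample output (not captured from a real infection) to show the matching:
$sampleDns = @(
    '    Record Name . . . . . : www.microsoft.com',
    '    Record Type . . . . . : 1',
    '    Record Name . . . . . : google.homeunix.com'
)
$sampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    192.168.1.20:1045      203.0.113.7:8585       ESTABLISHED     1844',
    '  TCP    192.168.1.20:1046      198.51.100.9:443       ESTABLISHED     2216'
)
Find-DnsCacheHits $sampleDns
Find-SuspectConnections $sampleNetstat | Format-Table -AutoSize

# On a live host, feed the real command output instead:
#   Find-DnsCacheHits (ipconfig /displaydns)
#   Find-SuspectConnections (netstat -ano)
```

The sample data contains one cached C2 name and one connection to port 8585, which is what the two calls pick out. Because the C2 names are dynamic DNS entries, a port-80 connection can only be tied to this trojan by correlating it with the DNS cache hit or with the owning process (the Image column, which on an infected host would point at the dropped adobeupdater.exe). On Windows 8 and later, Get-DnsClientCache and Get-NetTCPConnection return the same information as objects and can replace the text parsing.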
Using this backdoor, an attacker can perform a number of actions on the affected computer, for example:
- Download and execute arbitrary files
- Upload files
- Take screen captures
Analysis by Gilou Tenebro