Trojan:Win32/Elvdeng.D is a component of Trojan:Win32/Elvdeng, a multiple-component family that uses several different methods to attempt to change the start page of a number of popular Internet browsers. It may also open other browser windows and create Internet shortcuts on the desktop.
Installation
Win32/Elvdeng’s installer writes the following files to the %ProgramFiles%\lvegned folder:
The installer ensures that when a file with a .ghi extension is launched, sysinit.exe will be run instead by creating the following registry entry:
In subkey: HKLM\SOFTWARE\Classes\.ghi\shell\open\command
Sets value: (default)
With data: "%program_files%\lvegned\sysinit.exe"
It then launches sstatic.exe and scvhost.exe.
When sstatic.exe is run, it copies an Internet Explorer component to %ProgramFiles%\iedw.ghi. It creates a shortcut to this file at %ProgramFiles%\iedw.lnk. If the user has a Chinese version of Windows, it will move the file to C:\Documents and Settings\All Users\「开始」菜单\程序\启动\iedw.lnk (which is the Chinese equivalent of %common_startup%\iedw.lnk, and should ensure that this file is launched each time Windows starts on these systems).
If the aforementioned registry entry is present, sysinit.exe will run each time Windows starts.
When sysinit.exe is run, it injects hook.dll into the process of explorer.exe. For more details, see the Payload section below.
Payload
Modifies browser settings
Sysinit.exe changes the Internet Explorer start page to a value specified in config.ini, by making the following registry modification:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: <URL>
One example observed at the time of publication changed the start page to 2677cn.info.
Scvhost.exe reads a list of commonly used Internet browsers from the config.ini file. It then monitors running processes to detect when a new process is launched for one of these browsers. When this occurs, it terminates the new browser process and launches another browser process displaying a page specified by config.ini. One config.ini file observed at the time of publication displayed a page from ucgm8.info and used the following list of browsers:
- iexplore
- 360se
- Firefox
- SogouExplorer
- Opera
- TTraveler
- Maxthon
- TheWorld
- Chrome
When hook.dll is injected into the explorer.exe process by sysinit.exe, it hooks the RtlCreateProcessParameters API in order to monitor, and possibly alter, the command line of newly created processes. If the new process is one of the Internet browsers listed above, it will check whether the command line parameters contain the string “taobao”. If not, it will replace the command line parameter with a URL specified in the config.ini file. This URL is the same as that used for the start page registry entry above (for example, 677cn.info).
This ensures that when these browsers are launched, they will display a page from the URL specified by the malware, instead of any other URL that may have otherwise been requested at launch. If the browser is launched from the desktop Internet shortcut described in the 'Creates desktop shortcut' section below, or with any other URL containing the string “taobao”, the page displayed will be unchanged.
Other components of Win32/Elvdeng, such as Trojan:Win32/Elvdeng.C, may use additional methods to change the page displayed on browser startup. See the Trojan:Win32/Elvdeng family description for more details.
Opens browser windows
During installation, the malware may open an Internet Explorer window to a site such as xiazai189.com.
Other components of Win32/Elvdeng may open additional browser windows. See the Trojan:Win32/Elvdeng family description for more details.
Creates desktop shortcut
When sysinit.exe is run, it creates an Internet shortcut on the desktop by placing a file named 淘宝-特卖.url [translates to “taobao special.url”] in the %common_desktop% directory. This file uses the taobao.ico file installed earlier as its icon. At the time of publication, the shortcut linked to a page with the file name taobao.html on the server xihao.net. The icon it uses is similar to the following:
[icon image not reproduced]
This appears to be an attempt to masquerade as a link to the Chinese online shopping and auction site taobao.com.
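As an added example (not part of the original description), the following PowerShell function performs a read-only triage of a Windows host for the indicators described above: the hijacked .ghi association, the dropped lvegned folder and staged iedw files, the rewritten Internet Explorer start page, the decoy .url shortcut, the running components, and hook.dll loaded in explorer.exe. The function name, the domain regex built from the domains quoted in this description, and the use of the locale-independent CommonStartup and CommonDesktopDirectory special folders (to cover the Chinese-locale paths) are assumptions of this example.

```powershell
# Added example, not from the original write-up: read-only triage for the
# Win32/Elvdeng.D indicators described above. Run elevated on the suspect host.
# Assumptions: function name, the domain regex, and use of the locale-independent
# CommonStartup / CommonDesktopDirectory folders for the Chinese-path cases.
function Test-ElvdengIndicators {
    $findings = @()
    $knownDomains = '677cn\.info|ucgm8\.info|xihao\.net'   # domains quoted in the description

    # 1. File-association hijack: launching any .ghi file runs sysinit.exe instead
    $assoc = 'HKLM:\SOFTWARE\Classes\.ghi\shell\open\command'
    $cmd = (Get-ItemProperty -Path $assoc -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -match 'lvegned\\sysinit\.exe') { $findings += "Hijacked .ghi handler: $cmd" }

    # 2. Dropped component folder and staged Internet Explorer copy / startup link
    $paths = @((Join-Path $env:ProgramFiles 'lvegned'),
               (Join-Path $env:ProgramFiles 'iedw.ghi'),
               (Join-Path $env:ProgramFiles 'iedw.lnk'),
               (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'iedw.lnk'))
    foreach ($p in $paths) { if (Test-Path $p) { $findings += "Artifact present: $p" } }

    # 3. IE start page rewritten (HKCU = current user only; check other user hives offline)
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $start = (Get-ItemProperty -Path $main -ErrorAction SilentlyContinue).'Start Page'
    if ($start -match $knownDomains) { $findings += "Start Page points at known domain: $start" }

    # 4. Decoy Taobao .url shortcut on the all-users desktop (the file name is Chinese,
    #    so match on the target URL inside the file rather than on the name)
    $desk = [Environment]::GetFolderPath('CommonDesktopDirectory')
    Get-ChildItem -Path $desk -Filter '*.url' -ErrorAction SilentlyContinue |
        Where-Object { (Get-Content -Path $_.FullName -Raw) -match $knownDomains } |
        ForEach-Object { $findings += "Decoy shortcut: $($_.FullName)" }

    # 5. Live components, and hook.dll injected into explorer.exe (needs 64-bit PowerShell on x64)
    Get-Process -Name sysinit, sstatic, scvhost -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Running: $($_.Name) PID $($_.Id) $($_.Path)" }
    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        $inj = $_.Modules | Where-Object { $_.ModuleName -ieq 'hook.dll' }
        if ($inj) { $findings += "hook.dll loaded in explorer.exe PID $($_.Id): $($inj.FileName)" }
    }

    return $findings
}

Test-ElvdengIndicators
```

An empty result means none of the listed indicators were found for the current user and machine hives; a non-empty result is a starting point for the analyst, not proof of a full infection, since other Elvdeng components use different artifacts.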
Analysis by David Wood