Trojan:Win32/Elvdeng.E is a DLL component of Trojan:Win32/Elvdeng - a multiple-component family that uses several different methods to attempt to change the start page of a number of popular Internet browsers. It may also open other browser windows and create Internet shortcuts on the desktop.
Installation
Win32/Elvdeng’s installer writes the following files to the %ProgramFiles%\lvegned folder:
The installer ensures that when a file with a .ghi extension is launched, sysinit.exe will be run instead by creating the following registry entry:
In subkey: HKLM\SOFTWARE\Classes\.ghi\shell\open\command
Sets value: (default)
With data: "%program_files%\lvegned\sysinit.exe"
It then launches sstatic.exe and scvhost.exe.
When sstatic.exe is run, it copies an Internet Explorer component to %ProgramFiles%\iedw.ghi. It creates a shortcut to this file at %ProgramFiles%\iedw.lnk. If the user has a Chinese version of Windows, it will move the file to C:\Documents and Settings\All Users\「开始」菜单\程序\启动\iedw.lnk (which is the Chinese equivalent of %common_startup%\iedw.lnk, and should ensure that this file is launched each time Windows starts on these systems).
Because the Startup folder shortcut launches iedw.ghi, and the registry entry above maps .ghi files to sysinit.exe, sysinit.exe will run each time Windows starts while that registry entry is present.
When sysinit.exe is run, it injects hook.dll into the process of explorer.exe. For more details, see the Payload section below.
Payload
Modifies browser settings
When hook.dll is injected into the explorer.exe process by sysinit.exe, it hooks the RtlCreateProcessParameters API in order to monitor, and possibly alter, the command line of newly created processes. If the new process is one of the Internet browsers listed in config.ini, it checks whether the command line parameters contain the string “taobao”. If they do not, it replaces the command line parameter with a URL specified in config.ini. One example observed at the time of publication used the start page 2677cn.info and the following list of browsers:
- iexplore
- 360se
- Firefox
- SogouExplorer
- Opera
- TTraveler
- Maxthon
- TheWorld
- Chrome
This ensures that when these browsers are launched, they will display a page from the URL specified by the malware, instead of any other URL that may have otherwise been requested at launch. If the browser is launched from the desktop Internet shortcut described below, or with any other URL containing the string “taobao”, the page displayed will be unchanged.
Other components of Win32/Elvdeng, such as Trojan:Win32/Elvdeng.C and Trojan:Win32/Elvdeng.D, may use additional methods to change the page displayed on browser startup. See the Trojan:Win32/Elvdeng family description for more details.
Opens browser windows
During installation, the malware may open an Internet Explorer window to a site such as xiazai189.com.
Other components of Win32/Elvdeng may open additional browser windows. See the Trojan:Win32/Elvdeng family description for more details.
Creates desktop shortcut
When sysinit.exe is run, it creates an Internet shortcut on the desktop by placing a file named 淘宝-特卖.url [translates to “taobao special.url”] in the %common_desktop% directory. This file uses the taobao.ico file installed earlier as its icon. At the time of publication, the shortcut linked to a page with the file name taobao.html on the server xihao.net.
Analysis by David Wood