Trojan:Win32/Ilomo.gen!A is a trojan that may arrive on a system after being dropped by other malware. It injects code into an Internet Explorer process and connects to various Web sites, possibly to download other malware components.
Installation
Upon execution, TrojanDropper:Win32/Ilomo drops Trojan:Win32/Ilomo.gen!A into the user's Application Data folder using one of the following file names:
- dumpreport.exe
- msiexeca.exe
- svchosts.exe
- upnpsvc.exe
- service.exe
- taskmon.exe
- rundll.exe
- helper.exe
- event.exe
- logon.exe
- sound.exe
- lsas.exe
Note that these file names are similar to the file names used by legitimate system processes (such as "lsass.exe", "svchost.exe", and "services.exe").
The dropper also modifies the system registry so that Win32/Ilomo.gen!A automatically runs every time Windows starts:
Adds value: "<value>"
With data: "%AppData%\<malware name>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
where <malware name> is one of the above possible file names and <value> is one of the following:
- CrashDump
- svchosts
- EventLog
- TaskMon
- Windows
- RunDll
- System
- Setup
- Sound
- lsass
- UPNP
- Init
Trojan configuration data is stored in the following registry subkey:
HKCU\Software\Microsoft\Internet Explorer\Settings
Numerous registry values are created under this subkey, including the following:
- GID
- GatesList
- KeyE
- KeyM
- M00 through MFF (M00, M01, M02, M03, ..., M0F, ..., MFF)
- PID
The trojan launches the Internet Explorer Web browser with specific strings as command-line parameters. It then locates those strings in the new process's memory and executes its payload routines within the "iexplore.exe" process memory space.
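The persistence entry and configuration subkey described above can be checked offline against a registry export. The following is an added example, not part of the original analysis: it parses a simplified .reg export (string values only, a constructed sample rather than a real capture) and reports the Run value only when the value name, the %AppData% location and the dropped file name all match, plus any of the configuration values under the Internet Explorer Settings subkey.

```python
import re

# Indicators from the description above (file names, Run value names, registry keys).
DROPPED_NAMES = set("dumpreport.exe msiexeca.exe svchosts.exe upnpsvc.exe service.exe taskmon.exe "
                    "rundll.exe helper.exe event.exe logon.exe sound.exe lsas.exe".split())
RUN_VALUE_NAMES = set("CrashDump svchosts EventLog TaskMon Windows RunDll "
                      "System Setup Sound lsass UPNP Init".split())
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SETTINGS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings"
CONFIG_VALUE_RE = re.compile(r"^(GID|PID|KeyE|KeyM|GatesList|M[0-9A-F]{2})$")

def parse_reg_export(text):
    """Minimal .reg parser: returns {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double the backslashes inside quoted string data
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def find_ilomo_indicators(reg_text):
    """Return findings for the Ilomo persistence entry and configuration values."""
    findings, keys = [], parse_reg_export(reg_text)
    for name, data in keys.get(RUN_KEY, {}).items():
        exe = data.lower().rsplit("\\", 1)[-1]
        # Require value name, %AppData% location and file name to all match, so a
        # benign autorun that shares one attribute (e.g. "Windows") is not flagged.
        if name in RUN_VALUE_NAMES and "%appdata%" in data.lower() and exe in DROPPED_NAMES:
            findings.append(f"Run value '{name}' -> {data}")
    cfg = keys.get(SETTINGS_KEY, {})
    hits = sorted(v for v in cfg if CONFIG_VALUE_RE.match(v))
    if "GatesList" in cfg or any(v.startswith("M") for v in hits):
        findings.append("IE Settings config values: " + ", ".join(hits))
    return findings

# Constructed sample export (not a real capture): one benign autorun entry plus
# the trojan's persistence value and three of its configuration values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"CrashDump"="%AppData%\\dumpreport.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings]
"GID"="00000001"
"GatesList"=hex:77,65,62
"M00"=hex:4d,5a
'''
```

On a live system the same checks can be run against `reg export HKCU` output; binary (hex:) values are reported by name only, which is enough to flag the stored components.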
Payload
Downloads malicious components
Trojan:Win32/Ilomo.gen!A launches "iexplore.exe" and injects code into this process. The trojan then uses the data stored in the registry value "GatesList" under the following registry subkey as a list of remote Web sites from which to download additional, encrypted malware components:
HKCU\Software\Microsoft\Internet Explorer\Settings
In the wild, this trojan was observed connecting to the following remote Web sites:
- webmail.re-factoring.cn
- secure.loderunner.in
- pop3.re-factoring.cn
The downloaded malware components are not stored on disk, but in the created registry values "M00" through "MFF" in the registry subkey "HKCU\Software\Microsoft\Internet Explorer\Settings". Some of the malware components downloaded include the following:
- proxy server
- password stealer
- Web traffic sniffer
- network spreading mechanism
The Web traffic sniffer component may capture HTTP POST data and may inject imitation logon pages in order to capture user logon credentials.
Spreads to other computers across a network
If the network spreading component is downloaded and executed, it can run an embedded copy of "PSEXEC.exe" to remotely execute a copy of the trojan dropper on each machine found on the network.
Analysis by Andrei Florin Saygo & Aaron Putnam