Installation
We have seen this threat downloaded by TrojanDownloader:Win32/Kuluoz.
It can also imitate a legitimate file, such as an update, to try to trick you into downloading and running it. For example, we have seen it use the following file names:
- diskfix.exe
- dwtray.exe
- errfix.exe
- fixtool.exe
- repfix.exe
- videodl.exe
The malware installs itself to the following locations where <InfectedGUID> is your PC's GUID:
It can also modify the following registry entries to make sure that malware runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<InfectedGUID>"
With data: "C:\Documents and settings\All Users\Application data\Microsoft\<InfectedGUID>\<InfectedGUID>.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "<InfectedGUID>"
With data: "C:\Documents and settings\All Users\Application Data\Microsoft\<InfectedGUID>\<InfectedGUID>.exe"
The malware also adds the following registry entries to store its configuration information:
In subkey: HKCU\Software\<eight digit number>, for example 1DF89AC9
Sets value: "1"
With data: "C:\Documents and settings\All Users\Application data\Microsoft\<InfectedGUID>\<InfectedGUID>.exe"
In subkey: HKLM\Software\<eight digit number>, for example 1DF89AC9
Sets value: "1"
With data: "C:\Documents and settings\All Users\Application data\Microsoft\<InfectedGUID>\<InfectedGUID>.exe"
This threat will not run on your PC if it detects any of the following tools:
- JoeBox
- QEmuVirtualPC
- RFP
- Sandboxie
- SunbeltSandboxie
- ThreadExpert
- VirtualBox
- VirtualPC
- VMWare
- Wine
- WireShark
Payload
Lowers Internet Explorer security settings
The malware modifies the following registry entries to lower your Internet Explorer security settings.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1400"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1400"
With data: "0"
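As an added example, not code from the original writeup: a read-only PowerShell triage script that looks for the persistence and configuration registry entries listed under Installation and the Internet Explorer zone change listed above. It assumes the <InfectedGUID> value name is a standard GUID string and that the <eight digit number> subkey name is eight hexadecimal digits, as in the example 1DF89AC9; the value 1400 is the Active scripting setting and zone 3 and zone 1 are the Internet and Local intranet zones.

```powershell
# Added example, not code from the original writeup: read-only triage for the artifacts above.
# Assumptions: the <InfectedGUID> value name is a standard GUID string, and the
# <eight digit number> subkey name is eight hex digits, as in the example 1DF89AC9.
$findings = @()
$guidRx = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
# Executable path pattern from the writeup: ...\Microsoft\<X>\<X>.exe (same name twice)
$exeRx  = '\\Microsoft\\([^\\]+)\\\1\.exe'

# 1. Run keys: a value named <GUID> whose data is ...\Microsoft\<GUID>\<GUID>.exe
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -match $guidRx -and "$($p.Value)" -match $exeRx -and $Matches[1] -eq $p.Name) {
            $findings += "Persistence: $key value '$($p.Name)' -> $($p.Value)"
        }
    }
}

# 2. Configuration keys: HKCU/HKLM\Software\<8 hex digits> with a value named "1"
#    holding the same executable path.
foreach ($hive in 'HKCU:\Software', 'HKLM:\Software') {
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |
        ForEach-Object {
            $data = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'1'
            if ($data -and "$data" -match $exeRx) {
                $findings += "Config: $($_.Name) value '1' -> $data"
            }
        }
}

# 3. IE zones: value 1400 (Active scripting) with data 0 (Enable) in zone 3 (Internet)
#    and zone 1 (Local intranet). 0 is also the default in many configurations, so
#    report it as a hardening observation rather than proof of infection.
foreach ($zone in 3, 1) {
    $zkey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
    $v = (Get-ItemProperty -Path $zkey -Name '1400' -ErrorAction SilentlyContinue).'1400'
    if ($v -eq 0) { $findings += "IE zone ${zone}: Active scripting (1400) is enabled (0)" }
}

if ($findings.Count -eq 0) { 'No artifacts matching this writeup were found.' } else { $findings }
```

Run it in an elevated session so the HKLM\Software subkeys are readable; the script only reads the registry and does not change anything.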
Steals your personal information
We have seen this threat send the following information about your PC to a remote hacker:
- Operating system
- GUID
- Date and time zone
- Language
- Antivirus software
The malware can also steal your personal information, such as passwords stored in cookies.
We have seen it send this stolen information to the following C&C servers:
- a13-cadet.org/
- a13-shop.biz/
- g-nookle.net/
- seventh-glow.info/
Uses your PC for click fraud
We have seen this threat silently visit websites without your consent to perform click fraud by clicking on advertisements; it does this by running several instances of Internet Explorer in the background.
Analysis by Duc Nguyen