Trojan:Win32/Pasich.A is the detection for the DLL file component of a multi-component trojan downloader. Its main function is to download and execute arbitrary files.
Installation
Trojan:Win32/Pasich.A checks if it has been loaded by any of the following processes, in which case it exits:
- combofix.exe
- otscanit.exe
- mbam-setup.exe
- winlogon.exe
- lsass.exe
- services.exe
- spoolsv.exe
- inetinfo.exe
- alg.exe
- wuauclt.exe
- explorer.exe
- ctfmon.exe
Trojan:Win32/Pasich.A may do this to avoid detection or to ensure that it is loaded by a specific process.
This trojan creates a mutex named "TdlStartMutex". It then begins a new thread, which checks for Internet connection by attempting to contact www.microsoft.com.
Payload
Modifies System Settings
Trojan:Win32/Pasich.A may attempt to modify the following registry value related to the Internet security zone:
Changes value: "1400"
With data: "0"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
It then makes several modifications to the system registry:
Adds values: "affid", "subid", "control", "prov", "googleadserver", and "flagged"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData
It also checks if it has been loaded by the following processes:
- iexplore.exe
- myie2.exe
- maxthon.exe
If not, it tries to hook some functions so OCX files are automatically installed and loaded without the user being prompted. These types of files are commonly loaded when viewing web pages, and can be used to run arbitrary code on the system.
Downloads and Executes Arbitrary Files
Trojan:Win32/Pasich.A contacts the following remote sites and attempts to download files, possibly including new components of itself:
- update.microsofttransfer.com
- ncompalusa.com
- 72.232.212.29
- 58.65.234.194
Trojan:Win32/Pasich.A may download remote configuration data that may be used to modify browser behavior, including user search requests. This data may be saved to <system folder>\clbinit.dll.
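The indicators above (the "TdlStartMutex" mutex, the Zone 3 value "1400" set to 0, the clbImageData subkey and its values, the clbinit.dll file, and the remote hosts) can be checked on a suspect Windows host with the following PowerShell triage script. It is an added example and is not part of the Microsoft write-up; the function and variable names are the author's own, and it assumes that <system folder> means %SystemRoot%\System32, that the mutex may live in either the session or the Global\ namespace, and that the DnsClient and NetTCPIP modules are available (Windows 8 / Server 2012 or later). The registry paths, value names, mutex name, file name, domains and IP addresses are exactly those listed in the write-up.

```powershell
# Added host triage for the Trojan:Win32/Pasich.A indicators in the write-up.
# Run from an elevated PowerShell session on the host being examined.
function Test-PasichIndicators {
    $findings = @()

    # 1. Internet zone (Zone 3) value "1400" forced to 0 under HKLM.
    $zonePath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $zone = Get-ItemProperty -Path $zonePath -Name '1400' -ErrorAction SilentlyContinue
    if ($zone -and $zone.'1400' -eq 0) {
        $findings += "Zone 3 value 1400 is 0 at $zonePath"
    }

    # 2. clbImageData subkey carrying the configuration values the trojan adds.
    $clbPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData'
    if (Test-Path -Path $clbPath) {
        $present = (Get-Item -Path $clbPath).GetValueNames()
        $hits = @('affid', 'subid', 'control', 'prov', 'googleadserver', 'flagged') |
            Where-Object { $present -contains $_ }
        if ($hits) { $findings += "clbImageData present with values: $($hits -join ', ')" }
    }

    # 3. Dropped configuration file. Assumption: <system folder> is System32.
    $clbFile = Join-Path -Path $env:SystemRoot -ChildPath 'System32\clbinit.dll'
    if (Test-Path -Path $clbFile) {
        $sha256 = (Get-FileHash -Path $clbFile -Algorithm SHA256).Hash
        $findings += "clbinit.dll present: $clbFile (SHA256 $sha256)"
    }

    # 4. Mutex held by a running instance. The write-up gives only the bare
    #    name, so both the session-local and Global\ namespaces are tried.
    foreach ($mutexName in @('TdlStartMutex', 'Global\TdlStartMutex')) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($mutexName)
            $m.Dispose()
            $findings += "Mutex $mutexName exists (trojan thread likely running)"
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # Not present in this namespace: nothing to report.
        } catch {
            # Access denied or similar: report as unknown rather than clean.
            $findings += "Could not open mutex ${mutexName}: $($_.Exception.GetType().Name)"
        }
    }

    # 5. Resolver cache entries for the download hosts named in the write-up.
    $downloadHosts = @('update.microsofttransfer.com', 'ncompalusa.com')
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($hn in $downloadHosts) {
        if ($cache | Where-Object { $_.Entry -eq $hn }) { $findings += "DNS cache contains $hn" }
    }

    # 6. Live TCP connections to the IP addresses named in the write-up.
    $downloadIps = @('72.232.212.29', '58.65.234.194')
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $downloadIps -contains $_.RemoteAddress }
    foreach ($c in $conns) {
        $findings += "TCP connection to $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess)"
    }

    return $findings
}

$result = Test-PasichIndicators
if ($result.Count -eq 0) { 'No Trojan:Win32/Pasich.A indicators found' } else { $result }
```

A clean result from this script does not prove the host is clean: the hosts list and file name are only what this particular sample used, and a running instance that has already exited (for example because it was loaded by one of the processes in the exclusion list) leaves no mutex behind. Treat any single hit as grounds for a full image and memory capture rather than as a complete verdict.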
Analysis by Patrik Vicol