Threat behavior
Trojan:Win32/ServStart.A is a trojan that allows limited remote access and control and that connects to a remote server to report its installation on an affected computer.
Installation
Trojan:Win32/ServStart.A may be downloaded and executed by other malware. When run, this trojan copies itself to the Windows system folder and creates a service to run the dropped trojan copy at each Windows start.
One observed example of the installed trojan is "%systemroot%\system32\lyxrym.exe" with a corresponding service name of "svhost".
Payload
Downloads arbitrary files
This trojan attempts to download and run executables from a predefined remote server address such as "monn1.3322.org" or variations of the "3322.org" domain. Files retrieved are saved to the local drive before being run, such as "c:\window.exe". The downloaded file was observed to be detected as Trojan:Win32/ServStart.A.
Sends data to a remote server
Trojan:Win32/ServStart.A attempts to connect to a remote server to report its installation and other information about the infected machine, such as the OS version, computer name, CPU speed and memory size. One observed notification server is 616230.8866.org.
Retrieves instructions
While connected to a remote server, the trojan also retrieves commands to execute. Trojan:Win32/ServStart.A may perform the following actions depending on the commands retrieved:
- Download and upload files to and from remote server
- Open a specific URL with Internet Explorer (iexplore.exe)
- Execute files
- Update or uninstall itself
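The indicators quoted above (the service name, the dropped file name and the 3322.org / 8866.org servers) can be turned into simple host and network checks. The following is an added example, not code from the analysis or from Microsoft; the DNS log format and the service inventory records it parses are assumed, and the sample data is constructed.

```python
import re

# Indicators quoted from the write-up above. The text says the download
# server varies across the 3322.org domain, so any host under it is matched.
C2_HOSTS = {"monn1.3322.org", "616230.8866.org"}
C2_DOMAIN_SUFFIXES = ("3322.org",)
DROPPED_BINARY = "lyxrym.exe"    # observed at %systemroot%\system32\lyxrym.exe
DROPPED_SERVICE = "svhost"       # lookalike of the legitimate svchost.exe

def suspicious_host(qname: str) -> bool:
    """True if a queried name is an observed C2 host or sits under 3322.org."""
    host = qname.lower().rstrip(".")   # DNS logs often carry a trailing dot
    if host in C2_HOSTS:
        return True
    return any(host == s or host.endswith("." + s) for s in C2_DOMAIN_SUFFIXES)

# Assumed (hypothetical) log format: "<date> <time> <client-ip> query <qname>"
DNS_LINE = re.compile(r"^(\S+ \S+) (\S+) query (\S+)$")

def scan_dns_log(lines):
    """Return (client, host) pairs for queries that match the indicators."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and suspicious_host(m.group(3)):
            hits.append((m.group(2), m.group(3).lower().rstrip(".")))
    return hits

def check_services(services):
    """services: iterable of {"name": ..., "path": ...} from a service inventory.
    Flags the observed service name or the dropped binary name in the path."""
    flagged = []
    for svc in services:
        name = svc["name"].lower()
        path = (svc["path"] or "").lower()
        if name == DROPPED_SERVICE or ("\\" + DROPPED_BINARY) in path:
            flagged.append((svc["name"], svc["path"]))
    return flagged

# Constructed sample data, not real telemetry.
SAMPLE_DNS_LOG = """\
2024-01-01 10:00:01 10.0.0.5 query www.microsoft.com.
2024-01-01 10:00:02 10.0.0.5 query monn1.3322.org.
2024-01-01 10:00:03 10.0.0.9 query 616230.8866.org.
2024-01-01 10:00:04 10.0.0.7 query abc.3322.org.
""".splitlines()
SAMPLE_SERVICES = [
    {"name": "wuauserv", "path": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"name": "svhost", "path": r"C:\Windows\system32\lyxrym.exe"},
]

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS_LOG))
    print(check_services(SAMPLE_SERVICES))
```

The DNS check matches the whole 3322.org domain deliberately, so expect to review hits rather than block on them blindly; the service check is the one that ties a host to this specific family.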
Analysis by Shawn Wang
Prevention