TrojanDownloader:Win32/Conhook.AF is a trojan that injects its code into running processes, terminates specific security services and downloads and executes arbitrary files (which may include additional malware).
Installation
Upon execution, Conhook.AF creates the mutexes "vmc_mm" and "vmc_pm". The trojan copies itself to the Windows system folder using a file name of the following form:
__c00<random 5 character>.dat
Below are examples of file names used by this trojan:
<system folder>\__c003004F.dat
<system folder>\__c008422e.dat
The registry is modified so that the dropped copy is loaded as an AppInit DLL (DLLs listed in this value are loaded by user32.dll into every process that loads it):
Adds value: AppInit_DLLs
With data: "<system folder>\<malware name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
where <malware name> is the file name of the dropped copy, for example __c003004F.dat. The following subkey is also created:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
where <malware name> is that file name without its extension, for example:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c003004F
The following values and data are created so that the dropped trojan copy is installed as a Winlogon notification package. Winlogon loads each registered package at startup and calls the DLL exports named by the Startup and Logon values (here both "B") when those events occur:
Adds value: Asynchronous
With data: "0x00000001"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
Adds value: DllName
With data: "<system folder>\<malware name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
Adds value: Impersonate
With data: "0x00000000"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
Adds value: Startup
With data: "B"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
Adds value: Logon
With data: "B"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
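Both persistence locations above (the AppInit_DLLs value and a Winlogon notification package) are easy to triage from a registry export. The following Python script is an added example and is not code from this page or from Microsoft: it parses a constructed `reg export` dump of the relevant SOFTWARE keys and flags any entry in either location whose file name follows the `__c00` naming pattern. The sample data, including the benign-looking `crypt32chg` package used as a negative case, is constructed for the example, and the assumption that the five random characters are hexadecimal digits is taken from the two file names listed above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export` (.reg) dump covering the two persistence
# locations named in the description. It is not data from the page or from a
# real infection: the Conhook entries reproduce the values listed above, and the
# "crypt32chg" package is a constructed, benign-looking negative case.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\__c003004F.dat"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chg]
"Asynchronous"=dword:00000000
"DLLName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c003004F]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\__c003004F.dat"
"Impersonate"=dword:00000000
"Startup"="B"
"Logon"="B"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Naming pattern from the "Installation" section: __c00 + 5 random characters + .dat.
# Both file names on the page are hexadecimal, so hex digits are assumed here.
CONHOOK_NAME = re.compile(r"__c00[0-9a-f]{5}$", re.IGNORECASE)

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"


def _stem(path: str) -> str:
    """Last path component without its extension ('C:\\x\\__c003004F.dat' -> '__c003004F')."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax written by `reg export`: [key] headers followed
    by "name"=value lines. Quoted strings have their \\\\ and \\" escaping undone;
    other value types (e.g. dword:00000001) are kept as the raw token."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = value
    return keys


def find_conhook_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (location, dll) pairs for Conhook-style entries in both persistence spots."""
    hits: List[Tuple[str, str]] = []

    # 1. AppInit_DLLs: everything listed here is loaded into each process that loads
    #    user32.dll, so one value gives the trojan process-wide reach. The value may
    #    hold several paths separated by spaces or commas.
    appinit = keys.get(WINDOWS_KEY, {}).get("AppInit_DLLs", "")
    for dll in re.split(r"[ ,;]+", appinit.strip()):
        if dll and CONHOOK_NAME.search(_stem(dll)):
            hits.append(("AppInit_DLLs", dll))

    # 2. Winlogon notification packages: one subkey per package under Winlogon\Notify,
    #    with DllName naming the DLL. Flag a package if either the subkey name or the
    #    DllName stem follows the __c00xxxxx pattern; value names are case-insensitive,
    #    so DllName and DLLName must both be accepted. Matching on the stem means a
    #    copy renamed with another extension is still caught.
    for key, values in keys.items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        subkey = key[len(NOTIFY_PREFIX):]
        dllname = next((v for n, v in values.items() if n.lower() == "dllname"), "")
        if CONHOOK_NAME.search(subkey) or CONHOOK_NAME.search(_stem(dllname)):
            hits.append(("Winlogon\\Notify\\" + subkey, dllname))
    return hits


if __name__ == "__main__":
    for location, dll in find_conhook_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"{location}: {dll}")
```

To run it against a live host, export the two keys with `reg export` (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`) and pass the file contents to parse_reg_export; `reg export` writes UTF-16 by default, so open the file with encoding="utf-16". A hit in either location should be followed by checking for the other, since the trojan installs both.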
Payload
Terminates Services
TrojanDownloader:Win32/Conhook.AF injects its code into running processes such as 'Explorer.exe' and 'Winlogon.exe'; code running inside Winlogon.exe executes with LocalSystem privileges. It may terminate specific security services.
Downloads Arbitrary Files
TrojanDownloader:Win32/Conhook.AF attempts to download files from a predefined Web server. At the time of this writing, the site was unavailable.
Additional Information
For more information, please see the Win32/Conhook family description elsewhere in our encyclopedia.
Analysis by Wei Li