TrojanDownloader:Win32/Fomish is a Trojan that downloads files related to Adware:Win32/NCast. The Trojan uses rootkit methods to protect registry settings used to load the Trojan's components.
Installation
When run, TrojanDownloader:Win32/Fomish drops two components: one that downloads programs, and one that blocks attempts to delete the registry values used to load the Trojan at Windows startup:
- <system folder>\cryptimg.dll - detected as TrojanDownloader:Win32/Fomish.gen
- <system folder>\drivers\voodoo.sys - detected as Trojan:Win32/Rootkit.N
The dropper then registers Win32/Fomish to run at Windows logon, and Win32/Rootkit.N to run as a service, even in 'Safe Mode'.
Adds key: cryptimg
Within subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
Adds key: voodoo
Within subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
It adds the following values with data, to load TrojanDownloader:Win32/Fomish.gen at Windows logon:
Asynchronous = 1
DllName = cryptimg.dll
Impersonate = 0
StartShell = CryptImgShellNotify
Within subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptimg
It adds the following values and data to subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\voodoo to create a service named 'voodoo':
DisplayName = voodoo
ErrorControl = 1
Group = File System
ImagePath = C:\WINDOWS\system32\drivers\voodoo.sys
Start = 2
Type = 1
It adds the following value with data: "(default)" = "driver" to the following subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\voodoo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\voodoo
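The two persistence locations listed above (a Winlogon Notify package and a driver service also registered under both SafeBoot profiles) can be audited offline from a registry export. The Python script below is an added example written for this page, not Microsoft's detection logic and not code from the Trojan: it parses text in the format produced by regedit's export (a constructed sample containing the keys described above), flags Notify packages and SafeBoot entries that are absent from a clean baseline, and correlates each flagged SafeBoot entry with its service ImagePath. The baseline sets are illustrative assumptions; a real one comes from a known-clean image of the same Windows build.

```python
"""Offline check for the persistence mechanisms described above: a Winlogon
Notify package and a driver service registered under the SafeBoot keys.
Input is text in the format regedit writes with 'regedit /e <file> <key>'."""
from typing import Dict, List, Tuple, Union

RegData = Union[str, int]

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Constructed baselines (assumption for this example, not a complete allow-list).
# On a real system take these from a clean image of the same Windows build.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
KNOWN_SAFEBOOT_ENTRIES = {"vga.sys", "base", "boot bus extender", "boot file system"}

# Constructed sample export. The cryptimg and voodoo keys mirror the description
# above; crypt32chain and vga.sys stand in for legitimate entries in the baseline.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptimg]
"Asynchronous"=dword:00000001
"DllName"="cryptimg.dll"
"Impersonate"=dword:00000000
"StartShell"="CryptImgShellNotify"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\voodoo]
"DisplayName"="voodoo"
"ErrorControl"=dword:00000001
"Group"="File System"
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\voodoo.sys"
"Start"=dword:00000002
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\voodoo]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\voodoo]
@="driver"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegData]]:
    """Parse the subset of .reg syntax a regedit export uses into {key: {name: data}}.
    String data is unescaped, dword data becomes an int, '@' becomes '(default)'.
    Multi-line hex(...) blobs are not needed for this check and are skipped."""
    keys: Dict[str, Dict[str, RegData]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
    return keys


def find_persistence(keys: Dict[str, Dict[str, RegData]],
                     known_notify_dlls=KNOWN_NOTIFY_DLLS,
                     known_safeboot_entries=KNOWN_SAFEBOOT_ENTRIES) -> List[Tuple[str, str, str, str]]:
    """Return (mechanism, location, name, detail) for each entry outside the baseline."""
    findings: List[Tuple[str, str, str, str]] = []
    lower_keys = {k.lower(): v for k, v in keys.items()}   # registry paths are case-insensitive
    for key, values in keys.items():
        parent, _, name = key.rpartition("\\")
        if parent.lower() == NOTIFY_ROOT.lower():
            dll = str(values.get("DllName", ""))
            if dll.lower() not in known_notify_dlls:
                findings.append(("winlogon-notify", "Notify", name, dll))
        elif parent.lower().startswith(SAFEBOOT_ROOT.lower() + "\\"):
            if name.lower() not in known_safeboot_entries:
                profile = parent.rpartition("\\")[2]            # Minimal or Network
                # A SafeBoot entry normally names a service; pull its binary path for the report.
                service = lower_keys.get((SERVICES_ROOT + "\\" + name).lower(), {})
                findings.append(("safeboot", profile, name, str(service.get("ImagePath", ""))))
    return findings


def scan_export(text: str) -> List[Tuple[str, str, str, str]]:
    """Convenience wrapper: parse an export and run the baseline comparison."""
    return find_persistence(parse_reg_export(text))


if __name__ == "__main__":
    for mechanism, location, name, detail in scan_export(SAMPLE_REG_EXPORT):
        print(f"{mechanism:16} {location:8} {name:12} {detail}")
```

The service values the page lists decode as a kernel-mode driver (Type = 1) that starts automatically (Start = 2) in the "File System" load group; the SafeBoot entries are what allow that driver to load when Windows is booted in Safe Mode, so a service name that appears under SafeBoot\Minimal or SafeBoot\Network but not in a clean baseline is worth the same scrutiny as an unfamiliar Winlogon Notify DLL.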
Payload
Downloads and Executes Arbitrary Files
This Trojan connects to the domain Yyl.mofish.cn and downloads files associated with known adware. The network adapter's MAC address, which uniquely identifies the machine, is also reported to this domain.