Threat behavior
TrojanDownloader:Win32/Homeiz.A is a trojan that may lower system security, and download and execute arbitrary files.
Installation
This trojan does not copy itself or run at Windows start, but facilitates downloading and installing another trojan identified as Backdoor:Win32/Jaan.A. When this trojan is executed, it may modify the registry in order to disallow unsafe functions from running in Microsoft Access, resulting in the lowering of system security.
Modifies value: SandBoxMode
With data: "1"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\
Payload
Downloads and Executes Arbitrary Files
This trojan may execute shellcode that creates and executes a batch script. The dropped batch script attempts to download executables from the FTP site 'forus.3322.org', such as the following:
- homeiz.exe - identified as TrojanDownloader:Win32/Agent
- me.exe - identified as Backdoor:Win32/Jaan.A
Both files are executed, which could result in the downloading and execution of additional malware from the following sites:
- 129.6.15.28 (using port 37)
- mydos.8800.org (using port 9800)
The retrieved files may be saved as the following, and then executed:
<current folder>\NewTM\<random name>.exe
Additional Information
The value "SandBoxMode" instructs MS Jet to allow or disallow certain functions considered unsafe, such as file deletion or the formatting of local drives. By setting the value to 1, MS Jet would allow unsafe functions (as well as safe ones) to execute in MS Access.
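The following PowerShell script is an added defender-side audit and is not part of this encyclopedia entry or of Microsoft's tooling. It covers two things the entry describes: the SandBoxMode registry modification above, and the network indicators listed under Payload. Test-JetSandBoxMode reads the value from the key named in the entry (and from the Wow6432Node view, which is an assumption based on Jet 4.0 being a 32-bit component) and optionally restores it; the comparison value 3 is taken from Microsoft's Jet documentation, where it is the default that keeps sandbox mode enabled for all applications, not from this page. Find-HomeizNetworkIndicator matches the hosts and ports from the Payload section against log lines; the sample lines in the script are constructed for illustration.

```powershell
# Added audit script (not from the encyclopedia entry). Run as Administrator
# when using -Remediate, since it writes to HKEY_LOCAL_MACHINE.
[CmdletBinding()]
param(
    [switch]$Remediate
)

# Key from the entry, plus the Wow6432Node view used by 32-bit components on
# 64-bit Windows (assumption: Jet 4.0 is 32-bit only, so it is redirected there).
$JetEnginePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Jet\4.0\Engines',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Jet\4.0\Engines'
)

# 3 = sandbox mode always on (Microsoft's documented default, not from this page).
$SecureSandBoxMode = 3
# 1 = the value the entry says TrojanDownloader:Win32/Homeiz.A writes.
$HomeizSandBoxMode = 1

function Test-JetSandBoxMode {
    param([switch]$Remediate)

    $findings = @()
    foreach ($path in $JetEnginePaths) {
        if (-not (Test-Path -Path $path)) { continue }

        $item = Get-ItemProperty -Path $path -Name 'SandBoxMode' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }

        # Cast handles both REG_DWORD and a REG_SZ "1".
        $current = [int]$item.SandBoxMode
        $status = if ($current -eq $SecureSandBoxMode) { 'OK' }
                  elseif ($current -eq $HomeizSandBoxMode) { 'MATCHES Homeiz.A modification' }
                  else { 'WEAKENED (non-default)' }

        $restored = $false
        if ($Remediate -and $current -ne $SecureSandBoxMode) {
            Set-ItemProperty -Path $path -Name 'SandBoxMode' -Value $SecureSandBoxMode -Type DWord
            $restored = $true
        }

        $findings += [pscustomobject]@{
            Path        = $path
            SandBoxMode = $current
            Status      = $status
            Restored    = $restored
        }
    }
    return $findings
}

# Network indicators taken from the Payload section of the entry.
$HomeizIndicators = @(
    @{ Pattern = 'forus\.3322\.org';           Description = 'FTP download site' },
    @{ Pattern = 'mydos\.8800\.org';           Description = 'secondary download site (port 9800)' },
    @{ Pattern = '129\.6\.15\.28(:|\s+)37\b';  Description = 'secondary download site 129.6.15.28 port 37' }
)

function Find-HomeizNetworkIndicator {
    param([string[]]$LogLines)

    $hits = @()
    foreach ($line in $LogLines) {
        foreach ($ioc in $HomeizIndicators) {
            if ($line -match $ioc.Pattern) {
                $hits += [pscustomobject]@{ Line = $line; Indicator = $ioc.Description }
            }
        }
    }
    return $hits
}

# Constructed sample proxy/firewall lines for illustration; only the second and
# third should match.
$SampleLog = @(
    '2009-01-01 10:00:01 ALLOW TCP 10.0.0.5 -> update.example.test:80',
    '2009-01-01 10:00:07 ALLOW TCP 10.0.0.5 -> forus.3322.org:21',
    '2009-01-01 10:00:12 ALLOW TCP 10.0.0.5 -> 129.6.15.28:37'
)

Test-JetSandBoxMode -Remediate:$Remediate | Format-Table -AutoSize
Find-HomeizNetworkIndicator -LogLines $SampleLog | Format-Table -AutoSize
```

Replace $SampleLog with real proxy or firewall output (for example Get-Content over an exported log) to scan for the indicators; the SandBoxMode check reports a finding per registry view present, so an empty result means neither key exists on the host rather than that the value is secure.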
Analysis by Hong Jia
Prevention