TrojanDownloader:Win32/Nonaco.H is a generic detection for variants of a trojan downloader that installs itself as an Internet Explorer Browser Helper Object (BHO) and may change the browser's stored search settings.
Installation
TrojanDownloader:Win32/Nonaco.H is installed by a trojan dropper or installer. When the Win32/Nonaco.H dropper or installer is run, it drops files with randomly generated names (numeric strings in the observed samples), as in the following example file sets:
<system folder>\905757\905757.dll
c:\905757.bat
<system folder>\788877\788877.dll
c:\3dfgg3423.bat
<system folder>\931928\931928.dll
c:\3dfgg3423.bat
The dropper or installer also drops a registry import file as "c:\tmp.reg". Next, the dropped DLL is registered as an in-process COM server and listed as a BHO by running REGSVR32.EXE from a command shell, which creates numerous registry values, including the following examples:
Adds value: "(default)"
With data: "931928 class"
To subkey: HKLM\SOFTWARE\Classes\e405.e405mgr.1
Adds value: "(default)"
With data: "{5f6d7a37-a3d1-47f1-920d-3f48370d509b}"
To subkey: HKLM\SOFTWARE\Classes\e405.e405mgr.1\CLSID
Adds value: "(default)"
With data: "931928 class"
To subkey: HKLM\SOFTWARE\Classes\e405.e405mgr
Adds value: "(default)"
With data: "{5f6d7a37-a3d1-47f1-920d-3f48370d509b}"
To subkey: HKLM\SOFTWARE\Classes\e405.e405mgr\CLSID
Adds value: "(default)"
With data: "e405.e405mgr.1"
To subkey: HKLM\SOFTWARE\Classes\e405.e405mgr\CurVer
Adds value: "(default)"
With data: "931928 class"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{5F6D7A37-A3D1-47F1-920D-3F48370D509B}
Adds value: "(default)"
With data: "e405.e405mgr.1"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{5F6D7A37-A3D1-47F1-920D-3F48370D509B}\ProgID
Adds value: "(default)"
With data: "e405.e405mgr"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{5F6D7A37-A3D1-47F1-920D-3F48370D509B}\VersionIndependentProgID
Adds value: "(default)"
With data: "<system folder>\931928\931928.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{5F6D7A37-A3D1-47F1-920D-3F48370D509B}\InprocServer32
Adds value: "(default)"
With data: "{e63648f7-3933-440e-b4f6-a8584dd7b7eb}"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{5F6D7A37-A3D1-47F1-920D-3F48370D509B}\TypeLib
Adds value: "(default)"
With data: "931928 helper"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F6D7A37-A3D1-47F1-920D-3F48370D509B}
Adds value: "(default)"
With data: "931928 1.0 type library"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
Adds value: "(default)"
With data: "0"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
Adds value: "(default)"
With data: "<system folder>\931928\931928.dll"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
Adds value: "(default)"
With data: "<system folder>\931928\"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
Adds value: "(default)"
With data: "ie405mgr"
To subkey: HKLM\SOFTWARE\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
Adds value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"
To subkey: HKLM\SOFTWARE\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
Adds value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"
To subkey: HKLM\SOFTWARE\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
Adds value: "(default)"
With data: "{e63648f7-3933-440e-b4f6-a8584dd7b7eb}"
To subkey: HKLM\SOFTWARE\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
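The registration above is the same chain any BHO leaves behind: an entry under the Browser Helper Objects key whose CLSID resolves, via InprocServer32, to the DLL that Internet Explorer loads. The following script is an added triage example and is not part of the original analysis. It walks that chain for every registered BHO, checks the Authenticode signature of the resolved DLL, and flags entries whose DLL matches the layout shown in the example file sets; that pattern (<system folder>\<digits>\<digits>.dll) is an assumption generalised from the three samples listed, and the hypothetical function name Get-RegisteredBho is mine.

```powershell
# Added example, not part of the original analysis: enumerate every registered
# Browser Helper Object, resolve it to the DLL Internet Explorer will load, and
# flag entries that look like the Win32/Nonaco.H layout above
# (<system folder>\<digits>\<digits>.dll) or whose DLL is unsigned or missing.
# Run from an elevated PowerShell prompt on the suspect host.

$system32 = [Environment]::GetFolderPath('System')   # the <system folder>
# Assumption: the three example file sets generalise to <system folder>\N\N.dll
$nonacoPattern = '^' + [regex]::Escape($system32) + '\\(\d+)\\\1\.dll$'

# 64-bit Windows keeps the registrations seen by 32-bit IE under Wow6432Node.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegisteredBho {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($entry in Get-ChildItem -Path $root) {
            $clsid = $entry.PSChildName                        # e.g. {5F6D7A37-...}
            $name  = (Get-ItemProperty -Path $entry.PSPath).'(default)'

            # CLSID -> InprocServer32 gives the DLL path; try the native view, then Wow6432Node.
            $dll = $null
            foreach ($classRoot in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
                $inproc = Get-ItemProperty -Path "$classRoot\$clsid\InprocServer32" -ErrorAction SilentlyContinue
                if ($inproc) {
                    $dll = [Environment]::ExpandEnvironmentVariables($inproc.'(default)')
                    break
                }
            }

            $exists = $dll -and (Test-Path -LiteralPath $dll)
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }

            [pscustomobject]@{
                Clsid      = $clsid
                Name       = $name
                Dll        = $dll
                Signature  = $sig
                Suspicious = ($dll -match $nonacoPattern) -or ($sig -ne 'Valid')
            }
        }
    }
}

Get-RegisteredBho | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

An unsigned BHO is not proof of infection on its own, since legitimate add-ons are sometimes unsigned, but a DLL under a numeric-named system32 subfolder with a "<digits> helper" display name matches the artifacts listed above and should be acquired for analysis before it is unregistered (regsvr32 /u on the DLL with Internet Explorer closed).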
Payload
Downloads Files
Win32/Nonaco.H attempts to communicate with the remote web site "urbosearchsite.com" and downloads additional binaries from this site. In addition, Win32/Nonaco.H may post information including the program version number to this web site.
Modifies Web Browser Settings
This trojan may use the Windows utility REGEDIT to import the dropped registry script "c:\tmp.reg", which overwrites numerous Internet Explorer search settings in both the per-user (HKCU) and machine-wide (HKLM) hives:
Modifies value: "Search Page"
With data: "http://internetsearchservice.com"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Modifies value: "Search Page"
With data: "http://internetsearchservice.com"
To subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Modifies value: "Search Bar"
With data: "http://internetsearchservice.com/ie6.html"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Modifies value: "Search Bar"
With data: "http://internetsearchservice.com/ie6.html"
To subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Modifies value: "SearchURL"
With data: "http://internetsearchservice.com"
To subkey: HKCU\Software\Microsoft\Internet Explorer
Modifies value: "SearchURL"
With data: "http://internetsearchservice.com"
To subkey: HKLM\Software\Microsoft\Internet Explorer
Modifies value: "SearchAssistant"
With data: "http://internetsearchservice.com"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Search
Modifies value: "SearchAssistant"
With data: "http://internetsearchservice.com"
To subkey: HKLM\Software\Microsoft\Internet Explorer\Search
Modifies value: "(default)"
With data: "http://internetsearchservice.com/search?q=%s"
To subkey: HKCU\Software\Microsoft\Internet Explorer\SearchUrl\w
Modifies value: "(default)"
With data: "http://internetsearchservice.com/search?q=%s"
To subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w
Modifies value: "SearchMigratedDefaultURL"
With data: "http://internetsearchservice.com/search?q={searchterms}"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Modifies value: "SearchMigratedDefaultURL"
With data: "http://internetsearchservice.com/search?q={searchterms}"
To subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Modifies value: "SearchMigratedDefaultName"
With data: "search"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Modifies value: "SearchMigratedDefaultName"
With data: "search"
To subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Modifies value: "Default_Search_URL"
With data: "http://internetsearchservice.com"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Modifies value: "Default_Search_URL"
With data: "http://internetsearchservice.com"
To subkey: HKLM\Software\Microsoft\Internet Explorer\Main
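Because the same values are written to both hives, checking only the current user's settings (or only the machine-wide ones) misses half of the change. The following script is an added example and not part of the original analysis: it reads exactly the value names listed above from HKCU and HKLM and flags any whose data points at the hijack domain. The indicator string is the page's own domain and can be swapped for other samples; the function name Get-IeSearchSetting is hypothetical.

```powershell
# Added example, not part of the original analysis: read the Internet Explorer
# search values listed above from both hives and flag any that point at the
# hijack domain. $Indicator is the domain from this analysis; adjust for other samples.

$Indicator = 'internetsearchservice.com'

# Subkey (relative to ...\Internet Explorer) and the value names the trojan overwrites there.
$checks = @(
    @{ Sub = 'Main';        Names = @('Search Page', 'Search Bar', 'SearchMigratedDefaultURL',
                                      'SearchMigratedDefaultName', 'Default_Search_URL') },
    @{ Sub = '';            Names = @('SearchURL') },
    @{ Sub = 'Search';      Names = @('SearchAssistant') },
    @{ Sub = 'SearchUrl\w'; Names = @('(default)') }
)

function Get-IeSearchSetting {
    # HKLM values apply to every profile on the machine; HKCU is the current user only,
    # so run this in each affected user's context (or against their loaded ntuser.dat).
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($c in $checks) {
            $key = "$($hive):\Software\Microsoft\Internet Explorer"
            if ($c.Sub) { $key = "$key\$($c.Sub)" }
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($n in $c.Names) {
                $data = $props.$n
                if ($null -eq $data) { continue }      # value not present in this hive
                [pscustomobject]@{
                    Key      = $key
                    Value    = $n
                    Data     = $data
                    Hijacked = [bool]($data -is [string] -and $data -like "*$Indicator*")
                }
            }
        }
    }
}

Get-IeSearchSetting | Sort-Object Hijacked -Descending | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit browser reads the HKLM settings from HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer as well, so add that path if the host is x64. If "c:\tmp.reg" is still on disk it records exactly what was imported and is worth preserving alongside the dropped DLL before the values are reset.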
Analysis by Patrick Nolan