Threat behavior
TrojanDownloader:Win32/Stell.A is a trojan that disables the Windows firewall, blocks access to specific security websites, and downloads arbitrary files from a predefined remote server.
Installation
This trojan may be installed by other malware. In some instances, the trojan has been bundled with other malware as a file named "keymaker.exe". When run, it copies itself as a randomly named file such as:
- %USERPROFILE%\Start Menu\Programs\Startup\768cd.exe.exe
Payload
Disables Windows firewall
TrojanDownloader:Win32/Stell.A attempts to disable the Windows firewall to allow communication with external websites.
Blocks access to security websites
This trojan modifies the local hosts file to block access to the following websites:
- scanner.novirusthanks.org
- virusscan.jotti.org
- virscan.com
- www.virscan.com
- virustotal.com
- www.virustotal.com
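A defender-side check for this behavior, added here as an example (not part of the original analysis): it parses a hosts file the way the resolver does (comments, tabs, several names per line) and reports any entry that pins one of the security sites listed above, since a clean hosts file never carries them. The sample hosts content is constructed; the path under `%SystemRoot%` is the standard Windows location.

```python
import os
from typing import Dict, List, Tuple

# Security sites the advisory says this trojan pins in the hosts file.
BLOCKED_SECURITY_DOMAINS = {
    "scanner.novirusthanks.org", "virusscan.jotti.org",
    "virscan.com", "www.virscan.com",
    "virustotal.com", "www.virustotal.com",
}

# Constructed sample hosts file: two normal lines plus entries of the
# kind the trojan appends (127.0.0.1 pins for security sites).
SAMPLE_HOSTS = """\
# standard entries (constructed sample)
127.0.0.1       localhost
::1             localhost
127.0.0.1 virustotal.com WWW.virustotal.com
127.0.0.1\tvirusscan.jotti.org   # appended by malware
"""

def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname to the addresses a hosts file pins it to.
    Strips '#' comments and handles tabs and several names per line."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(fields[0])
    return mapping

def find_hijacked_entries(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs for any listed security site that
    the hosts file pins at all, whatever address it is pinned to."""
    hits = [(name, addr)
            for name, addrs in parse_hosts(text).items()
            if name in BLOCKED_SECURITY_DOMAINS
            for addr in addrs]
    return sorted(hits)

if __name__ == "__main__":
    # Check the live Windows hosts file when run on the affected host.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for name, addr in find_hijacked_entries(fh.read()):
            print(f"hosts file pins {name} -> {addr}")
```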
Downloads arbitrary files
TrojanDownloader:Win32/Stell.A downloads arbitrary files from the following websites:
- 91.121.151.137
- 78.159.105.143
Files are downloaded and saved locally as the following:
- %windir%\<random 5 digits>.exe
- %windir%\update1i.exe
- %windir%\system\sdtr.sys
Analysis by Marian Radu
Prevention