Threat behavior
TrojanDropper:Win32/Ciadoor.C is the detection for malware that drops and installs other malware. It may install the additional malware as a BHO (Browser Helper Object) that loads with Internet Explorer.
Installation
TrojanDropper:Win32/Ciadoor.C copies itself to the Windows system folder as an INI file with a random file name.
It adds the following registry entry as part of its installation routine:
Adds value: "set"
With data: "l83i789orx.ini"
To subkey: HKCU\Software\VB and VBA Program Settings\set\set
TrojanDropper:Win32/Ciadoor.C also has a routine to delete its currently-running copy once it has performed its malware functions.
Payload
Drops other malware
TrojanDropper:Win32/Ciadoor.C drops the following file:
<system folder>\wsock32.sys
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
TrojanDropper:Win32/Ciadoor.C installs Backdoor:Win32/Ciadoor.121 as a BHO by creating the following registry keys and entries:
Adds subkeys:
HKLM\SOFTWARE\Classes\N.Cs4
HKLM\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}
HKLM\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}
HKLM\SOFTWARE\Classes\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C}
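The installation marker, dropped file and BHO registry keys listed above can be checked on a host with a short read-only script. The following PowerShell is an added example written for this page; it is not code from Microsoft or from the malware write-up. It uses only the value names, file name and CLSIDs quoted above, resolves the system folder the same way the note describes (by asking the operating system), and reports what it finds without deleting anything. The final BHO enumeration assumes the usual InprocServer32 layout under HKLM\SOFTWARE\Classes\CLSID, which is how a BHO's DLL is normally registered.

```powershell
# Added example (not part of the original write-up): look for the Ciadoor.C
# indicators listed on the page. Read-only; it reports findings, removes nothing.

$bhoClsid  = '{E14DCE67-8FB7-4721-8149-179BAA4D792C}'
$classKeys = @(
    'HKLM:\SOFTWARE\Classes\N.Cs4',
    'HKLM:\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}',
    'HKLM:\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}',
    "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
)
$findings = @()

# 1. Registry keys created when Backdoor:Win32/Ciadoor.121 is registered as a BHO.
foreach ($key in $classKeys) {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

# 2. The dropper's own installation marker. The page shows one random INI name,
#    so any value named "set" under this subkey is worth reviewing.
$markerKey = 'HKCU:\Software\VB and VBA Program Settings\set\set'
if (Test-Path -LiteralPath $markerKey) {
    $props = Get-ItemProperty -LiteralPath $markerKey
    if ($null -ne $props.set) {
        $findings += "Dropper marker: $markerKey\set = $($props.set)"
    }
}

# 3. The dropped component in the system folder, resolved via the OS rather
#    than a hard-coded path (the note above explains why the location varies).
$dropped = Join-Path ([Environment]::GetFolderPath('System')) 'wsock32.sys'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropped (SHA256 $hash)"
}

# 4. Every BHO registered for Internet Explorer, resolved to the DLL it loads,
#    so an analyst can review browser add-ons even if a variant uses another CLSID.
#    Assumes the standard CLSID\<guid>\InprocServer32 registration layout.
$bhoRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bhoRoot) {
    foreach ($entry in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid  = $entry.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path -LiteralPath $server) {
            (Get-ItemProperty -LiteralPath $server).'(default)'
        } else {
            '<no InprocServer32 key>'
        }
        $findings += "Registered BHO: $clsid -> $dll"
    }
}

if ($findings.Count -eq 0) { 'No Ciadoor.C indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt on the host under review; the HKCU check only covers the currently logged-on user's hive, so a machine with several user profiles needs the marker key checked per user (for example by loading each profile's NTUSER.DAT or running the script in each user's context). A hit on the BHO enumeration alone is not proof of infection, since legitimate add-ons register the same way; the DLL path and the CLSID are what to compare against the values on this page.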
Analysis by Shawn Wang
Prevention