This trojan may be dropped by other malware or downloaded unknowingly by a user when visiting malicious Web sites.This trojan is a malware downloader that will download a text file that contain malicious urls which can be used by this trojan to download and execute other malware.

Upon execution

 This trojan donwload a text file from : http://www.oiuyt.net/ko.txt , and the content of the said text file that contain malicious urls like following:

[file] 
open=y
url1=
url2=http://61.160.210.45/new/new2.exe
url3=http://61.160.210.45/new/new3.exe
url4=http://61.160.210.45/new/new4.exe
url5=http://61.160.210.45/new/new5.exe
url6=http://61.160.210.46/new/new6.exe
url7=http://61.160.210.46/new/new7.exe
url8=http://61.160.210.46/new/new8.exe
url9=http://61.160.210.46/new/new9.exe
url10=http://61.160.210.46/new/new10.exe
url11=http://61.160.210.43/new/new11.exe
url12=http://61.160.210.43/new/new12.exe
url13=http://61.160.210.43/new/new13.exe
url14=http://61.160.210.43/new/new14.exe
url15=http://61.160.210.43/new/new15.exe
url16=http://61.160.210.43/new/new16.exe
url17=http://61.160.210.43/new/new17.exe
url18=http://61.160.210.44/new/new18.exe
url19=http://61.160.210.44/new/new19.exe
url20=http://61.160.210.44/new/new20.exe
url21=http://61.160.210.42/new/new21.exe
url22=http://61.160.210.42/new/new22.exe
url23=http://61.160.210.42/new/new23.exe
url24=http://61.160.210.42/new/new24.exe
url25=http://61.160.210.42/new/new25.exe
url26=http://61.160.210.42/new/new26.exe
url27=http://61.160.210.42/new/new27.exe
url28=http://61.160.210.42/new/new28.exe
url29=http://61.160.210.41/new/new29.exe
url30=http://61.160.210.41/new/new30.exe
url31=http://61.160.210.41/new/new31.exe
url32=http://61.160.210.41/new/new32.exe
url33=http://61.160.210.41/new/new33.exe
url34=
url35=http://61.160.210.41/new/new35.exe
url36=
count=36  

and this trojan also drops a DLL component that exports funtions can be use to make downloaded malware run.

• "%user_profile%\temp\%s%x.x" detected by anchiva as : Trojan/Runner.2015

This exploit is usually embedded in normal web page. It takes a vulnerability in Internet Explorer 6, which allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability." Successfully exploit may lead to system compromise.

• MS04-040
• CVE-2004-1050

Upon successfully exploit, it will download another malware and execute, this may further compromise the affected system:

• http://t{blocked}.com/inst/go.gif

At the time of writing, the said url has been taken down.

This worm is part of a family of backdoors that connect to IRC.

It drops a copy of itself and some bat files to delete itself, creates some registry entries to enable its automatic execution at every system startup, and drops some files to removable drives in order to infect the system when user double click the drive.

It opens random TCP ports to connect to an Internet Relay Chat (IRC) server and joins an IRC channel. Once connected, it acts as a backdoor that allows a remote malicious user to issue commands locally on an affected system to download other malicious file.

Upon execution, it checks if it is in %SystemRoot%\System32 directory currently. If not, it copys itself to %SystemRoot%\System32 with a file name xxxxxx.exe, which "xxxxxx" stands for 6 random characters. To hide xxxxxx.exe, it modifies the time of xxxxxx.exe and makes it the same as the time of explorer.exe, and set its attributes as HIDDEN, SYSTEM and READONLY.

It compares the current user name with the following strings in order to check if it is running in a sandbox:

sandbox
honey
vmware
currentuser
nepenthes
andy

It opens random TCP ports to connect to Internet Relay Chat (IRC) server and joins IRC channel.

sco.rs-forum.biz, rd.game-host.org
Join the channel: #liquid

it probably accepts the following commands from the remote malicious user:

r.getfile
dlnew
r.update
updat0r
ddos.syn
ddos.ack
ddos.random
ddos.supersyn
login
byefucker
visit
remove
download
update
msn.msg
msn.stop
aim.msg
aim.stop
triton.msg
triton.stop
pstore
pstore.search
threads
logout
wonk.ack
wonk.syn

It also checks if runing the following  windows class related IM applications:

_Oscar_StatusNotify
_Oscar_IconBtn
Ate32Class
CBClass
WndAte32Class
AIM_IMessage

It also uses the following table to crack the windows account:

user name:

oracle
database
default
guest
wwwadmin
teacher
student
owner
computer
staff
admin
admins
administrat
administrateur
administrador
administrator

password:

intranet
winpass
blank
office
control
nokia
siemens
compaq
cisco
orainstall
sqlpassoainstall
db1234
databasepassword
databasepass
dbpassword
dbpass
access
domainpassword
domainpass
domain
hello
bitch
exchange
backup
technical
loginpass
login
katie
george
chris
brian
susan
peter
win2000
winnt
winxp
win2k
win98
windows
oeminstall
oemuser
homeuser
accounting
accounts
internet
outlook
qwerty
server
system
changeme
linux
1234567890
123456789
12345678
1234567
123456
12345
pass1234
passwd
password
password1

Once found these applications, this worm  may hijack them and probably sends some fake message to ask contact to view some malicious web sites.

Upon execution, it drops a driver to restore SSDT hooks that almost all antivirus sofwares used to anti virus and hijacks many security related tools, and tries to conncet to remote address.

Upon execution, it drops the following files:
%SystemRoot\System32\drivers\beep.sys  --  detected as Spyware/Lmir.D933 by Anchiva

It tries to terminate the following processes:
QQ.exe
QQDoctor.exe
QQDoctorMain.exe
ntvdm.exe

It also tries to terminate the following processes and set the values of

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution

Options\xxxxxx\Debugger] to "ntsd -d" in order to hijack these programs (where xxxxxx stands for

the following programs):

RavMonD.exe
Rav.exe
avp.com
avp.exe
RavMon.exe
AvastU3.exe
ScanU3.exe
AvU3Launcher.exe
runiep.exe
rfwmain.exe
rfwsrv.exe
KAVPF.exe
KPFW32.exe
nod32kui.exe
nod32.exe
Navapsvc.exe
SelfUpdate.exe
Navapw32.exe
avconsol.exe
webscanx.exe
NPFMntor.exe
vsstat.exe
zjb.exe
KPfwSvc.exe
QQDoctorMain.exe
RavTask.exe
mmsk.exe
WoptiClean.exe
QQKav.exe
EGHOST.exe
QQDoctor.exe
RegClean.exe
FYFireWall.exe
360Safe.exe
iparmo.exe
adam.exe
IceSword.exe
360rpt.exe
360tray.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
AntiU.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
PFW.exe
mcconsol.exe
mmqczj.exe
nod32krn.exe
PFWLiveUpdate.exe
QHSET.exe
RavStub.exe
Ras.exe
rfwcfg.exe
RfwMain.exe
RsAgent.exe
Rsaupd.exe
safelive.exe
irsetup.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
regedit.exe
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
upiea.exe
AST.exe
ArSwp.exe
USBCleaner.exe
rstrui.exe
KvReport.kxp
QQSC.exe
ghost.exe
KRepair.com
SREngPS.EXE
XDelBox.exe
kpfw32.exe
kavstart.exe
kwatch.exe
kpfwsvc.exe
kmailmon.exe
kissvc.exe
appdllman.exe
~.exe
sos.exe
UFO.exe
TNT.Exe
niu.exe
XP.exe
Wsyscheck.exe
TxoMoU.Exe
AoYun.exe
regedit32.exe
auto.exe
AutoRun.exe
av.exe
zxsweep.exe
cross.exe
Discovery.exe
guangd.exe
kernelwind32.exe
logogo.exe
NAVSetup.exe
pagefile.exe
pagefile.pif
rfwProxy.exe
SDGames.exe
servet.exe
360safebox.exe

It tries to stop the Beep service, and drops a new driver to replace the beep.sys in system and

creates the following registry entries in order to start this driver:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RESSDT]
"Type"=dword:00000001 (SERVICE_KERNEL_DRIVER)
"Start"=dword:00000003 (SERVICE_DEMAND_START)
"ErrorControl"=dword:00000000 (SERVICE_ERROR_IGNORE)
"ImagePath"=\??\C:\WINDOWS\System32\drivers\beep.sys
"DisplayName"=RESSDT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RESSDT\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RESSDT\Enum]
"0"=Root\\LEGACY_RESSDT\\0000
"Count"=dword:00000001
"NextInstance"=dword:00000001

This driver calculates the addresses of NT services by reading the original data from

ntoskrnl.exe/ntkrnlpa.exe and restores them if they were modified. This will defeat the SSDT

hooks that almost all antivirus sofwares used to anti virus.

It disables the Windows Security Center, Windows Automatic Updates, Windows Help and Support,

Windows Error Reporting, Windows Firewall/Internet Connection Sharing (ICS), Write Protect for

disks, and Rising Antivirus by setting the value of the following registry entries:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Start"=dword:00000004 (SERVICE_DISABLED)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
"Start"=dword:00000004 (SERVICE_DISABLED)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004 (SERVICE_DISABLED)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSPPSYS]
"Start"=dword:00000004 (SERVICE_DISABLED)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"Start"=dword:00000004 (SERVICE_DISABLED)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004 (SERVICE_DISABLED)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting]
"DoReport"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting]
"ShowUI"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004 (SERVICE_DISABLED)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000000

It modifies the value of the following registry entries to hide files and turn on auto run of

disks:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\sh

owall]
"CheckedValue"=dword:00000001

[HKEY_USERS\S-1-5-21-725345543-1085031214-1801674531-1003

\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
"NoDriveTypeAutoRun"=dword:00000091

It also tries to conncet to some remote address.

    This malware arrives in the affected system as an attachment of some fake alert emails.
    Upon execution, it drops some malicious files ,steals user's sensitive information and sends to remote user.

Once executed, it drops the following files in the affected system:
%System%\gzipmod.dll  -  detected as Spyware/Goldun.FAEF by Anchiva
%System%\vbagz.sys -  detected as Rootkit/Goldun.9FF9 by Anchiva

It creates follow registry entry to enable its automatic run:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]
  "DllName"=gzipmod.dll
  "Startup"=gzipmod
  "Impersonate"=dword:00000001
  "Asynchronous"=dword:00000001
  "MaxWait"=dword:00000001
  "adrn"=[B7698B33D438DB063]
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz]
  "Type"=dword:00000001
  "Start"=dword:00000001
  "ErrorControl"=dword:00000000
  "ImagePath"=system32\vbagz.sys
  "DisplayName"=VBA PnP Driver

It also creates follow registry entries:

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  "C:\WINDOWS\system32\rundll32.exe"=C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbagz.sys]
  @="Driver
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
  @="Driver

It send user's sensitive information via follow URL:

• http://sergej-grienko.com/ie-bolt2/data.php?trackid=706172616D{blocked}

The trojan is a malicious software that is used to accelerate a kind of games,such as Virtua Tennis 3.

It has some functions as follows:

• F5 - Serving in MAX power
• F6 - Get mass scores
• F7 - Freeze time
• F8 - Infinite Stamina
• F9 - LV up to max instantly
• F11 - Time's up

The trojan is a malicious software that is used to accelerate a kind of games,such as Virtua Tennis 3.

It has some functions as follows:

• F5 - Serving in MAX power
• F6 - Get mass scores
• F7 - Freeze time
• F8 - Infinite Stamina
• F9 - LV up to max instantly
• F11 - Time's up

  This trojan may arrive in the affected system as dropped or downloaded file by other malwares or unsuspecting users.
  Upon execution, It injects into system process,and connects to follow website.It may download other malware to execute. 

•   http://www1.rixosspa.info/

  However, as of this writing, the said URL is not available.
 
  It creates follow registry entry to set its privilege of accessing network: 

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
  "%system%\svchost.exe"=%system%\svchost.exe:*:Enabled:svchost

  This trojan may arrive in the affected system as dropped or downloaded file by other malwares or unsuspecting users.
  Upon execution, It injects into system process,and connects to follow website.It may download other malware to execute. 

•   http://www1.rixosspa.info/

  However, as of this writing, the said URL is not available.
 
  It creates follow registry entry to set its privilege of accessing network: 

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
  "%system%\svchost.exe"=%system%\svchost.exe:*:Enabled:svchost

This trojan may arrive the affected system as downloaded by other malware or unsuspect user. It drops its components into the system directory and inject its dropped dll into every running process, namely explorer.exe, to steal the victims online game information. It may further compromise the affected system.

Upon execution, it drops its components into the system directory:

• %system%\9fd8db.sys - detected by RapidRx as Spyware/OnLineGames.6FF7
• %system%\E4814792.DLL - detected by RapidRx as Spyware/OnLineGames.1F53
• %system%\E4814792.cfg - trojan's config file

It creates the following registry entries to aim its injection routine and auto start after system restart:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E4814792-EFA3-4C20-93D0-8B130A59F9A8}\InprocServer32]
  @=E4814792.dll
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E4814792-EFA3-4C20-93D0-8B130A59F9A8}\InprocServer32]
  "ThreadingModel"=Apartment
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
  "{E4814792-EFA3-4C20-93D0-8B130A59F9A8}"=""
• [HKEY_CLASSES_ROOT\CLSID\{E4814792-EFA3-4C20-93D0-8B130A59F9A8}\InprocServer32]
  @=E4814792.dll
• [HKEY_CLASSES_ROOT\CLSID\{E4814792-EFA3-4C20-93D0-8B130A59F9A8}\InprocServer32]
  "ThreadingModel"=Apartment
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9fd8db]
  "Type"=dword:00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9fd8db]
  "Start"=dword:00000003
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9fd8db]
  "ErrorControl"=dword:00000000
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9fd8db]
  "ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,6d,33,32,5c,39,66,64,38,64,62,2e,73,79,73,00,
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9fd8db]
  "DisplayName"=9fd8db
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9fd8db\Security]
  "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9fd8db\Enum]
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9fd8db\Enum]
  "0"=Root\\LEGACY_9FD8DB\\0000
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9fd8db\Enum]
  "Count"=dword:00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9fd8db\Enum]
  "NextInstance"=dword:00000001

Then it injects the said DLL, E4814792.dll, into every running process, specifically explorer.exe, and stay background to steal the victims online game information.

  This Trojan arrives in the affected system as dropped or downloaded file by other malwares or unsuspecting users.
  Upon execution, It drops components to the system directory,injects dll compontent to every running process,and stays resident in backgound to steal the victim's infomation about online-games.

Once executed, it drops the following files in the affected system:

• %System%\19b5406.sys - Detected by Anchiva as Spyware/OnLineGames.6FF7
• %System%\F65BDEC7.dll - Detected by Anchiva as Spyware/OnLineGames.1F53
• %System%\F65BDEC7.cfg

It creates follow registry entry to enable its automatic run:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F65BDEC7-4BF3-4512-840F-68B166B6D7AC}\InprocServer32]
  (Default) = "F65BDEC7.dll"
  ThreadingModel = "Apartment"
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
  {F65BDEC7-4BF3-4512-840F-68B166B6D7AC} = ""
• It also creates follow registry entries:
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_19B5406\0000\Control]
  *NewlyCreated* = 0x00000000
  ActiveService = "19b5406"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_19B5406\0000]
  Service = "19b5406"
  Legacy = 0x00000001
  ConfigFlags = 0x00000000
  Class = "LegacyDriver"
  ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  DeviceDesc = "19b5406"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_19B5406]
  NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\19b5406\Enum]
  0 = "Root\LEGACY_19B5406\0000"
  Count = 0x00000001
  NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\19b5406\Security]
  Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\19b5406]
  Type = 0x00000001
  Start = 0x00000003
  ErrorControl = 0x00000000
  ImagePath = "%System%\19b5406.sys"
  DisplayName = "19b5406"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_19B5406\0000\Control]
  *NewlyCreated* = 0x00000000
  ActiveService = "19b5406"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_19B5406\0000]
  Service = "19b5406"
  Legacy = 0x00000001
  ConfigFlags = 0x00000000
  Class = "LegacyDriver"
  ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  DeviceDesc = "19b5406"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_19B5406]
  NextInstance = 0x00000001
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\19b5406\Enum]
  0 = "Root\LEGACY_19B5406\0000"
  Count = 0x00000001
  NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\19b5406\Security]
  Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\19b5406]
  Type = 0x00000001
  Start = 0x00000003
  ErrorControl = 0x00000000
  ImagePath = "%System%\19b5406.sys"
  DisplayName = "19b5406"

It sends the sensitive infomation to the attacker via follow http post:

• http://121.12.168.127/zong10/lin.asp

Upon execution, it drops some other files and starts a new service to do the malicious work. It also steals some sensitive information and sends them to remote malicious attacker.

Upon execution, it drops the follwoing files:

%SystemRoot%\System32\xxxxxx.dll
%SystemRoot%\System32\xxxxxx.key
%SystemRoot%\System32\drivers\xxxxxx.sys
(where "xxxxxx" stands for 6 random characters, such as "zdqgoj" and "ybmmhg")

It creates the following registry entries in order to enable the driver to start automatically when system reboot:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yirvudob]
"ImagePath"=\??\C:\WINDOWS\System32\drivers\xxxxxx.sys
"DisplayName"=yirvudob
("xxxxxx" stands for 6 random characters)

It looks like the driver will hook some system service to help the xxxxxx.dll. But, in order to defeat the static disassembler, the header of this driver file has been modified. The SizeOfRawData of one section of this driver has been changed to very small (only 3 bytes), so the static disassembler can't read other data in this section, but the Windows loader can align the section automatically, thus no error will occurer. It appears that the driver was modified incorrect elsewhere, so it can't be loaded by Windows, and an event log "The yirvudob service failed to start due to the following error: The specified driver is invalid. " is added to the system. (A bug or by intention?)

The xxxxxx.dll are injected into many processes of the system and monitor system's activity. It then log these into xxxxxx.key file. The content of this file looks like the following:

[2008-11-05 14:24:56] C:\WINDOWS\system32 C:\WINDOWS\Explorer.EXE
ss
[2008-11-05 14:25:08] Run C:\WINDOWS\Explorer.EXE
notepad
[2008-11-05 14:25:38] Run C:\WINDOWS\Explorer.EXE
regedit

It also steals some sensitive information and sends them to remote malicious attacker.

This malware arrives as a dropper file of another malware. It can also be downloaded by user by visting malicious websites.
It belong to variants of Spyware/Goldun.
It injects its dll component into running process such as rundll32.exe, and stay hidden in the background and may steal information related to Email and send the information to a remote malicious user.

Upon execution, it drops following files:

• %system32%\gzipmod.dll
• %system32%\vbagz.sys
• %system32%\tremir.bin

It creates following registry entry to survive system restart:

• SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod
  DllName=gzipmod.dll
  Stratup=gzipmod
  adr9i=[0B748CF23E3D75D70]
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  %system32%\rundll32.exe=%system32%\rundll32.exe:*:Enabled:rundll32
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\vbagz
  DisplayName=VBA2 PnP Driver
  ImagePath="system32\vbagz.sys

It forbids following device drivers to visit:

• \\.\x86emul
• \\.\syncm
• \\.\xprot
• \\.\netrp
• \\.\dwave
• \\.\vbagz
• \\.\dprot
• \\.\klite
• \\.\wlite
• \\.\pcixm
• \\.\fprot
• \\.\vbugz

It injects its dll component into running process such as rundll32.exe, and stay hidden in the background and may steal information related to Email and send the information to a remote malicious user.

  This worm arrives in the affected system as dropped or downloaded file by other malwares or unsuspecting users.It may also arrive via infected removable drives.
  Upon execution, It drops itself in victim's driver,and attempts to download malicious files to the local computer and execute them.  
  It injects into system process of svchost to hide itself.
 
Once executed, it drops the following files in the affected system:
%ProgramFiles%\Microsoft Common\wuauclt.exe  copy of itself

It creates follow registry entry to enable its automatic run:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
  Debugger = "%ProgramFiles%\Microsoft Common\wuauclt.exe"

It also creates follow registry entries:

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AEC\0000]
  "Service"=aec
  "Legacy"=dword:00000001
  "ConfigFlags"=dword:00000000
  "Class"=LegacyDriver
  "ClassGUID"={8ECC055D-047F-11D1-A537-0000F8753ED1}
  "DeviceDesc"=Microsoft Kernel Acoustic Echo Canceller
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AEC\0000\Control]
  "*NewlyCreated*"=dword:00000000
  "ActiveService"=aec
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FASTFAT\0000\Control]
  "ActiveService"=Fastfat
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec\Enum]
  "0"=Root\\LEGACY_AEC\\0000
  "Count"=dword:00000001
  "NextInstance"=dword:00000001
• [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
  "Cookies"=C:\\WINDOWS\\system32\\config\\systemprofile\\Cookies
  "Cache"=C:\\WINDOWS\\system32\\config\\systemprofile\\Local Settings\\Temporary Internet Files
  "History"=C:\\WINDOWS\\system32\\config\\systemprofile\\Local Settings\\History
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\iexplore]
  "Count"=dword:00000013
  "Time"=hex:d8,07,0b,00,01,00,03,00,08,00,0b,00,04,00,03,01,

It gets malicious files download URLs form follow URL,and run the malicious files with administrative privileges.

• http://aaszxt.ru/load4/ld.php?v=1&rs={Harddisk Volume Serial Number}&n=1&uid=1

If exists removeable drives,it drops copies of itself in the drive root directory as system.exe.
It also drops the file autorun.inf which contains commands that will execute the dropped copy of worm.
The file autorun.inf contains the following commands:
 [autorun]
 open=system.exe
 shellexecute=system.exe
 shell\Explore\command=system.exe
 shell\Open\command=system.exe
 shell=Explore
 
 

This spyware may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.
Currently, according our Feed-back net monitor system ,we found this infection also is detected in email attachment.

And it's a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen pshots, downloads additional components, and provides a hacker with the remote access to the compromised system.

Upon exectuion,it drops some files into system directory:

• %system32%\twext.exe  - Detected by Anchiva RapidRx Labs as : Spyware/Zbot.4334
• %system32%\twain_32\local.ds (this file is zero size)
• %system32%\twain_32\user.ds  (this file is zero size)

It mordiffies the following registry entry to enable its automatic execution in every system startup:

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  from
  C:\windows\system32\userinit.exe
  to
  C:\windows\system32\userinit.exe, c:\windows\system32\twext.exe

It terminates some computer firewall processes:

•  1)outpost.exe
•  2)zlcient.exe

And it's a banking trojan that steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.It's a ba

     This spyware arrives in the affected system as a downloaded or dropped file by other malwares or unsuspecting users.

     When executed it drops a copy of itself in the affected system. It also drops its active component which is detected by RapidRx as Spyware/OnLineGames.B5BB.

     This spyware monitors the gaming habit of the affected user. It steals login credentials for popular online games and sends it to a remote user via HTTP post.

     This spyware arrives in the affected system as a downloaded or dropped file by other malwares or unsuspecting users.

     When executed, it drops the following files in the affected system:

• %WINDOWS%\Help\F3C74E3FA248.dll - detected as Spyware/OnLineGames.B5BB
• %\WINDOWS%\Help\F3C74E3FA248.exe - copy of itself.

     It then registers the active dll component as a class object as follows:

• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32
  • _Default = "%WINDOWS%\HELP\F3C74E3FA248.dll"

     It then includes this object to the following registry to enable its automatic exucution upon startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  • {1DBD6574-D6D0-4782-94C3-69619E719765} = ""

     This spyware monitors the user's online gaming habit. It steal usernames and passwords of popular online games and sends it to a remote user via HTTP post.

This spyware arrives in the affected system as a dropped or downloaded file by other malwares or unsuspecting users.

Upon execution, this spyware drops some harmful file in the windows system folder.

This spyware arrives in the affected system as a dropped or downloaded file by other malwares or unsuspecting users.

Upon execution, it deletes itself and drops two following files:

•  %system%\DFEC5CB7.dll- detected as Spyware/OnLineGames.1F53
• %system%\9fd8db.sys - detected as Spyware/OnLineGames.6FF7

It creates the following registry entries to survive system restart:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  • '{DFEC5CB7-E2AA-4B0A-BEB3-D140E59ED53A}'=""
• HKEY_CLASSES_ROOT\CLSID\{DFEC5CB7-E2AA-4B0A-BEB3-D140E59ED53A}\InProcServer32
  • @='DFEC5CB7.dll'
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFEC5CB7-E2AA-4B0A-BEB3-D140E59ED53A}\InProcServer32
• @='DFEC5CB7.dll'

After that, it injects the said DLL into every running process, stay resident to monitor the victim's activity and steal the affected user's online-game information. It may send the sensitive infomation to the attacker via http post.

This malware arrives as a dropper file of another malware. It can also be downloaded by user by visting malicious websites.

It belong to variants of Spyware/Zbot.

It's a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.

Upon execution, it drops some copies of itself to certain directories:

• %system32%\twain_32\local.ds
• %system32%\twain_32\user.ds
• %system32%\twxt.exe - detect as Spyware/Zbot.4CF1

It modifies the following registry entries to facilitate its auto start routine:

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  From
  Userinit=%system32%\userinit.exe
  To
  Userinit=%system32%\userinit.exe,%system32%\twext.exe

It's a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.

This is Anchiva's detection for programs packed with protection system typically used by malwares. Malwares in this family arrive in the affected system via email or by visiting compromised websites which download the malware into the system. When executed, the malware may perform routines that are hard to reverse such as the installation of rootkit programs that will hide the main malware.

Upon execution, it drops some malicious files and executes them. They hook many system services to hide themselves and steal user's information. It also delete itself and creates some registry entries to enable itself to autostart when system reboot.

This malware arrives in the affected system as an attachment of some fake alert emails, such as the following:

Unon execution, it drops the following files:

%SystemRoot%\System32\gzipmod.dll  -  detected as Spyware/Goldun.FAEF by Anchiva
%SystemRoot%\System32\vbagz.sys -  detected as Rootkit/Goldun.9FF9 by Anchiva

It trys to open the following devices to check if it is being run in a sandbox:

\\.\x86emul
\\.\emulx86
\\.\ltppd
\\.\itcoe
\\.\dprot
\\.\klite
\\.\wlite
\\.\fprot

It creates the following named pipes and waits to be connected:

\\.\pipe\ttfATE373
\\.\pipe\ttfATE373msimn
\\.\pipe\ttfATE373cmd1
\\.\pipe\ttfATE373iexplore
\\.\pipe\ttfATE373myie
\\.\pipe\ttfATE373maxthon
\\.\pipe\ttfATE373icq
\\.\pipe\ttfATE373miranda
\\.\pipe\ttfATE373mozilla
\\.\pipe\ttfATE373thebat
\\.\pipe\ttfATE373msn
\\.\pipe\ttfATE373opera

It creates the following registry entries in order to be loaded when system reboot:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MPRServices\TestService]
"DllName"=gzipmod.dll
"EntryPoint"=gzipmod
"StackSize"=dword:00000000
"adrn"=[B7698B33D438DB063]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]
"DllName"=gzipmod.dll
"Startup"=gzipmod
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
"adrn"=[B7698B33D438DB063]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=system32\vbagz.sys
"DisplayName"=VBA PnP Driver

It adds the rundll32.exe to the following list to bypass the windows firewall:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

It creates the following registry entries in order to be loaded when system reboot in safe mode:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbagz.sys]
@="Driver

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
@="Driver

It hooks the following system services by inline hook and SSDT hook:

NtQueryDirectoryFile
NtCreateProcessEx
NtCreateProcess
NtProtectVirtualMemory
NtWriteVirtualMemory
IoGetCurrentProcess
NtOpenProcess
IoCreateFile
NtOpenKey

It hooks IoCreateFile service by inline hook and does the following malicious work:

1. It clears the contents of .sxx files and .sol files when these files will be opened.
2. It prevents the following files from being loaded:

.vdb file  ---  Symantec AntiVirus virus definition file
.cdb file  ---  The Cleaner Trojan definition file
gmer.sys   ---  the driver of GMER, which is a famous anti-rootkit tool
klif.sys   ---  Kaspersky AntiVirus file system filter driver
.avz file  ---  AVZ Antiviral Toolkit malware definition file
.avc file  ---  Kaspersky AntiVirus virus definition file
avp.sys    ---  the driver of Kaspersky antivirus product

It hooks NtQueryDirectoryFile service by SSDT hook to hide themselves from user and many other antivirus and anti-rootk tools.

It steals user's sensitive information and sends them to remote malicious user.

Installation

This Trojan creates a folder and drops a copy of itself in created folder:

• %Program Files%\Microsoft Common

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files. )

• %Program Files%\Microsoft Common\wuauclt.exe

It injects thread into the following  process:

• svchost.exe

Autostart Techniques

This Trojan creates the following registry entry to enable its automatic execution at every system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
• Debugger = "%Program Files%\Microsoft Common\wuauclt.exe

This worm may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.This worm modiffy registry entry to enable its automatic execution at every system startup.

This worm drops copies of itself in all removable drives. It also drops an AUTORUN.INF file to automatically execute its dropped copies when the said drives are accessed. It also updates itself from certain website.

Arrival, Installation and Autostart Technique

This worm may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

Upon execution, this worm drops the following component files:

• %User_profile%\cftmonn.exe - copy of itself
• %Windows%\system32\drivers\spools.exe - copy of itself

It modiffies the following the following registry entries:

from

HKEY_CLASSES_ROOT\exefile\shell\open\command 
@=%1 %* 

to

HKEY_CLASSES_ROOT\exefile\shell\open\command 
@=%User_Profile%\cftmon.exe %1" %*"

from

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule 
 ImagePath=SystemRoot%\windows\svchost.exe -k netsvcs")
to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule 
 ImagePath=%c:\windows\system32\drivers\spools.exe)

It deletes following registry entries:

•  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   

The content of droped AUTORUN.INF is like following:

[autorun]

ShellExecute=autorun.exe

It also update itself from the following url,but when this report writting,the url is unavailable:

• http://client{BLOCK}ster-hosting.com/?&v=artisho1&s=0
  

Upon execution, this malware copys itself to the system directory, and creates a registry entry to enable itself to auto start when system reboot. It then creates a svchost.exe process and injects some code into it, and steals the serial number of Windows Operating System and sends it to the remote attackers.

Upon execution, it drops the following file:

%SystemRoot%\System32\rs32net.exe  --  copy of itself

It tries to open the following file, may be intend to check if it is running in a sandbox:

\\.\Prot3

It creates the following registry entry to enable itself to auto start when system reboot:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

• "rs32net"=%SystemRoot%\System32\rs32net.exe

This malware embedded another module, whose name is UMLoader.exe. (We can get this
from the debug information in this module, which is "d:\programs\siberia2\umloader\objfre_wxp_x86
\i386\UMLoader.pdb".) It maybe to prevent itself from being detected by antivirus products,
so does not drop this module, but make some fixes and run it directly in memory.

The UMLoader.exe uses the native apis which are exported by ntdll.dll to create a new process svchost.exe, and injects another module, whose name is Loader.exe in it. (We can get this from the debug information in this module, which is "d:\programs\siberia2\loader\objfre_wxp_x86\i386\Loader.pdb".) It uses the same trick as above to do this. This module gets the encrypted serial number of Windows Operating System from the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\WPA\SigningHash-XXXXXXXXXXXXXX\SigningHashData
(Where 'X' standds for a character)

It encrypts the encrypted serial number and sends it to the following malicious attackers:

• 91.203.{blocked}:80
• 216.195.{blocked}:80
• 208.66.{blocked}:80