Trojan.DownLoader17.54079

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Color Server Process KtmRm NetBIOS' = '<SYSTEM32>\mtqzcaimhsal.exe'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\File Computer WMI Class Discovery CNG] 'Start' = '00000002'

Malicious functions:

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Security Center

Creates and executes the following:

'<SYSTEM32>\ralbyampfsl.exe' "<SYSTEM32>\mtqzcaimhsal.exe"
'%WINDIR%\Temp\olzdyio2x6grqwwg.exe' -r 50558 tcp
'%TEMP%\olzdyio2r9crqwwgtqoit2z.exe'
'<SYSTEM32>\mtqzcaimhsal.exe'

Modifies file system :

Creates the following files:

<SYSTEM32>\ayjswbjw\run
<SYSTEM32>\ayjswbjw\rng
%WINDIR%\Temp\olzdyio2x6grqwwg.exe
<SYSTEM32>\ayjswbjw\cfg
<SYSTEM32>\ralbyampfsl.exe
%TEMP%\olzdyio2r9crqwwgtqoit2z.exe
<SYSTEM32>\ayjswbjw\tst
<SYSTEM32>\mtqzcaimhsal.exe
<SYSTEM32>\ayjswbjw\etc

Sets the 'hidden' attribute to the following files:

<SYSTEM32>\ralbyampfsl.exe
<SYSTEM32>\mtqzcaimhsal.exe

Deletes the following files:

%WINDIR%\Temp\olzdyio2x6grqwwg.exe
<DRIVERS>\etc\hosts
%TEMP%\olzdyio2r9crqwwgtqoit2z.exe

Substitutes the HOSTS file.

Network activity:

Connects to:

'th###threw.net':80
'th###cross.net':80
'lo###loor.net':80
'lo###hade.net':80
'fe###loor.net':80
'th###shade.net':80
'dr###cross.net':80
'wi###ross.net':80
'wi###hrew.net':80
'th###floor.net':80
'dr###threw.net':80
'fe###hade.net':80
'hi###hade.net':80
'wh###hade.net':80
'wh###ross.net':80
'wh###hrew.net':80
'hi###ross.net':80
'hi###loor.net':80
'fe###ross.net':80
'lo###ross.net':80
'lo###hrew.net':80
'wh###loor.net':80
'fe###hrew.net':80
'so###ould.net':80
'pi###each.net':80
'pi###ould.net':80
'pi###sual.net':80
'so###sual.net':80
'so###each.net':80
'si###sual.net':80
'ro###ould.net':80
'ro###sual.net':80
'pi###rave.net':80
'so###rave.net':80
'ab###rave.net':80
'wi###loor.net':80
'kn###sual.net':80
'dr###floor.net':80
'dr###shade.net':80
'wi###hade.net':80
'ab###sual.net':80
'ab###each.net':80
'kn###rave.net':80
'kn###each.net':80
'kn###ould.net':80
'ab###ould.net':80
'kn###ross.net':80
'ab###ross.net':80
'ab###hrew.net':80
'wi###ull.net':80
'kn###hrew.net':80
'kn###hade.net':80
'pi###hrew.net':80
'so###hrew.net':80
'ab###loor.net':80
'ab###hade.net':80
'kn###loor.net':80
'dr###pull.net':80
'mi###hown.net':80
'ab###ell.net':80
'mo###ugust.net':80
'cr#####onaraminta.net':80
'le###form.net':80
'mo###olor.net':80
'ri###nstorm.net':80
'be##lxc.com':80
'al###being.net':80
'pr####tbottom.net':80
'ca####nbring.net':80
'ju###hrew.net':80
'mo###ross.net':80
'mo###hrew.net':80
'ro###loor.net':80
'si###loor.net':80
'ju###ross.net':80
'ju###loor.net':80
'hi###hrew.net':80
'mo###loor.net':80
'mo###hade.net':80
'ju###hade.net':80
'si###hade.net':80
'so###hade.net':80
'pi###loor.net':80
'pi###hade.net':80
'pi###ross.net':80
'so###ross.net':80
'so###loor.net':80
'si###ross.net':80
'ro###hade.net':80
'ro###ross.net':80
'ro###hrew.net':80
'si###hrew.net':80

TCP:

HTTP GET requests:

http://th###threw.net/index.php
http://th###cross.net/index.php
http://lo###loor.net/index.php
http://lo###hade.net/index.php
http://fe###loor.net/index.php
http://th###shade.net/index.php
http://dr###cross.net/index.php
http://wi###ross.net/index.php
http://wi###hrew.net/index.php
http://th###floor.net/index.php
http://dr###threw.net/index.php
http://fe###hade.net/index.php
http://hi###hade.net/index.php
http://wh###hade.net/index.php
http://wh###ross.net/index.php
http://wh###hrew.net/index.php
http://hi###ross.net/index.php
http://hi###loor.net/index.php
http://fe###ross.net/index.php
http://lo###ross.net/index.php
http://lo###hrew.net/index.php
http://wh###loor.net/index.php
http://fe###hrew.net/index.php
http://so###ould.net/index.php
http://pi###each.net/index.php
http://pi###ould.net/index.php
http://pi###sual.net/index.php
http://so###sual.net/index.php
http://so###each.net/index.php
http://si###sual.net/index.php
http://ro###ould.net/index.php
http://ro###sual.net/index.php
http://pi###rave.net/index.php
http://so###rave.net/index.php
http://ab###rave.net/index.php
http://wi###loor.net/index.php
http://kn###sual.net/index.php
http://dr###floor.net/index.php
http://dr###shade.net/index.php
http://wi###hade.net/index.php
http://ab###sual.net/index.php
http://ab###each.net/index.php
http://kn###rave.net/index.php
http://kn###each.net/index.php
http://kn###ould.net/index.php
http://ab###ould.net/index.php
http://kn###ross.net/index.php
http://ab###ross.net/index.php
http://ab###hrew.net/index.php
http://wi###ull.net/index.php
http://kn###hrew.net/index.php
http://kn###hade.net/index.php
http://pi###hrew.net/index.php
http://so###hrew.net/index.php
http://ab###loor.net/index.php
http://ab###hade.net/index.php
http://kn###loor.net/index.php
http://dr###pull.net/index.php
http://mi###hown.net/index.php
http://ab###ell.net/index.php
http://mo###ugust.net/index.php
http://cr#####onaraminta.net/index.php
http://le###form.net/index.php
http://mo###olor.net/index.php
http://ri###nstorm.net/index.php
http://be##lxc.com/index.php
http://al###being.net/index.php
http://pr####tbottom.net/index.php
http://ca####nbring.net/index.php
http://ju###hrew.net/index.php
http://mo###ross.net/index.php
http://mo###hrew.net/index.php
http://ro###loor.net/index.php
http://si###loor.net/index.php
http://ju###ross.net/index.php
http://ju###loor.net/index.php
http://hi###hrew.net/index.php
http://mo###loor.net/index.php
http://mo###hade.net/index.php
http://ju###hade.net/index.php
http://si###hade.net/index.php
http://so###hade.net/index.php
http://pi###loor.net/index.php
http://pi###hade.net/index.php
http://pi###ross.net/index.php
http://so###ross.net/index.php
http://so###loor.net/index.php
http://si###ross.net/index.php
http://ro###hade.net/index.php
http://ro###ross.net/index.php
http://ro###hrew.net/index.php
http://si###hrew.net/index.php

UDP:

DNS ASK th###threw.net
DNS ASK th###cross.net
DNS ASK lo###loor.net
DNS ASK lo###hade.net
DNS ASK fe###loor.net
DNS ASK th###shade.net
DNS ASK dr###cross.net
DNS ASK wi###ross.net
DNS ASK wi###hrew.net
DNS ASK th###floor.net
DNS ASK dr###threw.net
DNS ASK fe###hade.net
DNS ASK hi###hade.net
DNS ASK wh###hade.net
DNS ASK wh###ross.net
DNS ASK wh###hrew.net
DNS ASK hi###ross.net
DNS ASK hi###loor.net
DNS ASK fe###ross.net
DNS ASK lo###ross.net
DNS ASK lo###hrew.net
DNS ASK wh###loor.net
DNS ASK fe###hrew.net
DNS ASK so###ould.net
DNS ASK pi###each.net
DNS ASK pi###ould.net
DNS ASK pi###sual.net
DNS ASK so###sual.net
DNS ASK so###each.net
DNS ASK si###sual.net
DNS ASK ro###ould.net
DNS ASK ro###sual.net
DNS ASK pi###rave.net
DNS ASK so###rave.net
DNS ASK ab###rave.net
DNS ASK wi###loor.net
DNS ASK kn###sual.net
DNS ASK dr###floor.net
DNS ASK dr###shade.net
DNS ASK wi###hade.net
DNS ASK ab###sual.net
DNS ASK ab###each.net
DNS ASK kn###rave.net
DNS ASK kn###each.net
DNS ASK kn###ould.net
DNS ASK ab###ould.net
DNS ASK hi###hrew.net
DNS ASK ab###hrew.net
DNS ASK kn###ross.net
DNS ASK kn###hrew.net
DNS ASK dr###pull.net
DNS ASK wi###ull.net
DNS ASK ab###ross.net
DNS ASK ab###loor.net
DNS ASK pi###hrew.net
DNS ASK kn###loor.net
DNS ASK kn###hade.net
DNS ASK ab###hade.net
DNS ASK mi###hown.net
DNS ASK ab###ell.net
DNS ASK mo###ugust.net
DNS ASK cr#####onaraminta.net
DNS ASK le###form.net
DNS ASK mo###olor.net
DNS ASK ri###nstorm.net
DNS ASK be##lxc.com
DNS ASK al###being.net
DNS ASK pr####tbottom.net
DNS ASK ca####nbring.net
DNS ASK so###hrew.net
DNS ASK mo###hrew.net
DNS ASK ju###hrew.net
DNS ASK si###loor.net
DNS ASK si###hade.net
DNS ASK ro###loor.net
DNS ASK mo###ross.net
DNS ASK mo###loor.net
DNS ASK ju###loor.net
DNS ASK ju###hade.net
DNS ASK ju###ross.net
DNS ASK mo###hade.net
DNS ASK so###hade.net
DNS ASK pi###loor.net
DNS ASK pi###hade.net
DNS ASK pi###ross.net
DNS ASK so###ross.net
DNS ASK so###loor.net
DNS ASK si###ross.net
DNS ASK ro###hade.net
DNS ASK ro###ross.net
DNS ASK ro###hrew.net
DNS ASK si###hrew.net
'23#.#55.255.250':1900

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial