Trojan.DownLoader5.9370

Added to the Dr.Web virus database: 2011-10-30

Virus description added: 2011-10-30

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'tv_enua' = 'RunDll32 advpack.dll,LaunchINFSection %WINDIR%\INF\tv_enua.inf, RemoveCabinet'
[<HKLM>\SOFTWARE\Classes\MSProgramGroup\Shell\Open\Command] '' = '<SYSTEM32>\grpconv.exe %1'

Malicious functions:

Creates and executes the following:

%PROGRAM_FILES%\Kanji\Kanji.exe x --install
%PROGRAM_FILES%\Kanji\tv_enua.exe /Q
%PROGRAM_FILES%\Kanji\spchapi.exe /Q

Executes the following:

<SYSTEM32>\regsvr32.exe /s %WINDIR%\lhsp\tv\tvenuax.dll
<SYSTEM32>\regsvr32.exe /s %WINDIR%\lhsp\tv\tv_enua.dll
<SYSTEM32>\grpconv.exe -o

Modifies file system :

Creates the following files:

%WINDIR%\Temp\OLD18.tmp
%WINDIR%\LastGood\TMP17.tmp
%WINDIR%\inf\SET16.tmp
%PROGRAM_FILES%\Kanji\tv_enua.exe
%TEMP%\IXP000.TMP\tv_enua.hlp
%TEMP%\IXP000.TMP\tv_enua.dll
%TEMP%\IXP000.TMP\tvenuax.dll
%WINDIR%\speech\SET13.tmp
%WINDIR%\speech\SETE.tmp
%WINDIR%\speech\SETD.tmp
%WINDIR%\speech\SETC.tmp
%WINDIR%\speech\SETF.tmp
%WINDIR%\speech\SET12.tmp
%WINDIR%\speech\SET11.tmp
%WINDIR%\speech\SET10.tmp
%WINDIR%\Temp\OLD21.tmp
%WINDIR%\LastGood\TMP20.tmp
%WINDIR%\inf\SET1F.tmp
%WINDIR%\LastGood\TMP22.tmp
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\fwlink[1].0&cb=892502519
%PROGRAM_FILES%\Kanji\Kanji.exe
%WINDIR%\Temp\OLD23.tmp
%WINDIR%\Fonts\SET1C.tmp
%TEMP%\IXP000.TMP\Msvcp50.dll
%TEMP%\IXP000.TMP\andmoipa.ttf
%TEMP%\IXP000.TMP\tv_enua.inf
%TEMP%\IXP000.TMP\Msvcirt.dll
%WINDIR%\lhsp\help\SET1B.tmp
%WINDIR%\lhsp\tv\SET1A.tmp
%WINDIR%\lhsp\tv\SET19.tmp
%WINDIR%\speech\SETB.tmp
%TEMP%\IXP000.TMP\SPEECH.HLP
%TEMP%\IXP000.TMP\VCMSHL.DLL
%TEMP%\IXP000.TMP\VTXTAUTO.TLB
%TEMP%\IXP000.TMP\SPEECH.CNT
%TEMP%\IXP000.TMP\XLISTEN.DLL
%TEMP%\IXP000.TMP\SPCHTEL.DLL
%TEMP%\IXP000.TMP\MSVCRT.DLL
%TEMP%\IXP000.TMP\VCAUTO.TLB
%TEMP%\nsn2.tmp\System.dll
%TEMP%\nsn2.tmp\inetc.dll
%TEMP%\nsn2.tmp\LangDLL.dll
%PROGRAM_FILES%\Kanji\spchapi.exe
%TEMP%\IXP000.TMP\VCMD.EXE
%TEMP%\IXP000.TMP\SPEECH.DLL
%TEMP%\IXP000.TMP\SPCHAPI.INF
%WINDIR%\speech\SET6.tmp
%WINDIR%\speech\SET5.tmp
%TEMP%\IXP000.TMP\W95INF16.DLL
%WINDIR%\speech\SET7.tmp
%WINDIR%\speech\SETA.tmp
%WINDIR%\speech\SET9.tmp
%WINDIR%\speech\SET8.tmp
%TEMP%\IXP000.TMP\W95INF32.DLL
%TEMP%\IXP000.TMP\VDICT.DLL
%TEMP%\IXP000.TMP\XCOMMAND.DLL
%TEMP%\IXP000.TMP\XVOICE.DLL
%TEMP%\IXP000.TMP\VTEXT.DLL
%TEMP%\IXP000.TMP\ADVPACK.DLL
%TEMP%\IXP000.TMP\WRAPSAPI.DLL
%TEMP%\IXP000.TMP\XTEL.DLL

Deletes the following files:

%TEMP%\IXP000.TMP\Msvcirt.dll
%WINDIR%\Temp\OLD21.tmp
%TEMP%\IXP000.TMP\andmoipa.ttf
%TEMP%\IXP000.TMP\Msvcp50.dll
%WINDIR%\Temp\OLD23.tmp
%TEMP%\IXP000.TMP\SPEECH.DLL
%TEMP%\IXP000.TMP\VCMD.EXE
%PROGRAM_FILES%\Kanji\spchapi.exe
%TEMP%\IXP000.TMP\SPCHAPI.INF
%TEMP%\nsn2.tmp\inetc.dll
%PROGRAM_FILES%\Kanji\Kanji.exe
%TEMP%\nsn2.tmp\System.dll
%TEMP%\nsn2.tmp\LangDLL.dll
%PROGRAM_FILES%\Kanji\tv_enua.exe
%TEMP%\IXP000.TMP\tv_enua.hlp
%TEMP%\IXP000.TMP\tv_enua.inf
%TEMP%\IXP000.TMP\tvenuax.dll
%TEMP%\IXP000.TMP\tv_enua.dll
%TEMP%\IXP000.TMP\VTEXT.DLL
%TEMP%\IXP000.TMP\XTEL.DLL
%TEMP%\IXP000.TMP\XCOMMAND.DLL
%TEMP%\IXP000.TMP\VDICT.DLL
%TEMP%\IXP000.TMP\WRAPSAPI.DLL
%TEMP%\IXP000.TMP\W95INF16.DLL
%WINDIR%\Temp\OLD18.tmp
%TEMP%\IXP000.TMP\ADVPACK.DLL
%TEMP%\IXP000.TMP\W95INF32.DLL
%TEMP%\IXP000.TMP\VCMSHL.DLL
%TEMP%\IXP000.TMP\SPEECH.HLP
%TEMP%\IXP000.TMP\VCAUTO.TLB
%TEMP%\IXP000.TMP\VTXTAUTO.TLB
%TEMP%\IXP000.TMP\SPEECH.CNT
%TEMP%\IXP000.TMP\XLISTEN.DLL
%TEMP%\IXP000.TMP\XVOICE.DLL
%TEMP%\IXP000.TMP\MSVCRT.DLL
%TEMP%\IXP000.TMP\SPCHTEL.DLL

Network activity:

Connects to:

'www.ac###ibes.com':80
'localhost':1034

TCP:

HTTP GET requests:

www.ac###ibes.com/fwlink/?do######################################################################################

UDP:

DNS ASK www.ac###ibes.com
'<Private IP address>':1035

Miscellaneous:

Searches for the following windows:

ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebcheckMonitor' WindowName: ''
ClassName: 'IEFrame' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: '' WindowName: ''

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial