A downloader Trojan that can be distributed via mass mailing. Virus makers call it “Smoke Loader”.
Once this Trojan is launched, it scans the environment for the presence of a “sandbox” or a virtual machine as follows:
- Runs a search for the virtual, vmware, and qemu substrings in the Windows registry key SYSTEM\CurrentControlSet\Services\Disk\Enum.
- Checks the name of its executable file for the sample substring.
- Detects whether the dbghelp and sbiedll libraries are loaded into the process’s memory.
- Scans PEB.NtGlobalFlag for the presence of the debugger.
The Trojan launches the inactive svchost.exe process and embeds a binary file containing the shellcode into it. The shellcode decrypts, unpacks, and configures the library stored in it. Then it runs a search for the exported Work function within the library and calls it. The Trojan’s payload is implemented in this library.
Using the computer name and the serial number of the C: drive volume, the Trojan generates its identifier, scans the system for its own copy, and decrypts the address of the command and control server. Then the malware attempts to register itself in the following system registry branch:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Runwith the entry
"%progname%"=C:\Documents and Settings\admin\Application Data\A2B4C6.exewhere “%progname%” stands for the name of the application chosen randomly from all keys in the HKCU\Software branch. Otherwise, it registers itself with the default name “Customer Service”.
If the attempt fails, the malware tries to add itself to the following system registry branch:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunThen it checks whether there is an established Internet connection by attempting to access http://msn.com/. If the connection is available, the Trojan sends the data regarding the infected computer to the command and control server and tries to download and launch its main module.
The main purpose of this Trojan is to download and then launch other malicious applications on the infected computer. These applications are saved to the %temp% and %appdata% folders.
