Dropper.A_3842 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.
File Related Changes
It drops the following file(s) on the system:
- "C:\Documents and Settings\Admin\Local Settings\Temp\yXLDB.bat"
- "C:\Documents and Settings\Admin\Application Data\Java\uninstall.exe"
- "C:\Documents and Settings\Admin\Application Data\Java\uninstall.txt"
- "C:\Documents and Settings\Admin\Application Data\Falaheye.exe"
Process Related Changes
It creates the following mutex(es):
- SHIMLIB_LOG_MUTEX"
- ZonesLockedCacheCounterMutex"
- CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- ZoneAttributeCacheCounterMutex"
- 7VZ4IGS0NE"
- ZonesCacheCounterMutex"
- ZonesCounterMutex"
- CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
It creates the following process(es): - C:\WINDOWS\system32\reg.exe [ REG ADD \HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v \JavaTM Platform SE Auto Updator 2.1 /t REG_SZ /d C:\Documents and Settings\Admin\Application Data\Java\uninstall.exe /f ]
- C:\WINDOWS\system32\reg.exe [ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v \DoNotAllowExceptions /t REG_DWORD /d \0 /f ]
- C:\Documents and Settings\Admin\Application Data\Java\uninstall.exe
- C:\WINDOWS\system32\reg.exe [ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v C:\Documents and Settings\Admin\Application Data\Java\uninstall.exe /t REG_SZ /d C:\Documents and Settings\Admin\Application Data\Java\uninstall.exe::Enabled:Windows Messanger /f ]
- C:\WINDOWS\system32\cmd.exe [ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v C:\Documents and Settings\Admin\Application Data\Java\uninstall.exe /t REG_SZ /d C:\Documents and Settings\Admin\Application Data\Java\uninstall.exe::Enabled:Windows Messanger /f ]
- C:\WINDOWS\system32\cmd.exe [ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v C:\Documents and Settings\Admin\Application Data\Falaheye.exe /t REG_SZ /d C:\Documents and Settings\Admin\Application Data\Falaheye.exe::Enabled:Windows Messanger /f ]
- C:\WINDOWS\system32\reg.exe [ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v C:\Documents and Settings\Admin\Application Data\Falaheye.exe /t REG_SZ /d C:\Documents and Settings\Admin\Application Data\Falaheye.exe::Enabled:Windows Messanger /f ]
- C:\WINDOWS\Temp\8c474aeebd9e57198511e011c0d184f3.exe [ \c:\windows\temp\8c474aeebd9e57198511e011c0d184f3.exe ]
- C:\WINDOWS\system32\cmd.exe [ cmd /c \C:\DOCUME1\Admin\LOCALS1\Temp\yXLDB.bat ]
It injects malicious code into the following process(es): - "C:\Documents and Settings\Admin\Application Data\Java\uninstall.exe"
Network Activity
We observed the following DNS query/queries:
Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot: - HKU\s-1-5-21-1078081533-842925246-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Run\= _Special_Characters_
- HKLM\system\CurrentControlSet\Services\tcpip\parameters\= _Special_Characters_
- HKLM\system\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\= _Special_Characters_
- HKLM\system\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\= _Special_Characters_
|
