Content

New Malware.n

Type
Trojan
SubType
Heuristic
Discovery Date
08/01/2005
Length
Varies
Minimum DAT
4547 (08/01/2005)
Updated DAT
5808 (11/20/2009)
Minimum Engine
5.1.00
Description Added
08/01/2005
Description Modified
11/18/2009 5:52 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

Upon execution the malware registers itself with the compromised system using the following registry entry.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{001A8F88-01D3-4a02-AA3F-B98E100176F1}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{001A8F88-01D3-4a02-AA3F-B98E100176F1}\InprocServer32

It also hooks itself with the legitimate windows browser applications and runs at the background.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{296AB1C7-FB22-4D17-8834-064E2BA0A6F0}

When executed the malware redirects the execution of one application to another using the following registry entry. By doing this the malware binary will not allow any of the below mentioned security related software’s to operate once the system is compromised. Some of them are as follows

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safeup.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360upp.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.EXE

It attempts to spread to removable drives by creating an autorun.inf file, which will run the worm automatically, if one use the removable drive with the compromised system the malware binary spreads through the removable drive.

Upon successful execution it tries to connect to the remote server using the following address,

  • x.money[removed].com

It creates the following registry entry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager

The following files have been added to the system:

  • %SystemDrive%\ AUTORUN.INF
  • %SystemDrive% \YYVZG.PIF
  • %Temp%\dll3F.tmp

Note: [%SystemDrive% means the drive where the Operating System is installed, in most cases it will be C:\]

Upon execution the malware binary redirects the execution of the following,

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\debugger: "ntsd -d"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360upp.EXE\debugger: "ntsd -d"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.EXE\debugger: "ntsd -d"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.EXE\debugger: "ntsd -d"

It downloads malicious content from the remote site, the following are the files it downloads.

  • %SystemDir%\360trac.exe [Detected as Generic Dropper.ex]

These are general defaults for typical path variables. (Although they may differ, these examples are common.):

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

Symptoms

1. Connects to the remote server and downloads malicious content.

2. Registry modification

3. Redirects the execution using Image File Execution.

4. In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

This detection is an indication that the file is identified heuristically and it is requested that a sample of the file is sent to McAfee AVERT for analysis.

Refer to the online instructions for sending samples.

Variants

Variants

    N/A

All Information

Overview -

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information.
  • MD5 - 358E0CC0AFB3D8F99B5EB2211C9EE674
  • SHA - 957D8F2B0A1F5D6A04DAE81CE217DED7CCCF93D5
  • File Size - 24816 bytes

Aliases :

Kaspersky - Worm.Win32.AutoRun.azrp

Microsoft - Worm:Win32/Orbina!rts

Characteristics

Characteristics -

Upon execution the malware registers itself with the compromised system using the following registry entry.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{001A8F88-01D3-4a02-AA3F-B98E100176F1}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{001A8F88-01D3-4a02-AA3F-B98E100176F1}\InprocServer32

It also hooks itself with the legitimate windows browser applications and runs at the background.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{296AB1C7-FB22-4D17-8834-064E2BA0A6F0}

When executed the malware redirects the execution of one application to another using the following registry entry. By doing this the malware binary will not allow any of the below mentioned security related software’s to operate once the system is compromised. Some of them are as follows

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safeup.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360upp.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.EXE

It attempts to spread to removable drives by creating an autorun.inf file, which will run the worm automatically, if one use the removable drive with the compromised system the malware binary spreads through the removable drive.

Upon successful execution it tries to connect to the remote server using the following address,

  • x.money[removed].com

It creates the following registry entry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager

The following files have been added to the system:

  • %SystemDrive%\ AUTORUN.INF
  • %SystemDrive% \YYVZG.PIF
  • %Temp%\dll3F.tmp

Note: [%SystemDrive% means the drive where the Operating System is installed, in most cases it will be C:\]

Upon execution the malware binary redirects the execution of the following,

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\debugger: "ntsd -d"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360upp.EXE\debugger: "ntsd -d"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.EXE\debugger: "ntsd -d"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.EXE\debugger: "ntsd -d"

It downloads malicious content from the remote site, the following are the files it downloads.

  • %SystemDir%\360trac.exe [Detected as Generic Dropper.ex]

These are general defaults for typical path variables. (Although they may differ, these examples are common.):

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

Symptoms

Symptoms -

1. Connects to the remote server and downloads malicious content.

2. Registry modification

3. Redirects the execution using Image File Execution.

4. In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal -

Removal -

This detection is an indication that the file is identified heuristically and it is requested that a sample of the file is sent to McAfee AVERT for analysis.

Refer to the online instructions for sending samples.

Variants

Variants -

    N/A