Spy-Agent.cp

Type: Trojan
SubType: Win32
Discovery Date: 03/10/2008
Length:
Minimum DAT: 5248 (03/10/2008)
Updated DAT: 5248 (03/10/2008)
Minimum Engine: 5.1.00
Description Added: 03/10/2008
Description Modified: 03/10/2008 10:33 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection is for a multi-part trojan composed of a loader, an infostealer, a backdoor component and an update installer.

Once executed, two files (avp.exe or conime.exe, depending on the variant, and zipfldr.dll) are dropped into one of the following folders:

  • %Windir%\System\
  • C:\Documents and Settings\[user]\Templates\
  • C:\Documents and Settings\[user]\Local Settings\Temp\

zipfldr.dll is detected as Spy-Agent.cp.dll. It is the infostealer component.
It attempts to contact one of the following IP addresses to download two additional files (setup.dat and winzip.exe, both also detected as Spy-Agent.cp):

  • 202.65.192.26
  • 202.134.124.178
  • 69.46.27.35

This DLL steals sensitive data such as:

  • Microsoft Windows Version
  • Windows Environment Strings
  • MAC address
  • List of the active processes, their PPID and PID
  • Outlook Passwords
  • Hotmail Passwords
  • Deleted Outlook Account passwords
  • IE Password-Protected sites passwords
  • MSN Explorer Signup passwords
  • IE AutoComplete Passwords
  • IE Auto Complete Fields
  • Cached passwords
  • Keystrokes

The stolen data is stored in two files: C36YKXNy.dat and C36YKXNz.dat.
The DLL also creates a copy of the Microsoft file pstorec.dll under the filename xactsrv.dll, in the same folder as itself and the .DAT files.

winzip.exe is an update installer. If a file named setup.dat, setup.cab or setup.exe is found in the temp folder, it copies itself to one of the following locations:

  • %windir%\system\dllhost.exe
  • C:\Documents and Settings\[user]\Application Data\dllhost.exe
  • C:\Documents and Settings\[user]\Local Settings\dllhost.exe

It also creates the following registry entries:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\LoadService = [path_to_dllhost.exe]
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Load = [path_to_dllhost.exe]
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %sysdir%\userinit.exe [path_to_avp.exe_or_conime.exe]

dllhost.exe (also distributed as setup.dat) is the backdoor component.
It first connects to a set of well-known IP addresses and URLs to check whether an internet connection is available.

It then connects to the control server using one of a hard-coded list of URLs and IP addresses.

This list of hosts is also stored in the following registry values, which the attacker may update at any time:

  • HKCU\Software\Kodak\Imaging\Etc\host%d = host_to_contact (where %d is a digit)

The value "Refresh" may also be added under HKCU\Software\Kodak\Imaging\Etc\.

The backdoor also creates two folders named "RP1" and "RP2" in one of the following locations:

  • C:\Documents and Settings\[user]\Application Data\Microsoft\IME\
  • C:\Documents and Settings\[user]\Application Data\Identities\
  • C:\Documents and Settings\[user]\Local Settings\temp\

The RP1 and RP2 folders hold files requested by the attacker, such as listings of registry entries or directories (.lst extension) or any file taken from the victim's machine (.cab extension).

Symptoms

  • Presence of the files and registry entries listed above
  • Unexpected internet connections to the hosts listed above
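The symptoms above can be checked on a host with the following read-only PowerShell script. It is an added example, not part of the AVERT description; it assumes a current profile layout ($env:USERPROFILE in place of the XP-era "C:\Documents and Settings\[user]" paths) and must be run with administrative rights to read HKLM.

```powershell
# Added example (not from the AVERT description): a read-only check for the files and
# registry artifacts this description lists. Assumes $env:USERPROFILE stands in for the
# XP-era "C:\Documents and Settings\[user]" folder.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Persistence: RunServices\LoadService, RunServices\Load and the Winlogon\Userinit value.
#    A clean Userinit holds only userinit.exe; the trojan appends its avp.exe/conime.exe path.
$runServices = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
foreach ($name in 'LoadService', 'Load') {
    $value = (Get-ItemProperty -Path $runServices -Name $name).$name
    if ($value) { $findings += "RunServices\$name = $value" }
}
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
if ($userinit -match 'avp\.exe|conime\.exe') { $findings += "Winlogon\Userinit = $userinit" }

# 2. Backdoor configuration: host%d values and "Refresh" under HKCU\Software\Kodak\Imaging\Etc.
$etc = Get-ItemProperty -Path 'HKCU:\Software\Kodak\Imaging\Etc'
if ($etc) {
    foreach ($prop in $etc.PSObject.Properties) {
        if ($prop.Name -match '^host\d+$' -or $prop.Name -eq 'Refresh') {
            $findings += "Kodak\Imaging\Etc\$($prop.Name) = $($prop.Value)"
        }
    }
}

# 3. Dropped files and the RP1/RP2 staging folders in the locations the description names.
$up = $env:USERPROFILE
$dropDirs = @("$env:windir\System", "$up\Templates", "$up\Local Settings\Temp", "$up\Local Settings",
              "$up\Application Data", "$up\Application Data\Microsoft\IME", "$up\Application Data\Identities")
$dropNames = @('avp.exe', 'conime.exe', 'zipfldr.dll', 'winzip.exe', 'setup.dat', 'setup.cab',
               'setup.exe', 'dllhost.exe', 'xactsrv.dll', 'C36YKXNy.dat', 'C36YKXNz.dat')
foreach ($dir in $dropDirs) {
    foreach ($name in $dropNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) { $findings += "file: $path" }
    }
    foreach ($rp in 'RP1', 'RP2') {
        $path = Join-Path $dir $rp
        if (Test-Path -LiteralPath $path -PathType Container) { $findings += "folder: $path" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Spy-Agent.cp artifacts found.' }
```

Any hit on the Kodak\Imaging\Etc values or on Userinit is worth a closer look even when no dropped file is present, since the host list is the part the attacker updates remotely.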

Method of Infection

Trojans do not self-replicate. They often arrive as a desirable or intriguing file and conceal their true nature. Common ways to receive a trojan are through newsgroup postings, IRC, peer-to-peer networks, spam, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
