Content
FDoS-BEnergy!740DEC3A
- Type
- Trojan
- SubType
- Flooder
- Discovery Date
- 05/09/2008
- Length
- 24,064 bytes
- Minimum DAT
- 5260 (03/26/2008)
- Updated DAT
- 5260 (03/26/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 05/11/2008
- Description Modified
- 05/11/2008 8:12 PM (PT)
Tab Navigation
Characteristics
When executed FDoS-BEnergy copies itself to the system folder and establishes itself as a Windows service. An additional change is made to the system registry that alters security around creation of raw network sockets. This change removes the normal security check requrining that a process attempting to create a raw socket have administrative privileges.
Following installation FDoS-BEnergy communicates with a remote server, making an HTTP POST containing the host system name and some additional appended data in the following format:
- id=[HostName]_[data1]&build_id=[data2]
The server then replies with a small burst of encoded data. Though not observed directly during analysis, other content in the file strongly suggests the Trojan is designed to use the host system to participate in denial of service attacks against specified targets on the Internet. Such direction would likely be sent in the response to one of the POST check-in transmissions.
The following registry keys are modified:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\DisableRawSecurity: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\ImagePath: "c:\windows\system32\..\svchost.exe"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\DisplayName: "Microsoft security update service"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\Description: "This service downloading and installing Windows security updates"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\ObjectName: "LocalSystem"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\Start: 0x00000002
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\ErrorControl: 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\Type: 0x00000010
The trojan will copy itself to:
- %WINDOWS%\svchost.exe
(where %WINDOWS% is the Windows directory e.g. C:\Windows)
The following domains are accessed:
- activeprotect.cn
- turboprotect.cn
Symptoms
- Presence of previously mentioned registry entries
- Presence of previously mentioned file
- Presence of unexpected network connections to previously mentioned domains
Method of Infection
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Removal
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
Variants
N/A
All Information
Overview -
FDoS-BEnergy is a Trojan that may allow the infected system to be used in denial of service flooding attacks against specified targets on the Internet.
Characteristics
Characteristics -
When executed FDoS-BEnergy copies itself to the system folder and establishes itself as a Windows service. An additional change is made to the system registry that alters security around creation of raw network sockets. This change removes the normal security check requrining that a process attempting to create a raw socket have administrative privileges.
Following installation FDoS-BEnergy communicates with a remote server, making an HTTP POST containing the host system name and some additional appended data in the following format:
- id=[HostName]_[data1]&build_id=[data2]
The server then replies with a small burst of encoded data. Though not observed directly during analysis, other content in the file strongly suggests the Trojan is designed to use the host system to participate in denial of service attacks against specified targets on the Internet. Such direction would likely be sent in the response to one of the POST check-in transmissions.
The following registry keys are modified:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\DisableRawSecurity: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\ImagePath: "c:\windows\system32\..\svchost.exe"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\DisplayName: "Microsoft security update service"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\Description: "This service downloading and installing Windows security updates"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\ObjectName: "LocalSystem"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\Start: 0x00000002
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\ErrorControl: 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate\Type: 0x00000010
The trojan will copy itself to:
- %WINDOWS%\svchost.exe
(where %WINDOWS% is the Windows directory e.g. C:\Windows)
The following domains are accessed:
- activeprotect.cn
- turboprotect.cn
Symptoms
Symptoms -
- Presence of previously mentioned registry entries
- Presence of previously mentioned file
- Presence of unexpected network connections to previously mentioned domains
Method of Infection
Method of Infection -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Removal -
Removal -
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
