Content
FFSearcher
- Type
- Trojan
- SubType
- Trojan
- Discovery Date
- 07/02/2009
- Length
- 76800 bytes
- Minimum DAT
- 5665 (07/03/2009)
- Updated DAT
- 5665 (07/03/2009)
- Minimum Engine
- 5.3.00
- Description Added
- 07/02/2009
- Description Modified
- 07/03/2009 2:21 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
When executed, the trojan drops the following dll and injects into svchost.exe:
- %system%\netcfgx.dll:Zone.Identifier
It also drops the following files and loads them as system drivers. It then deletes the 2 files:
- %windows%\win32k.sys:1
- %windows%\win32k.sys:2
It then deletes the original dropper.
It modifies the following registry value to make the dll loaded on windows startup:
- HKEY_CLASSES_ROOT\CLSID\{5B035261-40F9-11D1-AAEC-00805FC1270E}\InProcServer32 "(Default)"=%system%\netcfgx.dll:Zone.Identifier
It contacts wxtr812.com to get config info and saves the data to the following file:
- %Documents and Settings%\All Users\Documents\gifnoc.xtx
It then moniters the web browser and attempts to redirect searches in Google to the site in config file.
Symptoms
- Presence of aforementioned file and registry values.
- Presence of connections to the aforementioned address.
Method of Infection
It is reported that the trojan can be downloaded as a result of successful exploit of compromised web sites.
Removal
All Users
:
Use specified engine and DAT files
for detection. For repair to complete, the system must be rebooted.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and DAT combination (or higher), older engines may not be able to remove all registry keys created by this threat.
Variants
Variants
N/A
All Information
Overview -
-- Update July 3, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/07/01/stealthy_click_fraud_malware/
--
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
When executed, the trojan drops the following dll and injects into svchost.exe:
- %system%\netcfgx.dll:Zone.Identifier
It also drops the following files and loads them as system drivers. It then deletes the 2 files:
- %windows%\win32k.sys:1
- %windows%\win32k.sys:2
It then deletes the original dropper.
It modifies the following registry value to make the dll loaded on windows startup:
- HKEY_CLASSES_ROOT\CLSID\{5B035261-40F9-11D1-AAEC-00805FC1270E}\InProcServer32 "(Default)"=%system%\netcfgx.dll:Zone.Identifier
It contacts wxtr812.com to get config info and saves the data to the following file:
- %Documents and Settings%\All Users\Documents\gifnoc.xtx
It then moniters the web browser and attempts to redirect searches in Google to the site in config file.
Symptoms
Symptoms -
- Presence of aforementioned file and registry values.
- Presence of connections to the aforementioned address.
Method of Infection
Method of Infection -
It is reported that the trojan can be downloaded as a result of successful exploit of compromised web sites.
Removal -
Removal -
All Users
:
Use specified engine and DAT files
for detection. For repair to complete, the system must be rebooted.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and DAT combination (or higher), older engines may not be able to remove all registry keys created by this threat.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
