Opachki.a
- Type: Trojan
- SubType: Trojan
- Discovery Date: 11/03/2009
- Length: Varies
- Minimum DAT: 5784 (10/27/2009)
- Updated DAT: 6247 (02/04/2011)
- Minimum Engine: 5.3.00
- Description Added: 11/03/2009
- Description Modified: 11/03/2009 11:58 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update November 4, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://isc.sans.org/diary.html?storyid=7519
--
Upon execution, this trojan drops a DLL component, detected as Opachki.a, at the following locations:
- %UserProfile%\ntuser.dll
- %UserProfile%\local settings\temp\rundll32.dll
- %UserProfile%\Start Menu\Programs\Startup\scandisk.dll
- %UserProfile%\start menu\programs\startup\scandisk.lnk
- %SystemDir%\calc.dll
(Where %UserProfile% is the Windows user profile folder, e.g. C:\Documents and Settings\USER, and %SystemDir% is the Windows system folder, e.g. C:\Windows\System32.)
It also creates the following registry entries so that the DLL is executed automatically at startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  calc = rundll32.exe %USERPROFILE%\ntuser.dll,_IWMPEvents@0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  calc = rundll32.exe %SystemDir%\calc.dll,_IWMPEvents@0
This trojan deletes the following registry key to disable restarting in safe mode:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
The DLL component is injected into running processes and monitors web traffic.
It could then inject a script tag into every website visited, causing the browser to open the website:
- google-analystisks.us
Currently this website serves JavaScript that could replace links inside web pages so that they are directed to:
- thefeedwater.com
Symptoms
- Presence of the files and registry entries listed above.
- Unexpected connections to the websites listed above.
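The symptoms above turned into a host check, as an example added here rather than part of the McAfee description: a PowerShell script that expands %UserProfile% and %SystemDir%, tests for each dropped file, for the calc Run-key values that launch rundll32.exe with the _IWMPEvents@0 export, and for the deleted SafeBoot key. It assumes the XP-era profile layout the description lists and should be run from an elevated prompt so HKLM and the system folder are readable.

```powershell
# Added example (not from the McAfee description): look for the Opachki.a
# artifacts listed in the Characteristics section on the local host.
$userProfile = $env:USERPROFILE
$systemDir   = [Environment]::SystemDirectory

# Dropped files from the description, with %UserProfile% / %SystemDir% expanded.
$files = @(
    "$userProfile\ntuser.dll",
    "$userProfile\Local Settings\Temp\rundll32.dll",
    "$userProfile\Start Menu\Programs\Startup\scandisk.dll",
    "$userProfile\Start Menu\Programs\Startup\scandisk.lnk",
    "$systemDir\calc.dll"
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
    }
}

# Persistence: a Run value named 'calc' that loads a DLL via rundll32.exe
# and calls the _IWMPEvents@0 export, under both HKCU and HKLM.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    $val = Get-ItemProperty -Path $k -Name 'calc' -ErrorAction SilentlyContinue
    if ($val -and $val.calc -match 'rundll32.*_IWMPEvents@0') {
        $findings += "Run entry: $k\calc = $($val.calc)"
    }
}

# The trojan deletes the SafeBoot key; on a healthy host it always exists.
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
    $findings += 'SafeBoot key missing (safe mode boot disabled)'
}

if ($findings.Count -eq 0) {
    Write-Output 'No Opachki.a artifacts found.'
} else {
    Write-Output 'Possible Opachki.a infection:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A missing SafeBoot key alone is a strong indicator even when the files have already been cleaned, because normal removal does not recreate it; restore it from a known-good host of the same Windows version.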
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Disable System Restore (Windows ME/XP only).
2. Update to the current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.
Variants
N/A
Overview
This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.