
Monday, 11 July 2011

All about the trojan "Backdoor.Win32.Phanta.aq, Trojan:Win32/Popureb.C"

Win32/Ghodow.NAG


Aliases: Backdoor.Win32.Phanta.aq (Kaspersky), Trojan:Win32/Popureb.C (Microsoft), Trojan.Click1.37375 (Dr. Web)
Type of infiltration: Trojan
Size: 101968 B
Affected platforms: Microsoft Windows
Signature database version: 6126 (20110516)

Short description

Win32/Ghodow.NAG is a trojan that changes the home page of certain web browsers. Win32/Ghodow.NAG replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code, so it gains control before the operating system loads. It uses techniques common to rootkits.

Installation

When executed, the trojan creates the following files:
  • C:\smsc.exe (57856 B)
  • C:\mb.exe (84992 B)
  • C:\alg.exe (57856 B)
  • %system%\hello_tt.sys (6656 B)
  • %appdata%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.IE
  • %desktop%\Internet Explorer.IE
The trojan may create the following files:
  • %commonvideo%\PulgFile.log
  • %commonvideo%\al.ini
The trojan registers itself as a system service using the following filename:
  • hello_tt
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Alg" = "C:\alg.exe"
Win32/Ghodow.NAG replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code, as well as placing additional code to load and patch the following files:
  • ntldr
  • ntkrnlpa.exe
  • beep.sys
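Because the trojan overwrites the boot code of the MBR but must keep the partition table intact for the machine to still boot, a useful triage step is to parse the first sector of the disk, hash the 440-byte boot code area and compare it with a known-good baseline while checking that the partition table is still sane. The following Python is an added example written for this page, not code from ESET or from the malware analysis; the two sample sectors are constructed stand-ins (the "infected" one contains placeholder bytes, not real Ghodow code), and the baseline hash is simply computed from the clean sample.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

# Classic MBR layout.
MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot code, the area a bootkit overwrites
DISK_SIG_OFF = 440           # bytes 440..443: 32-bit disk signature, 444..445 reserved
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510..511


def parse_mbr(mbr: bytes) -> Dict:
    """Split a 512-byte sector into boot-code hash, disk signature and partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> Dict:
    """Flag boot code that differs from the baseline; the partition table is reported
    separately because a bootkit leaves it intact so the system still boots."""
    info = parse_mbr(mbr)
    info["boot_code_matches_baseline"] = info["boot_code_sha256"] == baseline_boot_code_sha256
    return info


def build_mbr(boot_code: bytes, partitions: List[Tuple[int, int, int, int]],
              disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a synthetic MBR for testing (constructed, not read from a real disk)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    sector = (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + struct.pack("<I", disk_sig)
              + b"\x00\x00" + table + BOOT_SIGNATURE)
    assert len(sector) == MBR_SIZE
    return sector


# Constructed samples: a stand-in for a clean boot sector, and one whose boot code was
# replaced while the partition table was preserved. Neither contains real Ghodow code.
PARTITIONS = [(0x80, 0x07, 2048, 204800)]   # one bootable NTFS partition starting at LBA 2048
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xeb\xfe", PARTITIONS)
CLEAN_BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # the "known good" hash
INFECTED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 8 + b"BOOTKIT-STAND-IN", PARTITIONS)


if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("modified", INFECTED_MBR)):
        r = check_mbr(sector, CLEAN_BASELINE)
        print(label, "boot code matches baseline:", r["boot_code_matches_baseline"],
              "partitions:", r["partitions"])
```

On a real case, feed `parse_mbr` the first 512 bytes of a disk image acquired offline (for example by booting from clean media), not a sector read on the running machine: a bootkit that hooks disk I/O, which is exactly the rootkit behaviour the description alludes to, can return the original sector to any process that reads it while the system is infected. The baseline hash should come from a known-clean install of the same Windows version, since the stock boot code differs between releases.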
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command]
    "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
    "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
  • [HKEY_CLASSES_ROOT\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command]
    "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
The following Registry entries are removed:
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{C42EB5A1-0EED-E549-91B0-153485866016}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{20000000-0000-0000-0000-000000000000}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
  • [HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc850}]
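The registry changes above (the "Alg" Run value pointing at C:\alg.exe, an OpenHomePage\Command default that has a URL appended after iexplore.exe, and a service named hello_tt) can be checked offline against a `reg export` of the relevant hives rather than on the live, possibly rootkit-filtered, system. The following Python is an added example for this page, not ESET's or the malware author's code: it parses the .reg text format and reports those three indicators. Both .reg fragments are constructed; the hijack URL, the "Updater" value and the assumption that a clean OpenHomePage command runs iexplore.exe with no URL argument are stand-ins, and the service key path under CurrentControlSet\Services is the standard Windows location for a service named hello_tt.

```python
import re
from typing import Dict, List

# Constructed .reg fragment modelled on the entries listed above (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alg"="C:\\alg.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://hijack.example.invalid"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hello_tt]
"Type"=dword:00000001
"ImagePath"="system32\\hello_tt.sys"
'''

# Constructed clean counterpart: no Alg value, no URL appended, no hello_tt service.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"=data or @=data (default value); the name may contain escaped quotes
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """.reg escapes backslash and double quote with a leading backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}}; REG_SZ data is unescaped, other types kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def triage(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Report the three registry indicators described for this trojan."""
    findings: List[Dict[str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if data.strip('"').lower() == r"c:\alg.exe":
                    findings.append({"kind": "run_autostart", "key": key, "value": name, "data": data})
        elif k.endswith(r"\shell\openhomepage\command"):
            cmd = values.get("(Default)", "")
            # the hijack appends a URL argument to the iexplore.exe command
            if re.search(r"https?://", cmd, re.IGNORECASE):
                findings.append({"kind": "homepage_hijack", "key": key, "value": "(Default)", "data": cmd})
        elif k.endswith(r"\services\hello_tt"):
            findings.append({"kind": "rootkit_service", "key": key, "value": "ImagePath",
                             "data": values.get("ImagePath", "")})
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE_REG)):
        print(f["kind"], "|", f["key"], "|", f["value"], "=", f["data"])
```

To feed it a real export, run `reg export HKLM\SOFTWARE software.reg` (and the same for HKLM\SYSTEM) on the suspect host or, better, against a hive loaded from an offline image, and open the file with `encoding="utf-16"`, since `reg export` writes UTF-16 by default. The `(Default)` check deliberately matches any URL, not only the redacted one in the description, because the redirect target is the part of this family most likely to change between samples.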

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of three URLs and communicates with them over HTTP.

It may perform the following actions:
  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
  • collect information about the operating system used
  • send gathered information
  • update itself to a newer version
