Trojan-Dropper.Win32.Lebag.oub

by alexander.adamov on May 7th, 2012 in Malware Descriptions.

Platform: Win32
Type: Virus
Size: 212992 bytes
Language: C++
MD5: 08C9FCE3E1EBE443B0BA1B275337F145
SHA1: E25C727262E6DC30BB1EBAB1CD55938C7329E17D

Summary

The sample is a Windows dynamic-link library infected by a file virus that also functions as a backdoor. Attackers may use it to steal confidential information and to download other malicious programs onto the infected PC.

Technical Details

Installation

When the code of the infected library is executed, the virus code gains control first. It decrypts the virus body and writes it to the following file:

%WorkDir%\5l0GFMfn.exe (107664 bytes; MD5: 669CEA0C25DA441AAB9FFF6286137FC6, SHA1: 7FD814D0C6BFAB7F61B27235238A2D14D34F650D)

The dropped file is then executed.

Once launched, the virus body creates the following copies on the infected computer:

%Temp%\<rnd_1>.exe

%USERPROFILE%\Start Menu\Programs\Startup\<rnd_2>.exe

%APPDATA%\<rnd_3>\<rnd_2>.exe

where <rnd_1>, <rnd_2>, <rnd_3> are random sequences of the Latin alphabet letters (e.g.: "adssvwyhxpkbrjwi", "ixxxquwb", "argigunk").

Placing a copy in the "%USERPROFILE%\Start Menu\Programs\Startup" directory ensures that the malware is launched automatically each time Windows starts on the victim machine.

In addition, the following registry values are created:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

"<rnd_2>" = "%APPDATA%\<rnd_3>\<rnd_2>.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Userinit" = "%System%\userinit.exe,,%APPDATA%\<rnd_3>\<rnd_2>.exe"

Because the "Userinit" value is processed by the "WINLOGON.EXE" process at every logon, this copy is launched even when Windows boots in safe mode.

The copies are then launched for execution.
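The two persistence points above are the ones a responder can check without running the sample. The following is an added example (not code from the original description) that parses a "Userinit" value and an HKCU Run listing the way an analyst would when triaging a machine: it splits Userinit on commas, tolerates the empty entry left by the double comma, and flags anything that is not userinit.exe; for Run it flags values whose target is %APPDATA%\<letters>\<name>.exe with <name> equal to the value name, which is the layout described above. The registry values are constructed samples that reuse the page's example random names; the user name "victim" is assumed. The two read_live_* helpers use the standard winreg module and only work on Windows.

```python
import re
from typing import Dict, List

# Constructed sample registry values modelled on the paths described above
# (the random names are the page's own examples; the user "victim" is assumed).
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
INFECTED_USERINIT = (r"C:\Windows\system32\userinit.exe,,"
                     r"C:\Users\victim\AppData\Roaming\argigunk\ixxxquwb.exe")
SAMPLE_RUN_VALUES = {
    "ixxxquwb": r"C:\Users\victim\AppData\Roaming\argigunk\ixxxquwb.exe",
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# The only program that belongs in Userinit: userinit.exe, bare or in the system directory.
LEGIT_USERINIT = re.compile(
    r"^(?:%system%\\|[a-z]:\\windows\\system32\\)?userinit\.exe$", re.I)

# "<name>" = "%APPDATA%\<dir>\<name>.exe" with <dir> and <name> made of letters only.
RUN_PATTERN = re.compile(
    r"(?:%appdata%|\\appdata\\roaming)\\([a-z]+)\\([a-z]+)\.exe$", re.I)


def userinit_entries(value: str) -> List[str]:
    """Split a Userinit value on commas, dropping the empty entry that the
    infection leaves behind (note the double comma in the infected value)."""
    return [e.strip() for e in value.split(",") if e.strip()]


def foreign_userinit_entries(value: str) -> List[str]:
    """Every Userinit entry that is not userinit.exe itself."""
    return [e for e in userinit_entries(value) if not LEGIT_USERINIT.match(e)]


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Names of Run values whose target is %APPDATA%\\<letters>\\<name>.exe
    where <name> equals the value name (the dropper's own layout)."""
    hits = []
    for name, target in run_values.items():
        m = RUN_PATTERN.search(target.strip('"'))
        if m and m.group(2).lower() == name.lower():
            hits.append(name)
    return hits


def read_live_userinit() -> str:
    """Read the real Userinit value (Windows only; needs the winreg module)."""
    import winreg
    key = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        return winreg.QueryValueEx(k, "Userinit")[0]


def read_live_run_values() -> Dict[str, str]:
    """Enumerate the values under HKCU\\...\\Run (Windows only)."""
    import winreg
    key = r"Software\Microsoft\Windows\CurrentVersion\Run"
    out: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:        # no more values
                break
            out[name] = str(data)
            i += 1
    return out


if __name__ == "__main__":
    print("foreign Userinit entries:", foreign_userinit_entries(INFECTED_USERINIT))
    print("suspicious Run values:", suspicious_run_entries(SAMPLE_RUN_VALUES))
```

The Run heuristic is deliberately narrow (value name equal to the file name, letters-only directory under the roaming profile) so that ordinary autostart entries under %APPDATA%\Local are not reported; on a live host, pass the output of read_live_run_values() to suspicious_run_entries() and read_live_userinit() to foreign_userinit_entries().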

Payload

Once launched, the virus starts an instance of the "SVCHOST.EXE" process and injects executable code into its address space. The injected code performs the following actions:

  • Prevents the infected computer from booting in safe mode by deleting the registry keys under the following branches:

[HKLM\System\ControlSet001\Control\SafeBoot\Network]

[HKLM\System\ControlSet001\Control\SafeBoot\Minimal]

  • Prevents modification of the copies and autorun registry values created earlier.
  • Some of these functions are implemented by a kernel-mode driver extracted from the malware body:

%Temp%\<rnd>.sys

where <rnd> is a random sequence of the Latin alphabet letters (e.g.: "pjvftrsn").

The driver is installed on the system as a service "Micorsoft Windows Service".

  • Collects information about the user (keystroke logging, opened windows, running processes, network information). The collected data is encrypted and stored in the file:

%APPDATA%\<rnd>.log

  • Requests the following hosts to check whether an Internet connection is available:

google.com

mpa.one.microsoft.com

crl.microsoft.com

  • Acts as a backdoor. To receive commands, it connects to the following servers:

htmthgurhtchwlhwklf.com

ukiixagdbdkd.com

ouljuvkvn.com

jiwucjyxjibyd.com

tiqfgpaxvmhsxtk.com

cxatodxefolgkokdqy.com

khddwukkbwhfdiufhaj.com

tfgyaoingy.com

snoknwlgcwgaafbtqkt.com

swbadolov.com

ubkfgwqslhqyy.com

vrguyjjxorlyen.com

qbsqnpyyooh.com

caytmlnlrou.com

After receiving a command, the backdoor can perform the following actions:

- download files to the infected computer and execute them;

- send the collected data to the intruder's server;

- block antivirus software;

- connect to other servers to obtain commands.

  • The file-infection functionality described in the "File Infection" section is also performed by the code injected into the address space of the "SVCHOST.EXE" process.

File Infection

The virus infects files with the following extensions:

exe

dll

Executables and dynamic-link libraries are infected by appending the virus body to the end of the last PE section of the target file. The entry point in the PE header is then redirected into the appended code so that the virus runs before the original program.
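An appended infector of this kind leaves a structural trace that can be checked without any signature: AddressOfEntryPoint no longer points into the original code section but into the last section, which the infector also has to make executable. The following is an added example (not code from the original description) that parses the PE file header and section table with the standard struct module and reports an entry point that falls in the last section, in a section that is both writable and executable, or outside every section. Because there is no sample file on the page, build_sample_pe() fabricates a minimal, non-runnable PE32 header for a clean and an "infected" layout; the section names, sizes and RVAs are constructed for the demonstration.

```python
import struct
from typing import List, NamedTuple, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int

    def contains(self, rva: int) -> bool:
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section headers) of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    sections: List[Section] = []
    off = opt + opt_size                                  # section table follows the optional header
    for _ in range(num_sections):
        (name, vsize, vaddr, rsize, _rawptr, _relptr, _lnptr,
         _nrel, _nln, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, rsize, chars))
        off += 40                                         # sizeof(IMAGE_SECTION_HEADER)
    return entry_point, sections


def entry_point_findings(data: bytes) -> List[str]:
    """Heuristics for an appended file infector: entry point moved into the last
    section, into a W+X section, or outside the section table entirely."""
    entry_point, sections = parse_pe(data)
    findings: List[str] = []
    holder = next((s for s in sections if s.contains(entry_point)), None)
    if holder is None:
        return ["entry point 0x%x lies outside every section" % entry_point]
    if len(sections) > 1 and holder is sections[-1]:
        findings.append("entry point 0x%x is in the last section (%s)" % (entry_point, holder.name))
    if holder.characteristics & IMAGE_SCN_MEM_WRITE and holder.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is writable and executable" % holder.name)
    elif not holder.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is not marked executable" % holder.name)
    return findings


def build_sample_pe(entry_point: int, sections: List[Section]) -> bytes:
    """Constructed, non-runnable PE32 header used to exercise the checks offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                       # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", optional, 16, entry_point)     # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode("ascii").ljust(8, b"\0"),
                    s.virtual_size, s.virtual_address, s.raw_size, 0, 0, 0, 0, 0,
                    s.characteristics)
        for s in sections)
    return dos + b"PE\0\0" + coff + bytes(optional) + table


CODE_RX = 0x60000020      # CODE | EXECUTE | READ
DATA_RW = 0xC0000040      # INITIALIZED_DATA | READ | WRITE
CLEAN_LAYOUT = [Section(".text", 0x1000, 0x200, 0x200, CODE_RX),
                Section(".data", 0x2000, 0x200, 0x200, DATA_RW)]
# After infection the last section has grown and been marked executable (constructed).
INFECTED_LAYOUT = [Section(".text", 0x1000, 0x200, 0x200, CODE_RX),
                   Section(".data", 0x2000, 0x400, 0x400, DATA_RW | IMAGE_SCN_MEM_EXECUTE)]


def scan_file(path: str) -> List[str]:
    with open(path, "rb") as f:
        return entry_point_findings(f.read())


if __name__ == "__main__":
    print("clean:", entry_point_findings(build_sample_pe(0x1010, CLEAN_LAYOUT)))
    print("infected:", entry_point_findings(build_sample_pe(0x2200, INFECTED_LAYOUT)))
```

Treat a hit as a lead, not a verdict: packers and some linkers also place the entry point in the last section, so the result should be confirmed by comparing the file against a known-good copy or by disassembling the code at the entry point.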

Removal Recommendations

  1. Run a full scan of your computer using Ad-Aware with the updated definition database (Download Ad-Aware Free).
  2. Do not launch EXE files and do not reboot your computer until the full scan is complete.
  3. Restore the infected files from backup copies.
  4. Restore the registry value (How to Work with System Registry); note that the default value ends with a trailing comma:

     [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

     "Userinit" = "%System%\userinit.exe,"

  5. Delete the registry value (How to Work with System Registry):

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

     "<rnd_2>" = "%APPDATA%\<rnd_3>\<rnd_2>.exe"

  6. Delete the following files:

     %WorkDir%\5l0GFMfn.exe

     %Temp%\<rnd_1>.exe

     %USERPROFILE%\Start Menu\Programs\Startup\<rnd_2>.exe

     %APPDATA%\<rnd_3>\<rnd_2>.exe

     %Temp%\<rnd>.sys

     %APPDATA%\<rnd>.log

  7. Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
  8. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
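Steps 4 to 6 above are mechanical and easy to get wrong by hand (in particular, leaving Userinit empty locks every user out at logon). The following is an added example (not code from the original description) that turns them into a reviewable plan: it rebuilds the Userinit value keeping only the userinit.exe entry and the trailing comma, selects the Run values whose target is one of the known copies, and lists the files to delete, in that order. apply_plan() executes the plan with the standard winreg and os modules on Windows and defaults to a dry run; it must only be run after the scan in step 1 has stopped the injected code and the driver, since the malware otherwise protects its copies and autorun values. The sample state is constructed from the page's example random names with an assumed user "victim".

```python
import os
import re
from typing import Dict, List, Tuple

try:
    import winreg                      # Windows only
except ImportError:                    # keep the planning part usable elsewhere
    winreg = None

# Constructed sample state (page's example random names, assumed user "victim").
INFECTED_USERINIT = (r"C:\Windows\system32\userinit.exe,,"
                     r"C:\Users\victim\AppData\Roaming\argigunk\ixxxquwb.exe")
SAMPLE_RUN_VALUES = {"ixxxquwb": r"C:\Users\victim\AppData\Roaming\argigunk\ixxxquwb.exe"}
SAMPLE_COPIES = [
    r"C:\Users\victim\AppData\Roaming\argigunk\ixxxquwb.exe",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ixxxquwb.exe",
    r"C:\Users\victim\AppData\Local\Temp\adssvwyhxpkbrjwi.exe",
    r"C:\Users\victim\AppData\Local\Temp\pjvftrsn.sys",
]

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
USERINIT_EXE = re.compile(r"userinit\.exe$", re.I)

Action = Tuple[str, str]


def cleaned_userinit(value: str) -> str:
    """Keep only the userinit.exe entry. The Windows default ends with a comma,
    and an empty value would break logon, so never return an empty string."""
    keep = [e.strip() for e in value.split(",") if USERINIT_EXE.search(e.strip())]
    return ",".join(keep or ["userinit.exe"]) + ","


def removal_plan(userinit_value: str, run_values: Dict[str, str],
                 copies: List[str]) -> List[Action]:
    """Order matters: fix Userinit first so logon keeps working, then remove the
    Run value, then the files it pointed to."""
    plan: List[Action] = []
    fixed = cleaned_userinit(userinit_value)
    if fixed != userinit_value:
        plan.append(("set_userinit", fixed))
    targets = {c.lower() for c in copies}
    for name, target in run_values.items():
        if target.strip('"').lower() in targets:
            plan.append(("delete_run_value", name))
    plan.extend(("delete_file", c) for c in copies)
    return plan


def apply_plan(plan: List[Action], dry_run: bool = True) -> List[str]:
    """Execute the plan on a Windows host (HKLM needs administrator rights).
    With dry_run=True nothing is changed; the returned log says what would be done."""
    log: List[str] = []
    for action, arg in plan:
        log.append("%s %s" % (action, arg))
        if dry_run:
            continue
        if action == "set_userinit":
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0,
                                winreg.KEY_SET_VALUE) as k:
                winreg.SetValueEx(k, "Userinit", 0, winreg.REG_SZ, arg)
        elif action == "delete_run_value":
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY, 0,
                                winreg.KEY_SET_VALUE) as k:
                winreg.DeleteValue(k, arg)
        elif action == "delete_file" and os.path.exists(arg):
            os.remove(arg)
    return log


if __name__ == "__main__":
    for line in apply_plan(removal_plan(INFECTED_USERINIT, SAMPLE_RUN_VALUES, SAMPLE_COPIES)):
        print(line)
```

Review the dry-run output before calling apply_plan(plan, dry_run=False); the driver file in %Temp% can only be deleted once its service is no longer running, and the original infected library (step 7) still has to be located separately.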