Trojan-Spy.Win32.Batton.rk

From Total Malware Info

The description for Trojan-Spy.Win32.Batton.rk was created during the beta test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.

Last edited:

18.6.2011

Trojan-Spy programs spy upon the user's activity and steal confidential user information. This sample is a Windows DLL (PE DLL file), 120359 bytes in size, written in C++.

md5: D6AB8A0510BB02E4FC7500F9512355E2

sha1: 8E8417D3E5D0CE07A3CAE68D61E761CB86C66E33

Payload

This malicious DLL is used as a component of other malicious programs. Its basic functionality is to give an attacker remote access to the user's computer and to hide its presence on that computer.

Once launched, the library extracts a driver from its body:

%System%\_amdevntas.sys
(MD5: 72553ce6060c2d10eaf432b9f60ae511)

The file is 34816 bytes in size and is detected by Kaspersky Anti-Virus as Rootkit.Win32.AntiAv.bq.

To run the extracted file, the trojan creates and starts the service:

PDCOMP

At the same time, it adds the following information to the registry:

[HKLM\SYSTEM\CurrentControlSet\Services\PDCOMP]
"ErrorControl" = "0"
"ImagePath" = "%System%\_amdevntas.sys"
"Start" = "3"
"Type" = 1

After the driver has been successfully launched, the "ImagePath" value is removed from the created registry key.

This driver performs the following actions:

1. Removes hooks installed in the SSDT (System Service Descriptor Table) to counteract protective and antivirus mechanisms in the system.

2. Hides its registry key by installing a hook on the function "HHIVE::GetCellRoutine".

3. Hides files whose names contain the substring "amdevnta" by installing a hook on the "IRP_MJ_DIRECTORY_CONTROL" handler in \FileSystem\Ntfs.

4. Hides its network activity by installing a hook on the "IRP_MJ_DEVICE_CONTROL" handler in \Device\TCP.

5. Prevents enumeration of the libraries loaded into the malicious process by installing a hook on the function "ObReferenceObjectByHandle", to counteract protective and antivirus mechanisms.

6. Terminates processes whose names contain the following substrings:

ekrn
nod32
Scanner
avp
scan32
360
ScanFrm
ccSvcHst
avscan
xnlscn
V3Medic
AhnSD
Avast
Rtvscan
avg
uiscan
mcshield
Spider

7. Counteracts antivirus solutions by ESTsoft and Doctor Web.

The trojan connects to the attacker's server to provide backdoor functionality:
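The persistence artefacts above (the PDCOMP service key, the dropped driver, the "amdevnta" file-name substring) and the process kill list can be turned into a simple offline triage check. The following is an added example, not code from the original description or from the sample itself: the indicator values are the ones listed on this page; the registry export, process list and file listing are constructed sample data; the .reg parser is a deliberately simplified assumption (real exports are UTF-16 and escape backslashes); and the "kernel driver service without ImagePath" rule is a heuristic of mine, derived from the statement that "ImagePath" is deleted after a successful start. Because the driver hooks registry cell lookups and directory enumeration, data for these checks must come from an offline disk image or an export taken outside the infected OS; live queries on the infected host would be filtered.

```python
"""Offline indicator matching for the Trojan-Spy.Win32.Batton.rk description.

Added example, not from the original page. Sample data below is constructed;
the .reg parsing is a simplified assumption.
"""
import hashlib
import re

# Indicators taken from the description
DRIVER_NAME = "_amdevntas.sys"
DRIVER_MD5 = "72553ce6060c2d10eaf432b9f60ae511"
DLL_MD5 = "d6ab8a0510bb02e4fc7500f9512355e2"
SERVICE_NAME = "PDCOMP"
HIDDEN_SUBSTRING = "amdevnta"   # names containing this are hidden by the rootkit
KEYLOG_NAME = "syslog.dat"      # keystroke log written to %CurrentDir%
KILL_LIST = ["ekrn", "nod32", "Scanner", "avp", "scan32", "360", "ScanFrm",
             "ccSvcHst", "avscan", "xnlscn", "V3Medic", "AhnSD", "Avast",
             "Rtvscan", "avg", "uiscan", "mcshield", "Spider"]


def parse_reg_export(text):
    """Parse a minimal .reg-style export into {key: {value_name: data}}.
    Simplified assumption: only [key], "name"="string" and "name"=dword:... lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if m and current is not None:
            name, s, d = m.groups()
            keys[current][name] = s if s is not None else int(d, 16)
    return keys


def suspicious_services(keys):
    """Flag service keys matching the persistence artefacts in the description."""
    hits = []
    for key, values in keys.items():
        name = key.rsplit("\\", 1)[-1]
        path = str(values.get("ImagePath", ""))
        if name == SERVICE_NAME:
            hits.append((name, "service name matches"))
        elif DRIVER_NAME.lower() in path.lower():
            hits.append((name, "ImagePath points to the dropped driver"))
        elif values.get("Type") == 1 and "ImagePath" not in values:
            # ImagePath is deleted after a successful start, so a kernel-driver
            # service (Type 1) with no image path is worth reviewing. Heuristic
            # assumption of this example, not a claim from the description.
            hits.append((name, "kernel driver service without ImagePath"))
    return hits


def targeted_processes(process_names):
    """Return (process, substring) pairs the driver's kill list would match.
    The description does not say whether matching is case-insensitive; assumed here."""
    hits = []
    for proc in process_names:
        for sub in KILL_LIST:
            if sub.lower() in proc.lower():
                hits.append((proc, sub))
                break
    return hits


def check_files(listing):
    """listing: {path: bytes} from an OFFLINE image; on a live host the
    IRP_MJ_DIRECTORY_CONTROL hook filters these names out of listings."""
    hits = []
    for path, data in listing.items():
        fname = path.rsplit("\\", 1)[-1].lower()
        if hashlib.md5(data).hexdigest() in (DRIVER_MD5, DLL_MD5):
            hits.append((path, "MD5 matches known sample"))
        elif HIDDEN_SUBSTRING in fname:
            hits.append((path, "file name the rootkit hides"))
        elif fname == KEYLOG_NAME:
            hits.append((path, "name matches keylog output file (weak indicator)"))
    return hits


# Constructed sample data (post-launch state: PDCOMP's ImagePath already deleted)
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PDCOMP]
"ErrorControl"=dword:00000000
"Start"=dword:00000003
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sampledrv]
"Start"=dword:00000003
"Type"=dword:00000001
"""
SAMPLE_PROCESSES = ["ekrn.exe", "explorer.exe", "AvastSvc.exe",
                    "svchost.exe", "mcshield.exe", "notepad.exe"]
SAMPLE_FILES = {  # placeholder bytes, so the hashes will not match the real samples
    r"C:\Windows\System32\_amdevntas.sys": b"placeholder driver bytes",
    r"C:\Windows\System32\drivers\ntfs.sys": b"placeholder benign bytes",
    r"C:\Users\user\syslog.dat": b"placeholder keylog bytes",
}

if __name__ == "__main__":
    for hit in (suspicious_services(parse_reg_export(SAMPLE_REG))
                + targeted_processes(SAMPLE_PROCESSES) + check_files(SAMPLE_FILES)):
        print(*hit, sep=": ")
```

Running it against the constructed data reports PDCOMP by name, the ImagePath-less driver service by the heuristic, the three security processes the kill list would terminate, and the two file names; the MD5 branch only fires when real file contents from an image are supplied.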

xiaonong.m****.com:80

The malicious library can perform the following actions, depending on the commands received from the attacker:

  • Intercepting keys pressed by the user on the keyboard; the captured data is stored in the following file:
%CurrentDir%\syslog.dat
  • Blocking keys pressed by the user on the keyboard (the blocked keys or key combinations are specified by the attacker, for example "Ctrl + Alt + Del", which calls the Task Manager);
  • Emulating keystrokes;
  • Downloading and running other malicious files from addresses specified by the attacker (including a DLL that can be used to download an updated version of the malware);
  • Opening Internet resources specified by the attacker using Internet Explorer (the request can be hidden from the user or, conversely, displayed);
  • Installing services and creating records to run them automatically in the following registry key:
[HKLM\SYSTEM\CurrentControlSet\Services\<Service Name>]

<Service Name> is the service name; it is passed to the library as a parameter when a function within the library is called.

  • Establishing a connection to the attacker's server, whose IP address and port are specified in the function call;
  • Changing the port number or IP address used to communicate with the attacker;
  • Capturing and sending images from webcams and audio from the user's microphone to the attacker;
  • File management (listing files, sending files to the attacker, deleting and creating files and folders, renaming, retrieving file information, opening files either covertly or visibly to the user, modifying files);
  • Getting a list of processes;
  • Managing processes (tracking process names, terminating processes);
  • Stealing passwords for dial-up connections;
  • Getting a list of windows on the user's computer;
  • Executing commands from the command line;
  • Passing information about the user's computer to the attacker (processor, operating system version, list of logical drives);
  • Managing services (stop, start, delete, create, check availability, get information about services, change startup parameters). The library can also change the executable file of a service by modifying the following registry key:
[HKLM\SYSTEM\CurrentControlSet\Services\<Service Name>]

In addition, the library allows the attacker to receive pictures of the user's desktop and to send commands that manipulate the mouse, thereby implementing RAT (Remote Administration Tool) functionality.

Removal instructions

If your computer does not have antivirus software and is infected by this malicious program, follow the instructions below to remove it:

1. Delete the original malicious file (its location on the infected computer depends on how the program originally penetrated the victim machine).

2. Perform a full system scan with an antivirus with updated databases.
