Trojan.Win32.Qhost.mme
From Total Malware Info
Last edited: 7.8.2011
It is a trojan program that performs destructive actions on a user's computer. It is a Windows application (PE-EXE file), 134,359 bytes in size. It is packed with an unknown packer; the unpacked size is about 446 KB. It is written in Delphi.
md5: 895A62F1F95FDE6B01810A7740549AAD
sha1: 598B0B98FA25902AE5434AE57127B8294868DD83
Installation
Once launched, the trojan copies its body to the following files:
%System%\Default.scr
%System%\config\lsass.exe
%System%\config\Cache\Dasktop.ini
The trojan sets the "hidden" attribute on the copy "lsass.exe".
In order to start automatically each time the system boots, the trojan creates links to its executable files in the system registry:
[HKCU\Control Panel\Desktop]
"SCRNSAVE.EXE" = "%System%\Default.scr"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel Audio Driver" = "%System%\config\lsass.exe"
Payload
In order to counteract monitoring and debugging tools, the trojan searches for the following window classes:
OLLYDBG
FileMonClass
and devices:
\\.\SICE
\\.\SIWVID
\\.\NTICE
\\.\REGSYS
\\.\REGVXG
\\.\FILEVXG
\\.\FILEM
\\.\TRW
\\.\ICEEXT
To ensure that only one instance of its process is running, it creates a unique identifier with the following name:
WOG_M
It prevents the system from booting in Safe Mode by deleting the following registry branches:
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
It turns off notifications of the Windows Security Center by setting the following parameters in the system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"
It disables the "Folder Options" item in Windows Explorer:
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"NoFolderoptions" = "1"
It disables System Restore:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore]
"DisableSR" = "1"
Launching of the following programs is prohibited for the current user:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun]
0 = "avp.exe"
1 = "avz.exe"
2 = "autoruns.exe"
3 = "outpost.exe"
4 = "spidernt.exe"
5 = "SpyDerAgent.exe"
6 = "dwengine.exe"
7 = "spiderui.exe"
8 = "acs.exe"
9 = "op_mon.exe"
10 = "klnagent.exe"
11 = "egui.exe"
12 = "sched.exe"
13 = "avgnt.exe"
14 = "avguard.exe"
15 = "guardgui.exe"
It disables the Windows Firewall:
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StardardProfile]
"DisableNotifications" = "1"
"DoNotAllowExceptions" = "0"
"EnableFirewall" = "0"
It enables the screensaver and sets its timeout:
[HKCU\Control Panel\Desktop]
"ScreenSaveActive" = "1"
"ScreenSaveTimeOut" = "100"
The binary file of screensaver is a copy of the trojan.
It sets a low risk level in the Windows security policy for files with the extensions "exe", "bat", "reg" and "scr", so that no security warning is shown when a file from an "untrusted" source is opened:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
LowRiskFileTypes = ".Exe;.Bat;.Reg;.Scr;"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
SaveZoneInformation = "1"
The trojan modifies the files:
%System%\drivers\etc\hosts
%System%\dllcache\hosts
appending to them a long list of entries that map the hostnames of antivirus vendors' and security sites to a single IP address:
The trojan reads the path to the hosts file from the registry value:
[HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"
Thus, when the user tries to access those resources, the requests are redirected to:
174.133.168.212
After this, the trojan terminates.
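As an added example (not part of the original description), the following Python parses a hosts file and flags the pattern this trojan leaves behind: many hostnames, including security vendors' sites, resolved to one non-loopback address. The sample hosts content and the vendor marker list are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a tampered hosts file (a few of the names the
# description lists, not the full set): the legitimate loopback lines
# plus security-vendor hostnames all pointed at one external address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 localhost
174.133.168.212 www.kaspersky.com
174.133.168.212 www.securelist.com
174.133.168.212 online.drweb.com
174.133.168.212 download.eset.com
192.168.1.10 intranet.example.test   # constructed, legitimate local entry
"""

# Substrings that mark security vendors' update and support sites.
# Assumed list for this example; extend it for the products you run.
VENDOR_MARKERS = ("kaspersky", "securelist", "viruslist", "drweb",
                  "eset", "avira", "agnitum", "trendsecure")


def parse_hosts(text):
    """Yield (ip, hostname, is_loopback) for every usable hosts entry,
    skipping comments, blank lines and lines with an unparsable address."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield str(addr), name.lower(), addr.is_loopback


def find_hijacks(text, min_names=3):
    """Return {ip: [hostnames]} for non-loopback addresses that absorb a
    security-vendor name or collect at least min_names hostnames."""
    by_ip = defaultdict(list)
    for ip, name, loopback in parse_hosts(text):
        if not loopback:
            by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items()
            if len(names) >= min_names
            or any(m in n for n in names for m in VENDOR_MARKERS)}
```

Run it over both copies the description names (%System%\drivers\etc\hosts and %System%\dllcache\hosts), since the trojan modifies both.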
In addition, the trojan disables the display of hidden and system files and directories, as well as the display of extensions for registered file types in Windows Explorer. For this purpose it changes the values under the following registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
"ShowSuperHidden" = "0"
"HideFileExt" = "1"
It terminates the following processes:
procexp.exe
procmon.exe
autoruns.exe
KillProcess.exe
PrcInfo.exe
filemon.exe
regmon.exe
msconfig.exe
HiJackThis.exe
avz.exe
phunter.exe
UnlockerAssistant.exe
Unlocker.exe
regedit.exe
servise.exe
OS.exe
Prcview.exe
TaskInfo.exe
egui.exe
sysinspector.exe
klnagent.exe
It looks for windows with the following class names:
PROCEXPL
PROCMON_WINDOW_CLASS
Autoruns
AVP.MainWindow
AnVirMainFrame
and with the following titles:
avast! Antivirus Setup
Display Properties
AVZ antivirus utility
Avira AntiVir Personal - Free Antivirus
Dr.Web Security Space 5.0 - InstallShield Wizard
Then it identifies the processes that own these windows and terminates them.
It checks the title of the active window; if it matches one of the following, the trojan determines the process that owns the window and terminates it:
avast! Antivirus Setup
Свойства: Экран
Антивирусная утилита AVZ
Avira AntiVir Personal - Free Antivirus
Dr.Web Security Space 5.0 - InstallShield Wizard
Also, there are 7 audio fragments in the trojan's resources. These fragments are played when the following keys are pressed:
ENTER
BACKSPACE
TAB
ESC
DEL
CAPS LOCK
SPACE
Spread Through Removable Devices and Network Resources
The trojan copies its executable file to all writable removable drives connected to the victim's computer:
<the infected partition's name>:\<rnd>.scr
It also creates the script "Autorun.inf" in the root directory of the infected disk:
<the infected partition's name>:\Autorun.inf
<rnd> is a random sequence of digits, for example "47602". The Autorun.inf script causes the copy to run each time a user opens the infected removable disk in Explorer.
In addition, the trojan applies the "hidden" attribute to all directories in the root of the infected removable disk. It then creates copies of its executable on this disk under the hidden directories' names.
The trojan copies its body to the available network resources by one of the following names:
XXX.scr
Games.scr
Фотки.scr
Порно.scr
Музыка.scr
Не удалять!!!.scr
Новое.scr
Свежак.scr
это я)).scr
Книжки.scr
Антивирусы.scr
Новая папка.scr
сталкер.scr
каспер.scr
жесть.scr
Also, the trojan searches for .exe files on available network resources. Each file found is renamed to
zw<the original file name>.exe
and the "hidden" attribute is applied to it.
Then it creates a copy of its body under the found file's name:
<the original file name>.exe
It also creates a shortcut:
<the original file name>.lnk
which launches the trojan copy:
%WinDir%\system32\RunDll32.exe shell32.dll,ShellExec_RunDLL".\<the original file name>.exe"
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
1. Use the Task Manager to determine the PID of the trojan process:
lsass.exe
The trojan process is running on behalf of the current user.
2. Run the command:
taskkill /pid <PID of the trojan process>
3. Delete the following files:
%System%\Default.scr
%System%\config\lsass.exe
%System%\config\Cache\Dasktop.ini
4. Delete the system registry keys:
[HKCU\Control Panel\Desktop]
"SCRNSAVE.EXE" = "%System%\Default.scr"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Intel Audio Driver" = "%System%\config\lsass.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun]
0 = "avp.exe"
1 = "avz.exe"
2 = "autoruns.exe"
3 = "outpost.exe"
4 = "spidernt.exe"
5 = "SpyDerAgent.exe"
6 = "dwengine.exe"
7 = "spiderui.exe"
8 = "acs.exe"
9 = "op_mon.exe"
10 = "klnagent.exe"
11 = "egui.exe"
12 = "sched.exe"
13 = "avgnt.exe"
14 = "avguard.exe"
15 = "guardgui.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
LowRiskFileTypes = ".exe;.bat;.reg;.scr;"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
SaveZoneInformation = "1"
5. If necessary, restore the values of the following system registry keys:
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoFolderoptions" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun" = "1"
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StardardProfile]
"DisableNotifications" = "1"
"DoNotAllowExceptions" = "0"
"enableFirewall" = "0"
[HKCU\Control Panel\Desktop]
"ScreenSaveActive" = "1"
"ScreenSaveTimeOut" = "100"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
"ShowSuperHidden" = "0"
"HideFileExt" = "1"
6. Restore the original contents of the files:
%System%\drivers\etc\hosts
%System%\dllcache\hosts
7. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).
8. Perform a full system scan with an antivirus with updated databases.
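Added example, not from the original description or the trojan's own code: a Python check that parses a .reg export and reports the persistence and policy values named in the Payload section and in steps 4 and 5 above, so that a cleanup can be verified from an exported hive rather than by eye. The sample export, the assumed %System% path (C:\WINDOWS\system32) and the indicator list are constructed for this example.

```python
# Constructed .reg-style export containing the values this description
# attributes to the trojan (paths assume %System% = C:\WINDOWS\system32).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Intel Audio Driver"="C:\\WINDOWS\\system32\\config\\lsass.exe"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\Default.scr"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"""

# (key-path suffix, value name, predicate on the decoded data); suffix
# matching keeps the check independent of hive prefix and letter case.
INDICATORS = [
    ("currentversion\\run", "Intel Audio Driver",
     lambda d: str(d).lower().endswith("config\\lsass.exe")),
    ("control panel\\desktop", "SCRNSAVE.EXE",
     lambda d: str(d).lower().endswith("default.scr")),
    ("policies\\explorer", "DisallowRun", lambda d: d == 1),
    ("firewallpolicy\\standardprofile", "EnableFirewall", lambda d: d == 0),
]

def parse_reg(text):
    """Parse a .reg export into {key: {name: data}} (dwords become ints)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            else:
                # .reg strings double every backslash; undo that here.
                data = data.strip('"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys

def find_indicators(text):
    """Return (key, value name) pairs whose data matches the trojan's edits."""
    hits = []
    for key, values in parse_reg(text).items():
        for suffix, name, match in INDICATORS:
            if key.endswith(suffix) and name in values and match(values[name]):
                hits.append((key, name))
    return hits
```

An empty result after cleanup means none of the listed values still carry the trojan's settings; the SafeBoot branches the trojan deletes must be checked for presence separately, since a missing key produces no line in an export.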