BNBSFSD
10-09-2009, 05:48 AM
Virus Detail
Win32/Ertfor.AS
Date Published:
6 Oct 2009

Last Updated:
6 Oct 2009
Threat Assessment
Overall Risk: Very Low
Wild: Low
Destructiveness: Low
Pervasiveness: None

Characteristics
Type : Trojan

Category : Win32

Also known as: Troj/AgtJPP-Gen (Sophos), Generic.dx!faq (McAfee), Packed.Generic.233 (Symantec), Trojan-Downloader.Win32.Agent.cpij (Kaspersky), Trojan:Win32/Ertfor.B (MS OneCare)

Description
Win32/Ertfor.AS is a trojan that downloads other malicious files from the Internet and installs a malicious Browser Helper Object.
Method of Infection
When executed, Win32/Ertfor.AS drops the following files on the system:

%Temp%\cab124647DFW2S39JD.tmp
%System%\tajf83ikdmf.dll

It injects the DLL file into Explorer.exe, in an attempt to hide its presence on the affected system.

Win32/Ertfor.AS also creates the following processes on the system:

%Temp%\ueja73hkjd.exe
%Temp%\<randomname>.exe

Notes:
%Temp% is a variable that refers to the Temporary folder. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ for Windows NT, Windows 2000 and Windows XP. %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Payload
Contacts Web Servers
Win32/Ertfor.AS requests the following URLs from the remote web server:

http://mcsmc.org/xxx/xx.php?id=1CA307CD9B38CC2&ver=d00
http://mcsmc.org/xxx/xxx.php?id=1CA307CD9B38CC2&ver=d03
http://micronetsys.org/xxx/xxx.php?id=1CA307CD9B38CC2&ver=d03
http://mnprfix.cn/xxx/xxx.php?id=1CA307CD9B38CC2&ver=d03

Installs Malicious Browser Helper Object
By creating the following registry keys, the trojan registers the dropped DLL file as a Browser Helper Object in order to execute its DLL component at each system startup:

HKLM\SOFTWARE\Classes\CLSID\{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}\InProcServer32\(Default) = "%System%\tajf83ikdmf.dll"
HKLM\SOFTWARE\Classes\CLSID\{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}\InProcServer32\ThreadingModel = "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}\(Default) = "%System%\tajf83ikdmf.dll"
HKLM\SOFTWARE\Classes\CLSID\{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}\ThreadingModel = "Apartment"

Modifies System Settings
Win32/Ertfor.AS disables the System Restore function by modifying the following registry entry:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR = 0x00000001

Removes Browser Helper Objects
Win32/Ertfor.AS removes an Adobe software Browser Helper Object from the affected system by deleting the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

Modifies Registry Settings
The trojan modifies the following registry keys to run itself as a scheduled task on the system and as a startup service respectively:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{BF56A325-23F2-42AD-F4E4-00AAC39CAA53} = "ghya673gidh87we9inkff"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AntiSpyware Service = "%Temp%\<randomname>.exe"

Logs Keystrokes
The malicious DLL (%System%\tajf83ikdmf.dll) hooked into Explorer.exe could be used to monitor keystrokes on the affected system.