Trojan.PWS.Siggen2.3788

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '949742095' = '<LS_APPDATA>\gwu.exe'

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Update

blocks the following features:

Windows Security Center

Searches for registry branches where third party applications store passwords:

[<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
[<HKCU>\Software\BPFTP]
[<HKCU>\Software\TurboFTP]
[<HKCU>\Software\Sota\FFFTP]
[<HKCU>\Software\Sota\FFFTP\Options]
[<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
[<HKCU>\Software\FTPWare\COREFTP\Sites]
[<HKCU>\Software\VanDyke\SecureFX]
[<HKCU>\Software\Cryer\WebSitePublisher]
[<HKCU>\Software\ExpanDrive\Sessions]
[<HKLM>\Software\NCH Software\ClassicFTP\FTPAccounts]
[<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
[<HKCU>\SOFTWARE\NCH Software\Fling\Accounts]
[<HKLM>\SOFTWARE\NCH Software\Fling\Accounts]
[<HKCU>\Software\FTPClient\Sites]
[<HKLM>\Software\FTPClient\Sites]
[<HKCU>\Software\SoftX.org\FTPClient\Sites]
[<HKLM>\Software\SoftX.org\FTPClient\Sites]
[<HKCU>\Software\Martin Prikryl]
[<HKLM>\Software\Martin Prikryl]
[<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Options]
[<HKCU>\Software\South River Technologies\WebDrive\Connections]
[<HKCU>\Software\BPFTP\Bullet Proof FTP\Options]
[<HKCU>\Software\BPFTP\Bullet Proof FTP\Main]
[<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
[<HKCU>\Software\Ghisler\Windows Commander]
[<HKCU>\Software\Ghisler\Total Commander]
[<HKLM>\Software\Ghisler\Windows Commander]
[<HKLM>\Software\Ghisler\Total Commander]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar]
[<HKCU>\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar]
[<HKCU>\Software\FlashFXP\3]
[<HKCU>\Software\FlashFXP]
[<HKLM>\Software\FlashFXP\3]
[<HKLM>\Software\FlashFXP]
[<HKCU>\Software\FileZilla]
[<HKCU>\Software\FileZilla Client]
[<HKLM>\Software\FileZilla]
[<HKLM>\Software\FileZilla Client]
[<HKCU>\Software\BulletProof Software\BulletProof FTP Client\Main]
[<HKLM>\Software\South River Technologies\WebDrive\Connections]

Modifies file system:

Creates the following files:

%TEMP%\iil1.tmp
%TEMP%\djyy.exe
%TEMP%\iilA.tmp
%HOMEPATH%\Templates\qdiu.exe
<LS_APPDATA>\cpwv.exe
%TEMP%\iilB.tmp
%ALLUSERSPROFILE%\Application Data\nxcr.exe
%TEMP%\iilC.tmp
%TEMP%\vwgh.exe
%TEMP%\iilD.tmp
%HOMEPATH%\Templates\xvhr.exe
%TEMP%\iilE.tmp
%TEMP%\iilF.tmp
%TEMP%\iil10.tmp
<LS_APPDATA>\n88kou6fl7n8y
%ALLUSERSPROFILE%\Application Data\n88kou6fl7n8y
%ALLUSERSPROFILE%\Application Data\igne.exe
%TEMP%\n88kou6fl7n8y
%TEMP%\iil9.tmp
%HOMEPATH%\Templates\ggvg.exe
%TEMP%\iil2.tmp
%TEMP%\iil3.tmp
%TEMP%\iil4.tmp
%TEMP%\iil5.tmp
%TEMP%\iil6.tmp
%TEMP%\iil7.tmp
%TEMP%\iil8.tmp
<LS_APPDATA>\gwu.exe
<LS_APPDATA>\dxdm.exe
%ALLUSERSPROFILE%\Application Data\xoud.exe
%TEMP%\pkgy.exe
%HOMEPATH%\Templates\gajd.exe
<LS_APPDATA>\rdhi.exe
%ALLUSERSPROFILE%\Application Data\bnbu.exe
%TEMP%\iwtc.exe
<LS_APPDATA>\lxcb.exe
%HOMEPATH%\Templates\n88kou6fl7n8y

Deletes the following files:

%TEMP%\iil1.tmp
%TEMP%\iilF.tmp
%TEMP%\iilE.tmp
%TEMP%\iilD.tmp
%TEMP%\iilC.tmp
%TEMP%\iilB.tmp
%TEMP%\iilA.tmp
%TEMP%\iil10.tmp
%TEMP%\iil9.tmp
%TEMP%\iil7.tmp
%TEMP%\iil6.tmp
%TEMP%\iil5.tmp
%TEMP%\iil4.tmp
%TEMP%\iil3.tmp
%TEMP%\iil2.tmp
%TEMP%\iil8.tmp
<Full path to file>

Network activity:

Connects to:

'dy###owid.com':80
'gi####fopupygy.com':80
'bi###ebij.com':80
'ma####vadorode.com':80
'qu###ewyqa.com':80
'ko####lepehavy.com':80
'me####pulafod.com':80
'ko###inamu.com':80
'wu####litezum.com':80
'he####bufusoz.com':80
'di####mydupi.com':80
'vu###uzuxil.com':80
'ce####zugyky.com':80
'ro###ymici.com':80
'ly####fotoqy.com':80
'so###yzev.com':80
'wu###omovom.com':80
'xe####kawuhady.com':80
'so###urepu.com':80
'vo####dacyfyki.com':80
'zo###ymiz.com':80
'qa####pojewiv.com':80
'nu####jilamipu.com':80
'vu####hevixaf.com':80
'se####wytuzek.com':80
'lo###ejav.com':80
'bo####lawiqo.com':80
'vi###oxis.com':80
'co####tijixik.com':80
'xo####mevotequ.com':80

TCP:

HTTP GET requests:

http://dy###owid.com/1003000312
http://gi####fopupygy.com/1003000312
http://bi###ebij.com/1003000312
http://ma####vadorode.com/1003000312
http://qu###ewyqa.com/1003000312
http://ko####lepehavy.com/1003000312
http://me####pulafod.com/1003000312
http://ko###inamu.com/1003000312
http://wu####litezum.com/1003000312
http://he####bufusoz.com/1003000312
http://di####mydupi.com/1003000312
http://vu###uzuxil.com/1003000312
http://ce####zugyky.com/1003000312
http://ro###ymici.com/1003000312
http://ly####fotoqy.com/1003000312
http://so###yzev.com/1003000312
http://wu###omovom.com/1003000312
http://xe####kawuhady.com/1003000312
http://so###urepu.com/1003000312
http://vo####dacyfyki.com/1003000312
http://zo###ymiz.com/1003000312
http://qa####pojewiv.com/1003000312
http://nu####jilamipu.com/1003000312
http://vu####hevixaf.com/1003000312
http://se####wytuzek.com/1003000312
http://lo###ejav.com/1003000312
http://bo####lawiqo.com/1003000312
http://vi###oxis.com/1003000312
http://co####tijixik.com/1003000312
http://xo####mevotequ.com/1003000312

UDP:

DNS ASK dy###owid.com
DNS ASK gi####fopupygy.com
DNS ASK bi###ebij.com
DNS ASK ma####vadorode.com
DNS ASK qu###ewyqa.com
DNS ASK ko####lepehavy.com
DNS ASK me####pulafod.com
DNS ASK ko###inamu.com
DNS ASK wu####litezum.com
DNS ASK he####bufusoz.com
DNS ASK di####mydupi.com
DNS ASK vu###uzuxil.com
DNS ASK ce####zugyky.com
DNS ASK ro###ymici.com
DNS ASK ly####fotoqy.com
DNS ASK so###yzev.com
DNS ASK wu###omovom.com
DNS ASK xe####kawuhady.com
DNS ASK so###urepu.com
DNS ASK vo####dacyfyki.com
DNS ASK zo###ymiz.com
DNS ASK qa####pojewiv.com
DNS ASK nu####jilamipu.com
DNS ASK vu####hevixaf.com
DNS ASK se####wytuzek.com
DNS ASK lo###ejav.com
DNS ASK bo####lawiqo.com
DNS ASK vi###oxis.com
DNS ASK co####tijixik.com
DNS ASK xo####mevotequ.com

Miscellaneous:

Searches for the following windows:

ClassName: 'g' WindowName: 'mo'

Creates and executes the following:

'<LS_APPDATA>\gwu.exe' -gav <Full path to file>

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial