Wednesday, March 28, 2007

Trojan.Optimizer.B

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
CVE References: CVE-2003-0111, CVE-2005-4560, CVE-2006-0005, CVE-2006-3866, CVE-2006-4868, CVE-2006-6121

Trojan.Linkoptimizer.B is a generic detection for a family of Trojan horse programs that download dialer components, display pop-up advertisements and attempt to prevent removal by blocking security-related applications.

It has been reported that variants of Trojan.Linkoptimizer.B may be installed by visiting several different malicious Web sites while making legitimate searches on some popular search engines.

The initial domains returned by search engines may redirect users to other .com domains with random names which host different browser exploits.

Variants of Trojan.Linkoptimizer.B are installed by exploiting browser vulnerabilities including the following:
Microsoft Java Virtual Machine Bytecode Verifier Vulnerability (Security Focus Bugtraq ID 6221)
Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (Security Focus Bugtraq ID 16644)
Microsoft WMF Remote Code Execution Vulnerability (Security Focus Bugtraq ID 16074)
Microsoft Internet Explorer VML Remote Code Execution Vulnerability (Security Focus Bugtraq ID 20096)
Acer LunchApp.APlunch ActiveX Control Remote Code Execution Vulnerability (Security Focus Bugtraq ID 21207)

NOTE: At the time of writing, it has been reported that the installation of Trojan.Linkoptimizer.B and its variants works only for users with Italian IP addresses.

The exploits drop an executable file in the following folder:
%Temp%\[RANDOM NAME1].exe

Once executed, the variants of Trojan.Linkoptimizer.B create the following mutexes to ensure that only one copy of the threat is running on the compromised computer:
_x_mgr_
_x_hlp_

The variants may check whether a modem is installed on the compromised computer by retrieving the Remote Access devices and checking for the presence of one of the following strings, terminating if neither is found:
modem
isdn

It may create the following registry entries so that the threat is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[8 RANDOM LETTERS].[EXT]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[FIXPART1][FIXPART2].exe"

NOTE: The security permissions of these keys are modified so that Administrator users will not be able to remove or change them.
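The Image File Execution Options "Debugger" value on explorer.exe is the persistence point described above, and it survives in a registry export even when the modified key permissions stop an administrator from deleting it. The following is an added detection example, not code from the writeup: it scans a constructed .reg export for IFEO subkeys that set a Debugger value.

```python
import re

# Constructed sample of a .reg export of the IFEO key (not from a real machine).
# explorer.exe carries a "Debugger" value pointing at an eight-letter file in
# %System%, matching the pattern in the writeup; the other subkeys are benign.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\qwertyui.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"=dword:00000001
'''

# Matches a subkey line under IFEO and captures the image name (e.g. explorer.exe).
IFEO_SUBKEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\([^\]\\]+)\]$",
    re.IGNORECASE,
)
# Matches a REG_SZ "Debugger" value line as written by regedit exports.
DEBUGGER_VALUE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def find_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_path} for every IFEO subkey that sets Debugger."""
    hits = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = IFEO_SUBKEY.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = DEBUGGER_VALUE.match(line)
        if m and current:
            # .reg files double backslashes and escape quotes; undo that.
            hits[current] = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return hits


def explorer_hijacked(reg_text):
    """True when explorer.exe has a Debugger set; no normal configuration does this."""
    return "explorer.exe" in find_ifeo_debuggers(reg_text)
```

Any Debugger path this returns is also the location of the dropped copy, which the permission and lock tricks below try to keep you from touching.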

The variants reportedly may create some of the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"

It may create some of the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\ShockPlayer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\[5 RANDOM LETTERS]

The Trojan variants attempt to resolve the following domain:
aondskwje.com

NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.

The variants may try to download the following encrypted file:
[http://]196.238.242.23/view/logo[REMOVED]
csr
ctf
drv
dsk
hlp
lsa
man
mod
mon
net
sql
srv
svc
sys
tsk
upd
win

While copying itself into the %System% folder, the variant appends a variable amount of random data to itself and patches the security permissions of the file. It then locks the file so that the malicious file cannot be accessed, deleted or renamed.

If the operating system is Windows XP, 2000 or 2003, the variants may start the Task Scheduler service and add the following task in order to run when Windows starts:
Run: %System%\[FIXED_STRING][5 RANDOM LETTERS].exe
Run as: NT AUTHORITY\System
Schedule: At System Startup

The task is saved in the following file and has the security permissions set to prevent removal.
%Windir%\Tasks\[5 RANDOM LETTERS].job

Next, the Trojan variants attempt to resolve one of the following domains:
itqoipyqsq.com
addwjf6zoy.com
c5ehm8fp.com

NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.

The Trojan variant tries to download the following encrypted file:
[http://]85.255.115.133/styles/deskt[REMOVED]

NOTE: At the time of writing the file is downloaded only if the compromised machine has an Italian IP address. It has been observed that non-Italian IP addresses get a 500 error message from the remote Web server.

The downloaded file may install multiple dialer components that will dial high-cost numbers.

The Trojan.Linkoptimizer.B variant checks for the presence of debuggers or monitoring tools. It will not run on computers running in a VMware environment or with any of the following drivers active:
SIWVIDSTART - Numega SoftICE Debugger
FILEMON - Sysinternals Filemon
REGMON - Sysinternals Regmon
PROCMON - Sysinternals Procmon

It may inject a thread into EXPLORER.EXE that attempts to terminate any program which has the following text in its window title:
antidialer
avenger
avz antiviral
catchme
ccleaner
dumphive
gmer
hardware upgrade forum
hijackthis
listdlls
p2p forum italia
pjf(ustc)
restore ssdt
runalyzer
silent runners
suspectfile
swreg
Systemscan
unhook selected
unlockerassistant

It may create a copy of itself with one of the following names:
%System%\[8 RANDOM LETTERS].[EXT]
%System%\[FIXPART1][FIXPART2].exe

[EXT] is one of the following strings:
bak
dat
log
old
tmp
txt
ver

[FIXPART1] is one of the following strings:
admin
auto
boot
cfg
chat
defrag
demo
dump
edit
key
note
office
power
reg
run
set
sys
sys32
System
task
video
win
win32

[FIXPART2] is one of the following strings:
audit
backup
cache
check
clean
config
control
debug
event
find
info
init
load
lookup
mode
notify
setup
stat
tray
viewer
wizard
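The [FIXPART1][FIXPART2].exe scheme above is a closed set of 483 names, so it can be matched exactly; the eight-random-letter form with a .dat/.log/.tmp style extension is far too broad on its own, so it is only worth reporting when the IFEO Debugger value points at that file. The following is an added example (not the writeup's own code) that applies both rules to a constructed %System% listing.

```python
import itertools
import re

# Name fragments exactly as listed in the writeup.
FIXPART1 = ("admin auto boot cfg chat defrag demo dump edit key note office power "
            "reg run set sys sys32 system task video win win32").split()
FIXPART2 = ("audit backup cache check clean config control debug event find info "
            "init load lookup mode notify setup stat tray viewer wizard").split()
EXT = ("bak", "dat", "log", "old", "tmp", "txt", "ver")

# All [FIXPART1][FIXPART2].exe combinations: 23 * 21 = 483 names.
COMBINED_NAMES = frozenset(f"{a}{b}.exe" for a, b in itertools.product(FIXPART1, FIXPART2))
# [8 RANDOM LETTERS].[EXT] form.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(%s)$" % "|".join(EXT), re.IGNORECASE)


def classify(filename):
    """Return 'combined', 'random' or None for a bare file name from %System%."""
    name = filename.lower()
    if name in COMBINED_NAMES:
        return "combined"
    if RANDOM_NAME.match(name):
        return "random"
    return None


def suspicious_entries(listing, ifeo_debugger=None):
    """Return [(name, kind)] for a %System% listing.

    'combined' names are reported unconditionally. 'random' names are reported
    only when ifeo_debugger (the Debugger path from the IFEO explorer.exe key
    in the registry entries above) names that same file, to avoid flagging the
    many benign eight-letter .dat/.log/.tmp files a system folder contains.
    """
    referenced = ifeo_debugger.lower().rsplit("\\", 1)[-1] if ifeo_debugger else None
    hits = []
    for f in listing:
        kind = classify(f)
        if kind == "combined" or (kind == "random" and f.lower() == referenced):
            hits.append((f, kind))
    return hits


# Constructed sample listing, not taken from a real machine.
SAMPLE_LISTING = ["kernel32.dll", "syscheck.exe", "qwertyui.dat", "abcdefgh.log", "notepad.exe"]
```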

Variants of Trojan.Linkoptimizer.B carry XML configuration data that can be updated from a remote site and that allows the variant to download or install multiple dialer components. The configuration data that can be updated includes high-cost numbers to dial with the following prefixes:
899
00881

The variant will also use the updated configuration data to contact one of the following URLs:
[http://]www.webcont.net/CONTENTS/adul[REMOVED]
[http://]www.keycont.net/CONTENTS/audl[REMOVED]

Updated configuration data will also include valid account information for the URLs dialed.

Writeup By: Elia Florio