Thursday, September 2, 2010

Virus - P2P-Worm.Win32.BlackControl.g

P2P-Worm.Win32.BlackControl.g
Detected Aug 18 2010 13:59 GMT
Released Aug 18 2010 20:24 GMT
Published Aug 20 2010 09:51 GMT



Technical Details

The malicious program intercepts the user's requests to various sites and redirects them to a malicious URL. It also contains a tool for sending phishing messages. It propagates via e-mail and peer-to-peer networks. It is a Windows PE EXE file, approximately 300 KB in size, written in C++.

Installation
When launched, the Trojan copies its executable file to the Windows system folder.

It also extracts itself and creates an executable file on the hard drive which is also part of the malicious program.

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable files in the following system registry autorun keys.

The Trojan adds its executable file to the Windows firewall list of trusted applications.

The malicious program may also create the following system registry keys in which it stores its configuration data.

Payload

Once the malicious program has installed, it sends an "infection successful" message to the C&C server at the following address

It requests the victim computer’s IP address from the following site to determine its location

The malicious program then tracks the operation of the following browsers:

Internet Explorer
Opera
Google Chrome
Mozilla Firefox

If the user visits a web page with a header containing any of the following words

the program intercepts this request and redirects it to:

http://oxobla***.com/se.php?pop=1&aid=YmxhY2tvdXQA9D8&sid=&key=

The malicious program also tracks all search requests the user sends to any of the following search engines:

google
yahoo
live
msn
bing
youtobe
The search request data is sent to the following URL:

http://tetro***.com/request.php?aid=blackout&ver=25

The malicious program terminates the processes of popular IT security products and antivirus tools, including:


Kaspersky Anti-Virus
Antivirus System Tray Tool
Avira Internet Security
AntiVir PersonalEdition Classic Service
Rising Process Communication Center
It simultaneously deletes information about them from the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
It may block user requests to IT security vendors’ sites.

It disables User Account Control in Windows Vista/7 by setting the following registry values (EnableLUA=0 turns UAC off; UACDisableNotify=1 suppresses the Security Center warning that UAC has been turned off):

[HKLM\SOFTWARE\Microsoft\Security Center]
"UACDisableNotify"=dword:00000001

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
The malicious program also terminates the following services:

ERSvc - Error Reporting Service
wscsvc - Windows Security Center Service

It downloads an update from one of the following URLs:

http://simfree***.com/update.php?sd=2010-04-27&aid=blackout
http://posit***.com/update.php?sd=2010-04-27&aid=blackout
http://rts***.com/update.php?sd=2010-04-27&aid=blackout
http://qul***.com/update.php?sd=2010-04-27&aid=blackout
The new version of the malicious program is downloaded to the file C:\autoexec.exe and launched for execution. The file is then deleted.

At the time of writing these links were inactive.
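The redirect, search-exfiltration and update URLs quoted above share a recognisable shape even with their hostnames masked, which is enough to hunt for this family in a web proxy log. The following is an added example, not code from the original description: the rule table keys on the script path and query parameters shown on the page rather than on domains, the log line format is an assumption, and the sample lines are constructed for the example, with hostnames left masked as they appear above.

```python
"""Added example (not from the original write-up): flag BlackControl.g-style
requests in a web proxy log using only the URL shapes quoted on the page.
Hostnames are masked on the page (oxobla***.com, tetro***.com, ...), so the
rules key on script path and query parameters, not on domains.  The log line
format and SAMPLE_LOG are assumptions constructed for this example."""
from urllib.parse import parse_qs, urlsplit

# (rule name, script path, query values that must match, query keys that must be present)
RULES = [
    # http://oxobla***.com/se.php?pop=1&aid=...&sid=&key=      search-result redirect
    ("redirect", "/se.php", {"pop": "1"}, {"aid", "sid", "key"}),
    # http://tetro***.com/request.php?aid=blackout&ver=25     search-term exfiltration
    ("search_exfil", "/request.php", {"aid": "blackout"}, {"ver"}),
    # http://<host>/update.php?sd=2010-04-27&aid=blackout     update poll (four hosts on the page)
    ("update", "/update.php", {"aid": "blackout"}, {"sd"}),
]


def classify_url(url):
    """Return the name of the first rule the URL matches, or None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)  # sid= and key= are empty on the page
    for name, path, required, present in RULES:
        if not parts.path.lower().endswith(path):
            continue
        values_ok = all(qs.get(k, [None])[0] == v for k, v in required.items())
        if values_ok and present <= set(qs):
            return name
    return None


def scan_proxy_log(lines):
    """Return [(client_ip, rule, url)] for matching lines.
    Assumed line format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        rule = classify_url(fields[3])
        if rule is not None:
            hits.append((fields[1], rule, fields[3]))
    return hits


def hosts_by_rule(hits):
    """Group matches per client: {client_ip: {rule: count}}.  A client that shows
    both 'search_exfil' and 'redirect' exhibits the browser-hooking behaviour above."""
    summary = {}
    for client, rule, _ in hits:
        per_client = summary.setdefault(client, {})
        per_client[rule] = per_client.get(rule, 0) + 1
    return summary


# Constructed sample traffic (not a real capture).  Hosts stay masked as on the page.
SAMPLE_LOG = """\
2010-08-18T13:59:02Z 10.0.0.5 GET http://www.example.com/index.html 200
2010-08-18T13:59:40Z 10.0.0.5 GET http://tetro***.com/request.php?aid=blackout&ver=25 200
2010-08-18T14:00:03Z 10.0.0.5 GET http://oxobla***.com/se.php?pop=1&aid=YmxhY2tvdXQA9D8&sid=&key= 302
2010-08-18T14:05:10Z 10.0.0.7 GET http://simfree***.com/update.php?sd=2010-04-27&aid=blackout 404
2010-08-18T14:06:00Z 10.0.0.9 GET http://shop.example.net/update.php?sd=1&aid=other 200
2010-08-18T14:07:00Z 10.0.0.9 GET http://search.example.org/search?q=update.php 200
"""

if __name__ == "__main__":
    for client, rules in hosts_by_rule(scan_proxy_log(SAMPLE_LOG.splitlines())).items():
        print(client, rules)
```

Matching on the full parameter set rather than on `update.php` alone is what keeps the benign `shop.example.net` and search-engine lines out of the results; a real deployment would add the unmasked hostnames as a second, stronger rule once they are known.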

The malicious program also propagates using peer-to-peer networks by copying itself to the following shared folders:

%ProgramFiles%\winmx\shared\
%ProgramFiles%\tesla\files\
%ProgramFiles%\limewire\shared\
%ProgramFiles%\morpheus\my shared folder\
%ProgramFiles%\emule\incoming\
%ProgramFiles%\edonkey2000\incoming\
%ProgramFiles%\bearshare\shared\
%ProgramFiles%\grokster\my grokster\
%ProgramFiles%\icq\shared folder\
%ProgramFiles%\kazaa lite k++\my shared folder\
%ProgramFiles%\kazaa lite\my shared folder\
%ProgramFiles%\kazaa\my shared folder\
Its copies may have any of the following names:

YouTubeGet 5.6.exe
Youtube Music Downloader 1.3.exe
WinRAR v3.x keygen [by HiXem].exe
Windows2008 keygen and activator.exe
[+ MrKey +] Windows XP PRO Corp SP3 valid-key generator.exe
Windows Password Cracker + Elar3 key.exe
[Eni0j0 team] Windows 7 Ultimate keygen.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe
Website Hacker.exe
[Eni0j0 team] Vmvare keygen.exe
VmWare 7.x keygen.exe
UT 2003 KeyGen.exe
Twitter FriendAdder 2.3.9.exe
Tuneup Ultilities 2010.exe
[antihack tool] Trojan Killer v2.9.4173.exe
Total Commander7 license+keygen.exe
Super Utilities Pro 2009 11.0.exe
Sub7 2.5.1 Private.exe
Sophos antivirus updater bypass.exe
sdbot with NetBIOS Spread.exe
[fixed]RapidShare Killer AIO 2010.exe
Rapidshare Auto Downloader 3.8.6.exe
Power ISO v4.4 + keygen milon.exe
[patched, serial not needed] PDF Unlocker v2.0.5.exe
PDF-XChange Pro.exe
[patched, serial not needed] PDF to Word Converter 3.4.exe
PDF password remover (works with all acrobat reader).exe
Password Cracker.exe
Norton Internet Security 2010 crack.exe
Norton Anti-Virus 2010 Enterprise Crack.exe
Norton Anti-Virus 2005 Enterprise Crack.exe
NetBIOS Hacker.exe
NetBIOS Cracker.exe
[patched, serial not need] Nero 9.x keygen.exe
Myspace theme collection.exe
MSN Password Cracker.exe
Mp3 Splitter and Joiner Pro v3.48.exe
Motorola, nokia, ericsson mobil phone tools.exe
Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
Microsoft Visual Studio KeyGen.exe
Microsoft Visual C++ KeyGen.exe
Microsoft Visual Basic KeyGen.exe
McAfee Total Protection 2010 [serial patch by AnalGin].exe
Magic Video Converter 8.exe
LimeWire Pro v4.18.3 [Cracked by AnalGin].exe
L0pht 4.0 Windows Password Cracker.exe
K-Lite Mega Codec v5.2 Portable.exe
K-Lite Mega Codec v5.2.exe
Keylogger unique builder.exe
Kaspersky Internet Security 2010 keygen.exe
Kaspersky AntiVirus 2010 crack.exe
IP Nuker.exe
Internet Download Manager V5.exe
Image Size Reducer Pro v1.0.1.exe
ICQ Hacker Trial version [brute].exe
Hotmail Hacker [Brute method].exe
Hotmail Cracker [Brute method].exe
Half-Life 2 Downloader.exe
Grand Theft Auto IV [Offline Activation + mouse patch].exe
Google SketchUp 7.1 Pro.exe
G-Force Platinum v3.7.6.exe
FTP Cracker.exe
DVD Tools Nero 10.x.x.x.exe
Download Boost 2.0.exe
Download Accelerator Plus v9.2.exe
Divx Pro 7.x version Keymaker.exe
DivX 5.x Pro KeyGen generator.exe
DCOM Exploit archive.exe
Daemon Tools Pro 4.8.exe
Counter-Strike Serial key generator [Miona patch].exe
CleanMyPC Registry Cleaner v6.02.exe
Brutus FTP Cracker.exe
etc.
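Because the worm drops identical copies of itself into every shared folder it finds, a host-side sweep can combine three signals: the folder list above, the lure file names above, and the same bytes turning up in more than one share. The following is an added example, not code from the original description; the folder list and file names are taken from the page, the lure-word heuristic is an assumption, and the directory tree built by `build_demo_tree()` is constructed so the sweep runs offline.

```python
"""Added example (not part of the original write-up): sweep the P2P shared
folders listed on the page for executables that look like BlackControl.g drops.
SHARE_DIRS and LURE_NAMES come from the page; LURE_WORDS is a heuristic
assumption; build_demo_tree() creates a constructed tree so this runs offline."""
import hashlib
import tempfile
from pathlib import Path

# Share folders the worm copies itself into, relative to %ProgramFiles% (from the page).
SHARE_DIRS = [
    r"winmx\shared", r"tesla\files", r"limewire\shared", r"morpheus\my shared folder",
    r"emule\incoming", r"edonkey2000\incoming", r"bearshare\shared",
    r"grokster\my grokster", r"icq\shared folder", r"kazaa lite k++\my shared folder",
    r"kazaa lite\my shared folder", r"kazaa\my shared folder",
]

# A few of the file names the page lists; extend from the full list as needed.
LURE_NAMES = {
    "YouTubeGet 5.6.exe",
    "Kaspersky AntiVirus 2010 crack.exe",
    "Brutus FTP Cracker.exe",
    "DCOM Exploit archive.exe",
    "Sub7 2.5.1 Private.exe",
}

# Words that recur across the page's lure names (assumption: indicative, not proof).
LURE_WORDS = ("keygen", "crack", "hacker", "activator", "password", "exploit")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_shares(program_files):
    """Return {relative_path: [reasons]} for suspicious .exe files in the share folders.
    Reasons: exact lure name, lure-style name, or the same bytes present in
    several share folders (the worm writes one identical copy into each)."""
    root = Path(program_files)
    candidates = []  # (relative path, reasons, digest)
    by_digest = {}   # digest -> number of share folders containing that content
    for rel in SHARE_DIRS:
        share = root.joinpath(*rel.split("\\"))
        if not share.is_dir():
            continue
        digests_here = set()
        for f in sorted(share.iterdir()):
            if not f.is_file() or f.suffix.lower() != ".exe":
                continue
            reasons = []
            if f.name in LURE_NAMES:
                reasons.append("known lure name")
            elif any(w in f.name.lower() for w in LURE_WORDS):
                reasons.append("lure-style name")
            digest = sha256_file(f)
            digests_here.add(digest)
            candidates.append((f.relative_to(root).as_posix(), reasons, digest))
        for d in digests_here:
            by_digest[d] = by_digest.get(d, 0) + 1

    findings = {}
    for relpath, reasons, digest in candidates:
        copies = by_digest[digest]
        if copies >= 2:
            reasons.append(f"identical copy in {copies} share folders")
        if reasons:
            findings[relpath] = reasons
    return findings


def build_demo_tree():
    """Constructed sample tree (no real malware): two identical lure-named files,
    one crack-named file, one benign installer and one text file."""
    root = Path(tempfile.mkdtemp(prefix="blackcontrol_demo_"))
    worm = b"MZ" + b"\x00" * 300  # placeholder bytes standing in for the dropper
    files = {
        r"limewire\shared\YouTubeGet 5.6.exe": worm,
        r"emule\incoming\YouTubeGet 5.6.exe": worm,
        r"bearshare\shared\Photoshop CS4 crack.exe": b"MZ" + b"\x01" * 64,
        r"kazaa\my shared folder\Some Game Setup.exe": b"MZ" + b"\x02" * 64,
        r"winmx\shared\readme.txt": b"not an executable",
    }
    for rel, data in files.items():
        p = root.joinpath(*rel.split("\\"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    for path, why in sweep_shares(build_demo_tree()).items():
        print(path, "->", "; ".join(why))
```

On a real machine pass the actual `%ProgramFiles%` path; the same-hash signal is the one worth keeping even when the lure-name list goes stale, since a legitimate user rarely places byte-identical executables in several different clients' share folders.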
