NTRootKit-H

Type: Trojan
SubType: Trojan
Discovery Date: 02/02/2005
Length: Varies
Minimum DAT: 4406 (11/10/2004)
Updated DAT: 5348 (07/28/2008)
Minimum Engine: 5.2.00
Description Added: 11/10/2004
Description Modified: 08/13/2008 12:52 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Infection

This trojan arrives as a file downloaded from the following Web site:
http://{removed}dalqik.ru/offshore/denis.exe


Installation and Autostart

Upon execution, this trojan drops a copy of itself in the system folder as ntos.exe. It then appends extra code to the end of the dropped copy so that its hash differs from the original and signature-based detection is harder.

It modifies the following registry entry to enable its automatic execution at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit = "%System%\Userinit.exe,%System%\ntos.exe,"

(Note: The default value data of the above registry entry is %System%\Userinit.exe,. %System% is the Windows system folder, which is usually C:\WINNT\System32 or C:\Windows\System32.)


It also creates the following registry entries as part of its installation routine:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    UID: "{computer name}_{random numbers}"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{60A8C15A-6EAE-3FE9-357B-96DB4F66803C}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall: 0x00000000

This trojan also creates remote threads to inject itself into the legitimate processes (winlogon.exe and svchost.exe) to stay memory resident and installs the following API hooks to hide files and monitor system behaviors:

IAT hooks:

  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!LdrLoadDll
  • ntdll.dll!LdrGetProcedureAddress
  • ntdll.dll!NtCreateThread
  • USER32.dll!TranslateMessage
  • USER32.dll!GetClipboardData

This trojan creates the folder %System%\wsnpoem with its attributes set to System and Hidden to prevent users from discovering and removing its components. It then drops the following non-malicious data files in the created folder:

  • audio.dll - the configuration file
  • video.dll - the stolen information
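The persistence and firewall indicators above are easy to check with a script. The following is an added example, not McAfee's code: it takes the registry values and folder attributes as plain Python data so it runs offline (on a live Windows host the caller would read them with winreg and os.stat, which is assumed and not shown) and reports which of the advisory's host indicators are present.

```python
# Added example (not from the McAfee advisory): reports which of the registry
# and folder indicators listed above are present. Registry values and folder
# attributes are supplied as plain Python data so the check runs offline; on a
# live Windows host the caller would read them with winreg / os.stat (assumed).

# Stock value of the Winlogon Userinit entry, as given in the advisory.
DEFAULT_USERINIT = r"%System%\Userinit.exe,"
# Folder the trojan creates with the System and Hidden attributes set.
WSNPOEM_DIR = r"%System%\wsnpoem"

# HKLM-relative value paths used as dictionary keys below.
USERINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
FIREWALL_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\EnableFirewall")
UID_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID"


def parse_userinit(value):
    """Split the comma-separated Userinit string into its non-empty entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def unexpected_userinit_entries(value, system_dir=r"C:\Windows\System32"):
    """Return every Userinit entry other than the stock userinit.exe.

    Winlogon runs each listed program at logon, so any extra entry is a
    persistence mechanism. Matching is case-insensitive because both the
    registry and NTFS paths are.
    """
    expected = DEFAULT_USERINIT.replace("%System%", system_dir).rstrip(",").lower()
    return [e for e in parse_userinit(value) if e.lower() != expected]


def check_registry(values, system_dir=r"C:\Windows\System32"):
    """values: dict mapping the HKLM-relative value paths above to observed data.

    Returns human-readable findings; an empty list means none of the
    advisory's registry indicators is present.
    """
    findings = []
    extra = unexpected_userinit_entries(values.get(USERINIT_KEY, ""), system_dir)
    if extra:
        findings.append("Userinit starts extra programs at logon: " + ", ".join(extra))
    if values.get(FIREWALL_KEY) == 0:
        findings.append("Windows Firewall standard profile disabled (EnableFirewall = 0)")
    if UID_KEY in values:
        findings.append("Bot identifier present: Network\\UID = %r" % values[UID_KEY])
    return findings


def check_hidden_folder(listing, system_dir=r"C:\Windows\System32"):
    """listing: dict of folder path -> set of attribute names from a directory walk.

    Flags the wsnpoem folder only when it carries both System and Hidden,
    the combination the advisory describes.
    """
    target = WSNPOEM_DIR.replace("%System%", system_dir).lower()
    for path, attrs in listing.items():
        if path.lower() == target and {"System", "Hidden"} <= set(attrs):
            return ["Hidden system folder present: %s (%s)"
                    % (path, ", ".join(sorted(attrs)))]
    return []


# Constructed sample data modelled on the advisory, not captured from a real host.
INFECTED_REGISTRY = {
    USERINIT_KEY: r"C:\Windows\System32\Userinit.exe,C:\Windows\System32\ntos.exe,",
    FIREWALL_KEY: 0,
    UID_KEY: "WORKSTATION01_48213",
}
CLEAN_REGISTRY = {
    USERINIT_KEY: r"C:\Windows\System32\userinit.exe,",
    FIREWALL_KEY: 1,
}
INFECTED_LISTING = {r"C:\Windows\System32\wsnpoem": {"Directory", "System", "Hidden"}}

if __name__ == "__main__":
    for finding in check_registry(INFECTED_REGISTRY) + check_hidden_folder(INFECTED_LISTING):
        print("FINDING:", finding)
    print("clean host findings:", check_registry(CLEAN_REGISTRY))
```

The Userinit check compares against the stock value rather than looking for ntos.exe by name, so it also catches any other program that has been appended to the logon chain; the folder check requires both attributes because a folder that is merely hidden is common and would produce noise.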


Information Theft

This trojan downloads the encrypted configuration file denis.bin from the following Web site and saves it as %System%\wsnpoem\audio.dll:

http://{removed}dalqik.ru/offshore/denis.bin

Once decrypted, the downloaded configuration file contains the banking-related URLs which this trojan monitors in Internet browser address bars. Note that the contents of the file, and hence the list of Web sites to monitor, may change at any time. Once the user accesses any of the targeted Web sites, this trojan logs keystrokes.

This trojan attempts to steal sensitive online banking information. When a user attempts to access the monitored sites in the configuration file, this trojan captures user input, specifically those entered in the boxes designed for user names and passwords, and saves it in the file %System%\wsnpoem\video.dll.

This trojan sends the file %System%\wsnpoem\video.dll to the following remote site via HTTP POST:

http://{removed}dalqik.ru/offshore/denis.php


Other behaviours:

This trojan was also found to download another executable file (rix.exe) from the following Web site:
http://{removed}rules.ru
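The network indicators given in the Information Theft and Other behaviours sections (the dropper and configuration downloads, the HTTP POST of video.dll, and the rix.exe download) can be matched against proxy logs. The following is an added example, not McAfee's code. The log line format is an assumption, and since the advisory redacts the host part of each URL the matcher keys on the domain suffix the advisory gives; the "redacted-host" labels in the sample lines are placeholders for that removed part.

```python
# Added example (not from the McAfee advisory): scans proxy log lines for the
# download and upload traffic described above. The log format is an assumption:
# "<ISO time> <client ip> <method> <url> <status> <bytes>". The advisory redacts
# the host part of each URL, so matching is done on the domain suffix it gives.
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# (domain suffix, required method or None, exact path or None, filename or None, description)
INDICATORS = [
    ("dalqik.ru", None,   "/offshore/denis.exe", None,      "dropper download (denis.exe)"),
    ("dalqik.ru", None,   "/offshore/denis.bin", None,      "encrypted configuration download (denis.bin)"),
    ("dalqik.ru", "POST", "/offshore/denis.php", None,      "upload of captured credentials (video.dll)"),
    ("rules.ru",  None,   None,                  "rix.exe", "secondary executable download (rix.exe)"),
]


def host_matches(host, domain):
    """True for the domain itself or any subdomain, never for look-alikes such as notdalqik.ru."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def match_indicator(method, url):
    """Return the description of the first indicator the request matches, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    filename = path.rsplit("/", 1)[-1].lower()
    for domain, ioc_method, ioc_path, ioc_file, what in INDICATORS:
        if not host_matches(host, domain):
            continue
        if ioc_method is not None and method != ioc_method:
            continue
        if ioc_path is not None and path.lower() != ioc_path:
            continue
        if ioc_file is not None and filename != ioc_file:
            continue
        return what
    return None


def scan_log(text):
    """Return one hit per matching line: (line number, client, description)."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; ignore
        what = match_indicator(m.group("method"), m.group("url"))
        if what:
            hits.append((number, m.group("client"), what))
    return hits


# Constructed sample log; "redacted-host" stands in for the host part the advisory removed.
SAMPLE_LOG = """\
2005-02-02T09:14:02Z 10.0.0.21 GET http://intranet.example.test/index.html 200 5120
2005-02-02T09:15:40Z 10.0.0.21 GET http://redacted-host.dalqik.ru/offshore/denis.exe 200 61440
2005-02-02T09:15:58Z 10.0.0.21 GET http://redacted-host.dalqik.ru/offshore/denis.bin 200 2048
2005-02-02T09:31:10Z 10.0.0.21 POST http://redacted-host.dalqik.ru/offshore/denis.php 200 310
2005-02-02T09:32:05Z 10.0.0.21 GET http://redacted-host.rules.ru/rix.exe 200 40960
2005-02-02T09:33:00Z 10.0.0.22 GET http://notdalqik.ru/offshore/denis.exe 404 0
2005-02-02T09:34:00Z 10.0.0.22 GET http://redacted-host.dalqik.ru/offshore/denis.php 200 120
"""

if __name__ == "__main__":
    for number, client, what in scan_log(SAMPLE_LOG):
        print("line %d: %s -> %s" % (number, client, what))
```

The POST requirement on denis.php matters: a GET of the same path is not the exfiltration the advisory describes, and the suffix test in host_matches avoids matching look-alike domains that merely end in the same characters. Because the advisory notes the configuration (and so the monitored site list) can change at any time, a sequence of denis.bin fetches from one client over time is itself worth alerting on.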

Symptoms

Presence of previously mentioned files and registry keys/values.
Presence of previously mentioned API hooks.
Presence of previously mentioned network accesses.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

Use the latest engine and DATs.

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

NTRootkit-H is a generic detection for trojans that exhibit stealth behavior and may connect to remote sites.

This trojan arrives as a file downloaded from a certain URL, and it may be installed by Spy-Agent.bw or other trojans. It attempts to steal sensitive online banking information and to send it back to the remote site via HTTP POST.
