Discovered: February 3, 2004
Updated: February 13, 2007 12:17:03 PM
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Hostidel.Trojan.C is executed, it performs the following actions:
- Creates the following files:
  - %Windir%\Msto32.dll
  - %Windir%\Svchost.exe
  - %System%\Wmini.exe
  - %System%\Svchosts.exe
Notes:
- %Windir% is a variable: The Trojan locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
- %System% is a variable: The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates the %Windir%\Sysini.ini file, which contains the following text:
  ***Computer was success infected***
- Creates the folder %System%\Etcf.
- Adds the following value:
  "Online Service"="%Windir%\svchost.exe"
  to the registry key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  so that the Trojan runs when you start Windows.
- Adds the following registry key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Msrtur
- Logs the running processes and installed applications in %Windir%\Sysini.ini.
- Installs a keylogger, Msto32.dll, which logs information to Sysini.ini.
- Starts Svchosts.exe (Trojan.Daemonize) on a random port.
- Sends a request to http:/ /i800.ruweb.net/prx/command.php. The HTTP request contains the information required to log into Trojan.Daemonize, including the port number, IP address, and user name.
- Periodically updates itself from a file on http:/ /i800.ruweb.net and uploads Sysini.ini to an FTP server on the same site.
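The file and registry indicators above can be turned into a host triage check. The following Python is an added example, not part of the original writeup: it expands %Windir% and %System% using the default folders given in the Notes, matches a constructed host snapshot (file list plus Run-key values) against the dropped files and the "Online Service" Run value, and deliberately leaves the legitimate svchost.exe in %System% alone, since only the copy directly under %Windir% belongs to the Trojan.

```python
# Default folder locations per Windows family, as given in the Notes above.
DEFAULTS = {
    "9x": {"windir": r"C:\Windows", "system": r"C:\Windows\System"},
    "nt": {"windir": r"C:\Winnt", "system": r"C:\Winnt\System32"},
    "xp": {"windir": r"C:\Windows", "system": r"C:\Windows\System32"},
}

# Files the Trojan drops, plus the Sysini.ini log it writes.
DROPPED_FILES = [
    r"%Windir%\Msto32.dll", r"%Windir%\Svchost.exe", r"%Windir%\Sysini.ini",
    r"%System%\Wmini.exe", r"%System%\Svchosts.exe",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("Online Service", r"%Windir%\svchost.exe")


def expand(path, family):
    """Substitute %Windir% and %System% for the given Windows family."""
    d = DEFAULTS[family]
    return path.replace("%Windir%", d["windir"]).replace("%System%", d["system"])


def check_host(files, run_values, family):
    """Return (kind, detail) tuples for every indicator found in a snapshot.

    files:      iterable of full paths present on the host
    run_values: {registry_key: {value_name: value_data}}
    Matching is case-insensitive, as Windows path lookups are.
    """
    present = {f.lower() for f in files}
    hits = [("file", expand(f, family)) for f in DROPPED_FILES
            if expand(f, family).lower() in present]
    # The legitimate svchost.exe lives in %System%; a copy directly under
    # %Windir% and a Run value pointing at it are what mark the Trojan.
    name, data = RUN_VALUE
    observed = run_values.get(RUN_KEY, {}).get(name)
    if observed and observed.lower() == expand(data, family).lower():
        hits.append(("run_value", f"{name}={observed}"))
    return hits


# Constructed snapshot of an infected XP host (sample data, not real telemetry).
SAMPLE_FILES = [
    r"C:\WINDOWS\msto32.dll", r"C:\WINDOWS\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",  # legitimate copy, must not match
    r"C:\WINDOWS\system32\wmini.exe",
]
SAMPLE_RUN = {RUN_KEY: {"Online Service": r"C:\WINDOWS\svchost.exe"}}
```

On the sample snapshot check_host(SAMPLE_FILES, SAMPLE_RUN, "xp") reports three dropped files and the Run value, while a host that has only the System32 svchost.exe reports nothing.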
Writeup By: Paul Mangan