Trojan.Ecure.C

Risk Level 1: Very Low

Printer Friendly Page

Discovered: July 7, 2004

Updated: July 7, 2004 9:57:55 AM

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000

Trojan.Ecure.C modifies the Hosts file and Internet Explorer home page so that a compromised system is redirected to predetermined hosts.

When the trojan is executed, it creates the following file, %Windows%\secure.html.

The trojan then alters the Hosts file so that any traffic going to the following URLs is redirected to the local computer:
127.0.0.1 ruworld.com
127.0.0.1 maxxxhosters.com
127.0.0.1 therealsearch.com
127.0.0.1 thumbest-traffic.com
127.0.0.1 600pics.com
127.0.0.1 tonser.4-counter.com
127.0.0.1 free.sinpussy.com
127.0.0.1 hightcalldialer.com
127.0.0.1 bestpornnews.com
127.0.0.1 thumberland.com
127.0.0.1 greg-search.com
127.0.0.1 connect.online-dialer.com
127.0.0.1 0190-dialer.com
127.0.0.1 approvedlinks.com
127.0.0.1 download.buxomatic.com
127.0.0.1 dia.4-counter.com
127.0.0.1 vse-moe.biz
127.0.0.1 crue.global-counter.com
127.0.0.1 line-plus.com
127.0.0.1 porno-links.biz
127.0.0.1 download.tntdialer.com
127.0.0.1 freelivesex.org
127.0.0.1 free3xmatures.com
127.0.0.1 bestpics.net
127.0.0.1 dikai.com
127.0.0.1 world-search.biz
127.0.0.1 1-se.com
127.0.0.1 58q.com
127.0.0.1 aifind.cc
127.0.0.1 aifind.info
127.0.0.1 allneedsearch.com
127.0.0.1 auto.ie.searchforge.com
127.0.0.1 awebfind.biz
127.0.0.1 best.royalsearch.net
127.0.0.1 cracks.am
127.0.0.1 default-homepage-network.com
127.0.0.1 find.microgirls.com
127.0.0.1 find4u.net
127.0.0.1 freshvideogals.com
127.0.0.1 i-lookup.com
127.0.0.1 ie-search.com
127.0.0.1 in.webcounter.cc
127.0.0.1 itseasy.us
127.0.0.1 just.find-itnow.com
127.0.0.1 link.startmake.com
127.0.0.1 mysearchnow.com
127.0.0.1 nativehardcore.com
127.0.0.1 qwertysearch123.biz
127.0.0.1 search.ieplugin.com
127.0.0.1 search.psn.cn
127.0.0.1 searchbar.findthewebsiteyouneed.com
127.0.0.1 searchcentrix.com
127.0.0.1 searchmyrequest.com
127.0.0.1 super-spider.com
127.0.0.1 t.rack.cc
127.0.0.1 teen-biz.com
127.0.0.1 teenhqpics.com
127.0.0.1 tits.hardcore4ever.net
127.0.0.1 webcoolsearch.com
127.0.0.1 wmmse.com
127.0.0.1 008i.com
127.0.0.1 2fastsearch.net
127.0.0.1 8095.com
127.0.0.1 alfa-search.com
127.0.0.1 boredlife.com
127.0.0.1 couldnotfind.com
127.0.0.1 cracks.am
127.0.0.1 daum.net
127.0.0.1 dreamwiz.com
127.0.0.1 find-itnow.com
127.0.0.1 find4u.net
127.0.0.1 firstbookmark.com
127.0.0.1 gajai.com
127.0.0.1 hand-book.com
127.0.0.1 hao123.com
127.0.0.1 hotsearchbox.com
127.0.0.1 hotwebsearch.com
127.0.0.1 hugesearch.net
127.0.0.1 iquicksearch.com
127.0.0.1 lookfor.cc
127.0.0.1 naver.com
127.0.0.1 nkvd.us
127.0.0.1 novafuck.com
127.0.0.1 ohcorea.com
127.0.0.1 omega-search.com
127.0.0.1 onet.pl
127.0.0.1 power-search.info
127.0.0.1 rightfinder.net
127.0.0.1 search-1.net
127.0.0.1 search-and-go.com
127.0.0.1 search-dot.com
127.0.0.1 search-space.com
127.0.0.1 searchforge.com
127.0.0.1 searching-the-net.com
127.0.0.1 searchv.com
127.0.0.1 searchxl.com
127.0.0.1 seznam.cz
127.0.0.1 slotch.com
127.0.0.1 spidersearch.com
127.0.0.1 startium.com
127.0.0.1 ttjj.com
127.0.0.1 viewpornkey.com
127.0.0.1 wazzupnet.com
127.0.0.1 websearch.com
127.0.0.1 windowws.cc
127.0.0.1 xgmm.com
127.0.0.1 xwebsearch.biz
127.0.0.1 yourbookmarks.ws
127.0.0.1 collections.inhost.info
127.0.0.1 collections.inhost2.info
127.0.0.1 www.ruworld.com
127.0.0.1 www.maxxxhosters.com
127.0.0.1 www.therealsearch.com
127.0.0.1 www.thumbest-traffic.com
127.0.0.1 www.600pics.com
127.0.0.1 www.hightcalldialer.com
127.0.0.1 www.bestpornnews.com
127.0.0.1 www.thumberland.com
127.0.0.1 www.greg-search.com
127.0.0.1 www.0190-dialer.com
127.0.0.1 www.approvedlinks.com
127.0.0.1 www.vse-moe.biz
127.0.0.1 www.line-plus.com
127.0.0.1 www.porno-links.biz
127.0.0.1 www.freelivesex.org
127.0.0.1 www.free3xmatures.com
127.0.0.1 www.bestpics.net
127.0.0.1 www.dikai.com
127.0.0.1 www.world-search.biz
127.0.0.1 www.1-se.com
127.0.0.1 www.58q.com
127.0.0.1 www.aifind.cc
127.0.0.1 www.aifind.info
127.0.0.1 www.allneedsearch.com
127.0.0.1 www.awebfind.biz
127.0.0.1 www.cracks.am
127.0.0.1 www.default-homepage-network.com
127.0.0.1 www.find4u.net
127.0.0.1 www.freshvideogals.com
127.0.0.1 www.i-lookup.com
127.0.0.1 www.ie-search.com
127.0.0.1 www.itseasy.us
127.0.0.1 www.mysearchnow.com
127.0.0.1 www.nativehardcore.com
127.0.0.1 www.qwertysearch123.biz
127.0.0.1 www.searchcentrix.com
127.0.0.1 www.searchmyrequest.com
127.0.0.1 www.super-spider.com
127.0.0.1 www.teen-biz.com
127.0.0.1 www.teenhqpics.com
127.0.0.1 www.webcoolsearch.com
127.0.0.1 www.wmmse.com
127.0.0.1 www.008i.com
127.0.0.1 www.2fastsearch.net
127.0.0.1 www.8095.com
127.0.0.1 www.alfa-search.com
127.0.0.1 www.boredlife.com
127.0.0.1 www.couldnotfind.com
127.0.0.1 www.cracks.am
127.0.0.1 www.daum.net
127.0.0.1 www.dreamwiz.com
127.0.0.1 www.find-itnow.com
127.0.0.1 www.find4u.net
127.0.0.1 www.firstbookmark.com
127.0.0.1 www.gajai.com
127.0.0.1 www.hand-book.com
127.0.0.1 www.hao123.com
127.0.0.1 www.hotsearchbox.com
127.0.0.1 www.hotwebsearch.com
127.0.0.1 www.hugesearch.net
127.0.0.1 www.iquicksearch.com
127.0.0.1 www.lookfor.cc
127.0.0.1 www.naver.com
127.0.0.1 www.nkvd.us
127.0.0.1 www.novafuck.com
127.0.0.1 www.ohcorea.com
127.0.0.1 www.omega-search.com
127.0.0.1 www.onet.pl
127.0.0.1 www.power-search.info
127.0.0.1 www.rightfinder.net
127.0.0.1 www.search-1.net
127.0.0.1 www.search-and-go.com
127.0.0.1 www.search-dot.com
127.0.0.1 www.search-space.com
127.0.0.1 www.searchforge.com
127.0.0.1 www.searching-the-net.com
127.0.0.1 www.searchv.com
127.0.0.1 www.searchxl.com
127.0.0.1 www.seznam.cz
127.0.0.1 www.slotch.com
127.0.0.1 www.spidersearch.com
127.0.0.1 www.startium.com
127.0.0.1 www.ttjj.com
127.0.0.1 www.viewpornkey.com
127.0.0.1 www.wazzupnet.com
127.0.0.1 www.websearch.com
127.0.0.1 www.windowws.cc
127.0.0.1 www.xgmm.com
127.0.0.1 www.xwebsearch.biz
127.0.0.1 www.yourbookmarks.ws
127.0.0.1 thehun.com
127.0.0.1 www.thehun.com
127.0.0.1 thehun.net
127.0.0.1 www.thehun.net
127.0.0.1 www.yahoo.com
127.0.0.1 yahoo.com
127.0.0.1 www.google.com
127.0.0.1 google.com
127.0.0.1 www.altavista.com
127.0.0.1 altavista.com
127.0.0.1 search.microsoft.com
127.0.0.1 search.msn.com
127.0.0.1 www.msn.com
127.0.0.1 msn.com
127.0.0.1 www.search.com
127.0.0.1 search.com
127.0.0.1 www.teoma.com
127.0.0.1 teoma.com
127.0.0.1 www.alltheweb.com
127.0.0.1 alltheweb.com
127.0.0.1 www.wisenut.com
127.0.0.1 wisenut.com
127.0.0.1 www.dmoz.org
127.0.0.1 dmoz.org
127.0.0.1 www.excite.com
127.0.0.1 excite.com
127.0.0.1 www.lycos.com
127.0.0.1 lycos.com
127.0.0.1 www.hotbot.com
127.0.0.1 hotbot.com
127.0.0.1 www.casino.com
127.0.0.1 casino.com

The trojan adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page=%Windows%\secure.html
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=%Windows%\secure.html
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=%Windows%\secure.html
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page=%Windows%\secure.html
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page=%Windows%\secure.html
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL=%Windows%\secure.html

The following registry entries are also deleted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key2

The trojan also attempts to stop the following processes:
serve.exe
loadclean.exe
loader.exe
runddl.exe
MCUPDATE.EXE
CFIAUDIT.EXE
AVXQUAR.EXE
AUTOUPDATE.EXE
AUTOTRACE.EXE
AUTODOWN.EXE
AUPDATE.EXE
NUPGRADE.EXE
UPDATE.EXE
ICSUPP95.EXE
ICSSUPPNT.EXE
DRWEBUPW.EXE
LUALL.EXE
AVPUPD.EXE
AVWUPD32.EXE
ATUPDATER.EXE

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}