Discovered: March 27, 2007
Updated: May 9, 2007 10:58:41 AM
Also Known As: LinkOptimizer [F-Secure]
Type: Trojan
Infection Length: 6,144 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
Variants of Trojan.Linkoptimizer.B are installed by exploiting browser vulnerabilities including the following:
- Microsoft Java Virtual Machine Bytecode Verifier Vulnerability (Security Focus Bugtraq ID 6221)
- Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (Security Focus Bugtraq ID 16644)
- Microsoft WMF Remote Code Execution Vulnerability (Security Focus Bugtraq ID 16074)
- Microsoft Internet Explorer VML Remote Code Execution Vulnerability (Security Focus Bugtraq ID 20096)
- Acer LunchApp.APlunch ActiveX Control Remote Code Execution Vulnerability (Security Focus Bugtraq ID 21207)
NOTE: At the time of writing, it has been reported that the installation of Trojan.Linkoptimizer.B and its variants works only for users with Italian IP addresses.
The exploits drop an executable file in the following folder:
%Temp%\[RANDOM NAME 1].exe
Once executed, the variants of Trojan.Linkoptimizer.B create the following mutexes to ensure that only one copy of the threat is running on the compromised computer:
The variants may check whether a modem is installed on the compromised computer by retrieving the Remote Access devices and checking for the presence of one of the following strings, terminating if none is found:
It may create the following registry entries so that the threat is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[8 RANDOM LETTERS].[EXT]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[FIXPART1][FIXPART2].exe"
NOTE: The security permissions of these keys are modified so that Administrator users will not be able to remove or change them.
The variants reportedly may create some of the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"
It may create some of the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\ShockPlayer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\[5 RANDOM LETTERS]
The Trojan variants attempt to resolve the following domain:
aondskwje.com
NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.
The variants may try to download the following encrypted file:
[http://]196.238.242.23/view/logo[REMOVED]
The downloaded file is saved to the following location and executed:
%Temp%\[RANDOM NAME3].exe
After the download is completed, the file %Temp%\[RANDOM NAME 1].exe deletes itself.
Next, the installed Trojan variant disables Windows System Restore and copies itself using the following file name:
%System%\[FIXED STRING][5 RANDOM LETTERS].exe
Where [FIXED STRING] is randomly chosen from one of the following strings:
- csr
- ctf
- drv
- dsk
- hlp
- lsa
- man
- mod
- mon
- net
- sql
- srv
- svc
- sys
- tsk
- upd
- win
While copying itself into the %System% folder, the variant appends a variable amount of random data to itself and patches the security permissions of the file. It then locks the file so that the malicious file cannot be accessed, deleted or renamed.
If the operating system is Windows XP, 2000 or 2003, the variants may start the Task Scheduler service and add the following task in order to run when Windows starts:
Run: %System%\[FIXED_STRING][5 RANDOM LETTERS].exe
Run as: NT AUTHORITY\System
Schedule: At System Startup
The task is saved in the following file and has its security permissions set to prevent removal:
%Windir%\Tasks\[5 RANDOM LETTERS].job
Next, the Trojan variants attempt to resolve one of the following domains:
- itqoipyqsq.com
- addwjf6zoy.com
- c5ehm8fp.com
NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.
The Trojan variant tries to download the following encrypted file:
[http://]85.255.115.133/styles/deskt[REMOVED]
NOTE: At the time of writing the file is downloaded only if the compromised machine has an Italian IP address. It has been observed that non-Italian IP addresses get a 500 error message from the remote Web server.
The downloaded file may install multiple dialer components that will dial high-cost numbers.
The Trojan.Linkoptimizer.B variant checks for the presence of debuggers or monitoring tools. It will not run on computers in a VMware environment or with any of the following drivers active:
- SIWVIDSTART - Numega SoftICE Debugger
- FILEMON - Sysinternals Filemon
- REGMON - Sysinternals Regmon
- PROCMON - Sysinternals Procmon
It may inject a thread into EXPLORER.EXE that attempts to terminate any program with the following text in its window title:
- antidialer
- avenger
- avz antiviral
- catchme
- ccleaner
- dumphive
- gmer
- hardware upgrade forum
- hijackthis
- listdlls
- p2p forum italia
- pjf(ustc)
- restore ssdt
- runalyzer
- silent runners
- suspectfile
- swreg
- Systemscan
- unhook selected
- unlockerassistant
It may create a copy of itself with one of the following names:
%System%\[8 RANDOM LETTERS].[EXT]
%System%\[FIXPART1][FIXPART2].exe
[EXT] is one of the following strings:
[FIXPART1] is one of the following strings:
- admin
- auto
- boot
- cfg
- chat
- defrag
- demo
- dump
- edit
- key
- note
- office
- power
- reg
- run
- set
- sys
- sys32
- System
- task
- video
- win
- win32
[FIXPART2] is one of the following strings:
- audit
- backup
- cache
- check
- clean
- config
- control
- debug
- event
- find
- info
- init
- load
- lookup
- mode
- notify
- setup
- stat
- tray
- viewer
- wizard
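The file-name schemes above and the Image File Execution Options "Debugger" entry on explorer.exe described earlier are the two artifacts a responder can check for most mechanically. The following is an added example (not Symantec's code or a tool from the writeup) that builds regular expressions from the name lists on this page and scans `reg query`-style text for a Debugger value set on explorer.exe; the registry output it parses is constructed sample data, and the paths in it are placeholders.

```python
import re

# Name fragments listed in the writeup for the copies the Trojan writes to %System%.
FIXED_STRINGS = ["csr", "ctf", "drv", "dsk", "hlp", "lsa", "man", "mod", "mon",
                 "net", "sql", "srv", "svc", "sys", "tsk", "upd", "win"]
FIXPART1 = ["admin", "auto", "boot", "cfg", "chat", "defrag", "demo", "dump",
            "edit", "key", "note", "office", "power", "reg", "run", "set",
            "sys", "sys32", "system", "task", "video", "win", "win32"]
FIXPART2 = ["audit", "backup", "cache", "check", "clean", "config", "control",
            "debug", "event", "find", "info", "init", "load", "lookup", "mode",
            "notify", "setup", "stat", "tray", "viewer", "wizard"]

def _alt(words):
    # Longest alternatives first so "sys32"/"win32" are tried before "sys"/"win".
    return "(?:" + "|".join(sorted(map(re.escape, words), key=len, reverse=True)) + ")"

# %System%\[FIXED STRING][5 RANDOM LETTERS].exe  and  %System%\[FIXPART1][FIXPART2].exe
NAME_PATTERNS = [
    re.compile(r"^" + _alt(FIXED_STRINGS) + r"[a-z]{5}\.exe$", re.I),
    re.compile(r"^" + _alt(FIXPART1) + _alt(FIXPART2) + r"\.exe$", re.I),
]

def suspicious_basename(path):
    """True if the file name fits one of the two naming schemes from the writeup.
    Triage hint only: legitimate names such as winlogon.exe also fit scheme one."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return any(p.match(name) for p in NAME_PATTERNS)

IFEO_EXPLORER = r"\Image File Execution Options\explorer.exe".lower()

def scan_reg_query(output):
    """Parse `reg query` style text (key on its own line, values indented) and
    return (key, data, name_matches) for every Debugger value under the
    explorer.exe IFEO key, which is the persistence entry the writeup describes."""
    hits, current_key = [], None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line: a key path
            current_key = line.strip()
            continue
        parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)  # name, type, data
        if (len(parts) == 3 and parts[0].lower() == "debugger"
                and current_key and current_key.lower().endswith(IFEO_EXPLORER)):
            hits.append((current_key, parts[2], suspicious_basename(parts[2])))
    return hits

# Constructed sample: one hijacked explorer.exe entry, one unrelated IFEO entry.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
    Debugger    REG_SZ    C:\WINDOWS\system32\adminaudit.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    C:\PLACEHOLDER\legit_debugger.exe
"""
```

Because the writeup says the key's permissions are altered so administrators cannot change it, a hit from the scan also warrants checking the ACL on that key, not only the value.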
Variants of Trojan.Linkoptimizer.B have XML configuration data that can be updated from a remote site and that allows the variant to download or install multiple dialer components. The updatable configuration data includes high-cost numbers to dial with the following prefixes:
The variant will also use the updated configuration data to contact one of the following URLs:
- [http://]www.webcont.net/CONTENTS/adul[REMOVED]
- [http://]www.keycont.net/CONTENTS/audl[REMOVED]
Updated configuration data will also include valid account information for the URLs dialed.
Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
- Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
- Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
- If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
- If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
- For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Elia Florio