When Trojan.Ascesso is executed it first tries to load its driver in Kernel memory.
To do that, the Trojan enumerates system services in the following registry subkey:
It looks for a service that runs at startup and whose driver is currently loaded in kernel memory (e.g. Beep.sys).
When a suitable service is found, the Trojan keeps a backup copy of the original .SYS file in memory and temporarily overwrites the file on disk with its own 63 KB malicious driver. Next, the Trojan restarts that service so that the dropped malicious driver is loaded, and finally it restores the original file on disk to avoid detection.
If the driver gets loaded successfully, the threat creates the following file:
Next, it also creates the following registry subkeys for the driver:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550[RANDOM LETTER]\"ErrorControl" = "0x0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550[RANDOM LETTER]\"Start" = "0x2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550[RANDOM LETTER]\"Tag" = "0x55"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550[RANDOM LETTER]\"Type" = "0x1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550[RANDOM LETTER]\"Group" = "SCSI miniport"
Where [RANDOM LETTER] is a single letter, e.g. "asc3550v.sys".
Note:
The services "asc3550" and "asc3550p" are legitimate Windows services.
The Trojan uses the following rootkit techniques to hide itself in the system:
- Hooks the "IofCallDriver" function in the Windows kernel
- Patches the TCPIP.SYS and WANARP.SYS drivers to bypass local firewalls
- Uses "CmRegisterCallback" to register a function that hides its registry subkey
When the Trojan is active, the driver file is deleted from:
And is temporarily copied to the following location:
The Trojan sets the following registry value so that, when the system starts, the file %Windir%\smsys.dat is copied back to %System%\drivers\asc3550[RANDOM LETTER].sys and the threat is executed again:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\"PendingFileRenameOperations" = "%SystemRoot%smsys.dat %SystemRoot%System32\drivers\asc3550[RANDOM LETTER].sys"
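The two persistence artifacts described above (the asc3550[RANDOM LETTER] driver service and the PendingFileRenameOperations entry that restores smsys.dat) can be triaged from an offline registry export, which matters here because the CmRegisterCallback hook hides the service subkey from queries made on the running system. The following is an added example written for this page, not Symantec's own tooling: it parses a regedit-style .reg export (including the hex(7) encoding regedit uses for REG_MULTI_SZ), whitelists the legitimate asc3550 and asc3550p services named in the writeup, and flags the two indicators. The .reg text is constructed; the drive letter, the exact PendingFileRenameOperations layout and the encode_multi_sz helper are assumptions made to build that sample.

```python
"""Triage a .reg export for the Trojan.Ascesso persistence described above.

Added example for this page, not Symantec's tooling. SAMPLE_REG is constructed.
"""
import re

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SESSION_MANAGER_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
LEGIT_SERVICES = {"asc3550", "asc3550p"}             # named as legitimate in the writeup
SUSPECT_NAME = re.compile(r"^asc3550[a-z]$", re.I)   # asc3550 plus one random letter
PENDING_RENAME = re.compile(r"smsys\.dat.*asc3550[a-z]\.sys", re.I | re.S)


def encode_multi_sz(strings):
    """Build a REG_MULTI_SZ the way regedit exports it: 'hex(7):' followed by
    UTF-16LE bytes, each string NUL-terminated, list NUL-terminated, wrapped
    with trailing backslashes. Only used to construct the sample below."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    pairs = [f"{b:02x}" for b in data]
    lines = [",".join(pairs[i:i + 25]) for i in range(0, len(pairs), 25)]
    return "hex(7):" + ",\\\n  ".join(lines)


def decode_value(raw):
    """Decode a .reg value: "string", dword:xxxxxxxx or hex(7): multi-string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):
        hexstr = re.sub(r"[,\\\s]", "", raw[7:])
        return [s for s in bytes.fromhex(hexstr).decode("utf-16-le").split("\x00") if s]
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} from a .reg export."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # value continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = decode_value(value.strip())
    return keys


def find_ascesso_indicators(keys):
    """Flag a non-whitelisted asc3550? driver service and a pending rename of
    smsys.dat onto drivers\asc3550?.sys. Returns a list of finding dicts."""
    findings = []
    prefix = SERVICES_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        name = path[len(prefix):]
        if "\\" in name or name.lower() in LEGIT_SERVICES:
            continue                          # sub-subkey, or a legitimate service
        if SUSPECT_NAME.match(name):
            findings.append({"kind": "driver_service", "service": name, "values": values})
    pending = keys.get(SESSION_MANAGER_KEY, {}).get("PendingFileRenameOperations", [])
    entries = pending if isinstance(pending, list) else [pending]
    if PENDING_RENAME.search(" | ".join(entries)):
        findings.append({"kind": "pending_rename", "entries": entries})
    return findings


# Constructed sample export: the legitimate asc3550p service, a suspicious
# asc3550v service with the values listed in the writeup, and the rename entry.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p]",
    '"Type"=dword:00000001',
    '"Group"="SCSI miniport"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550v]",
    '"ErrorControl"=dword:00000000',
    '"Start"=dword:00000002',
    '"Tag"=dword:00000055',
    '"Type"=dword:00000001',
    '"Group"="SCSI miniport"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]",
    '"PendingFileRenameOperations"=' + encode_multi_sz([
        r"\??\C:\WINDOWS\smsys.dat",                          # assumed drive/path
        r"!\??\C:\WINDOWS\system32\drivers\asc3550v.sys",
    ]),
    "",
])

if __name__ == "__main__":
    for finding in find_ascesso_indicators(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Export the SYSTEM hive from a mounted or booted-offline disk rather than from the running system, since the hidden subkey will not appear in a live export; the PendingFileRenameOperations check also matches the single-string form shown in the writeup above.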
It may also create the following registry subkeys:
The Trojan injects a variable user-mode payload into SERVICES.EXE process space.
Depending on the payload variant, the Trojan may:
- Download and execute a remote file into %System%\[RANDOM_DIGITS]ld.exe
- Contact a remote server to get instructions and configurations
- Update itself
- Send spam and contact the following hosts on TCP port 25:
- Send the following discovery packet over UDP port 1900 several times:
M-SEARCH * HTTP/1.1
Where [VALUE] could be
It may also download a remote file and copy it into the download folder of the following P2P programs:
The file is copied into the folder with one of the following names:
- WinXP SP2 crack.exe
- PGP serial code.exe
- Windows Vista keygen.exe
- World cup viewer.exe
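The payload behaviour listed above gives two network-side signals a defender can check for: outbound SMTP (TCP port 25) from hosts that are not the site's mail relay, and the same host repeating SSDP M-SEARCH discovery to UDP port 1900 within a short window. The following is an added example for this page, not Symantec's code: it parses SSDP datagrams strictly enough to reject non-M-SEARCH or malformed packets and counts per-source bursts. The flow records, the approved relay address 10.0.0.25, the window and threshold constants, and the ST value in the sample packet are constructed assumptions (the writeup does not give the real [VALUE]).

```python
"""Flag the outbound SMTP and repeated SSDP M-SEARCH behaviour described above
from a list of flow records. Added example for this page; all inputs constructed."""
from collections import defaultdict

APPROVED_MAIL_RELAYS = {"10.0.0.25"}   # assumption: the site's real MTA
MSEARCH_WINDOW_SECONDS = 60            # assumption
MSEARCH_THRESHOLD = 3                  # "several times" in the writeup; assumption


def parse_msearch(payload: bytes):
    """Return the headers of a well-formed SSDP M-SEARCH request, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if lines[0] != "M-SEARCH * HTTP/1.1":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None                  # malformed header line
        headers[name.strip().upper()] = value.strip()
    # An SSDP discovery must carry MAN: "ssdp:discover" and a search target
    if headers.get("MAN") != '"ssdp:discover"' or "ST" not in headers:
        return None
    return headers


def detect(records):
    """records: dicts with ts (seconds), src, dst, proto, dport, payload.
    Returns a list of finding dicts, in the order they were raised."""
    findings = []
    msearch_times = defaultdict(list)    # src -> recent M-SEARCH timestamps
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 25 and r["src"] not in APPROVED_MAIL_RELAYS:
            findings.append({"kind": "smtp_from_non_relay", "src": r["src"], "dst": r["dst"]})
        elif r["proto"] == "udp" and r["dport"] == 1900:
            headers = parse_msearch(r["payload"])
            if headers is None:
                continue
            recent = [t for t in msearch_times[r["src"]] if r["ts"] - t <= MSEARCH_WINDOW_SECONDS]
            recent.append(r["ts"])
            msearch_times[r["src"]] = recent
            if len(recent) == MSEARCH_THRESHOLD:   # raise once, when the threshold is crossed
                findings.append({"kind": "ssdp_msearch_burst", "src": r["src"],
                                 "st": headers["ST"], "count": len(recent)})
    return findings


# Constructed SSDP discovery packet; "ssdp:all" stands in for the writeup's [VALUE]
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\n"
           b"HOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\n'
           b"MX: 3\r\n"
           b"ST: ssdp:all\r\n\r\n")
NOTIFY = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"

# Constructed flow records: the approved relay, a workstation sending mail
# directly, one ordinary discovery from another host, and a burst from the
# workstation (plus one NOTIFY that must not be counted).
SAMPLE_RECORDS = [
    {"ts": 0, "src": "10.0.0.25", "dst": "198.51.100.10", "proto": "tcp", "dport": 25, "payload": b""},
    {"ts": 1, "src": "10.0.0.77", "dst": "198.51.100.10", "proto": "tcp", "dport": 25, "payload": b""},
    {"ts": 2, "src": "10.0.0.50", "dst": "239.255.255.250", "proto": "udp", "dport": 1900, "payload": MSEARCH},
    {"ts": 3, "src": "10.0.0.77", "dst": "239.255.255.250", "proto": "udp", "dport": 1900, "payload": MSEARCH},
    {"ts": 4, "src": "10.0.0.77", "dst": "239.255.255.250", "proto": "udp", "dport": 1900, "payload": NOTIFY},
    {"ts": 5, "src": "10.0.0.77", "dst": "239.255.255.250", "proto": "udp", "dport": 1900, "payload": MSEARCH},
    {"ts": 6, "src": "10.0.0.77", "dst": "239.255.255.250", "proto": "udp", "dport": 1900, "payload": MSEARCH},
    {"ts": 7, "src": "10.0.0.77", "dst": "239.255.255.250", "proto": "udp", "dport": 1900, "payload": MSEARCH},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(finding)
```

A single M-SEARCH is normal UPnP behaviour from any desktop, so the burst threshold and the relay whitelist are what turn these into usable alerts; tune both to the environment before deploying the logic against real flow logs.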
It has been reported that the threat attempts to download the following files:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":