
System Infected: Trojan.Chikdos.A Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects traffic generated by Trojan.Chikdos.A.

Additional Information

When the Trojan is executed, it creates the following files:
%ProgramFiles%\DbProtectSupport\fake.cfg
%ProgramFiles%\DbProtectSupport\svchost.exe

The Trojan creates a service with the following properties:
Display Name: LocalSystem
Image Path: %ProgramFiles%\DbProtectSupport\svchost.exe

The Trojan also creates the following registry entries:
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\Security\"Security" = "[HEXADECIMAL VALUE]"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"Type" = "dword:00000010"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"Start" = "dword:00000002"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ImagePath" = "expand:"%PROGRAMfILES%\DbProtectSupport\svchost.exe"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ErrorControl" = "dword:00000001"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Service" = "DbProtectSupport"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Legacy" = "dword:00000001"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"DeviceDesc" = "DbProtectSupport"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"ConfigFlags" = "dword:00000000"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\"NextInstance" = "dword:00000001"

The Trojan connects to the following domain on TCP port 59870:
cn0803.aiwooolsf.com

It then sends CPU and network information to the remote attacker.

The Trojan may then attempt to perform DDoS attacks.
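As an added example that is not part of Symantec's write-up, the following Python script turns the indicators above into an offline triage check: it parses a registry listing written in the same key/value notation the page uses and a few constructed firewall log lines, then reports services and flows that match the published service name, dropped image path, command-and-control domain and TCP port. The registry listing and the firewall log format are constructed sample input, and the extra rule that flags any service whose svchost.exe runs from outside System32 is a generalization beyond the page's single indicator.

```python
"""Offline triage helper for the Trojan.Chikdos.A indicators in the write-up above.

Example code added by the editor, not Symantec's signature logic. It reads a
registry listing in the key/value notation the write-up uses plus constructed
firewall log lines and reports matches against the published indicators.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken directly from the write-up (case-folded for comparison).
SERVICE_NAME = "dbprotectsupport"
DROPPED_IMAGE = r"%programfiles%\dbprotectsupport\svchost.exe"
C2_DOMAIN = "cn0803.aiwooolsf.com"
C2_PORT = 59870

SERVICES_KEY = "hkey_local_machine\\system\\currentcontrolset\\services\\"
# One value per line:  <key path>\"<value name>" = "<data>"
REG_LINE = re.compile(r'^(?P<key>HKEY_[^"]+)\\"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"$')


def parse_reg_listing(text: str) -> Dict[str, Dict[str, str]]:
    """Group registry values by case-folded key path."""
    keys: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            keys.setdefault(m["key"].lower(), {})[m["name"].lower()] = m["data"]
    return keys


def image_exe(data: str) -> str:
    """Reduce an ImagePath value to its lower-cased executable path.

    Strips the 'expand:' prefix and stray quotes the listing carries and drops
    service arguments such as '-k netsvcs'.
    """
    p = data.lower()
    if p.startswith("expand:"):
        p = p[len("expand:"):]
    p = p.strip().strip('"')
    m = re.match(r"^(.*?\.exe)\b", p)
    return m.group(1) if m else p


def find_suspicious_services(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag services matching the write-up, plus any svchost.exe outside System32."""
    findings = []
    for key, values in keys.items():
        if not key.startswith(SERVICES_KEY):
            continue
        svc = key[len(SERVICES_KEY):]
        if "\\" in svc:  # Security/Parameters subkeys, not a service root
            continue
        exe = image_exe(values.get("imagepath", ""))
        if svc == SERVICE_NAME or exe == DROPPED_IMAGE:
            findings.append((svc, "matches Trojan.Chikdos.A service indicator"))
        elif exe.endswith("\\svchost.exe") and not exe.startswith(
                ("%systemroot%\\system32\\", "c:\\windows\\system32\\")):
            findings.append((svc, "svchost.exe launched from outside System32"))
    return findings


# Constructed firewall log shape: "<timestamp> <src-ip> -> <dst-host>:<dst-port> <proto>"
FW_LINE = re.compile(r"^\S+\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<proto>\S+)")


def find_c2_connections(log: str) -> List[Tuple[str, str, str]]:
    """Return (src, dst:port, confidence) for TCP flows matching the C2 indicators."""
    hits = []
    for line in log.splitlines():
        m = FW_LINE.match(line.strip())
        if not m or m["proto"].lower() != "tcp":
            continue
        dst, port = m["dst"].lower(), int(m["port"])
        if dst == C2_DOMAIN:
            hits.append((m["src"], f"{dst}:{port}", "high"))  # named C2 host
        elif port == C2_PORT:
            hits.append((m["src"], f"{dst}:{port}", "low"))   # unusual port only
    return hits


# Constructed sample input: the write-up's service plus one benign and one odd service.
SAMPLE_REG = r'''
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"Type" = "dword:00000010"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"Start" = "dword:00000002"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ImagePath" = "expand:"%PROGRAMfILES%\DbProtectSupport\svchost.exe"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\Security\"Security" = "[HEXADECIMAL VALUE]"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Dhcp\"ImagePath" = "expand:"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\UpdaterSvc\"ImagePath" = "expand:"C:\Users\Public\svchost.exe"
'''

# Constructed sample firewall log.
SAMPLE_FW_LOG = """
2024-01-05T10:14:07Z 10.0.0.15 -> cn0803.aiwooolsf.com:59870 tcp
2024-01-05T10:14:09Z 10.0.0.15 -> www.example.com:443 tcp
2024-01-05T10:15:30Z 10.0.0.22 -> 203.0.113.9:59870 tcp
2024-01-05T10:15:31Z 10.0.0.30 -> 203.0.113.9:59870 udp
"""

if __name__ == "__main__":
    for svc, why in find_suspicious_services(parse_reg_listing(SAMPLE_REG)):
        print(f"service {svc}: {why}")
    for src, dst, conf in find_c2_connections(SAMPLE_FW_LOG):
        print(f"flow {src} -> {dst}: {conf} confidence")
```

Run as-is against the embedded samples it reports the DbProtectSupport service and the public-folder svchost.exe, the connection to the named domain as high confidence and the bare port-59870 flow as low confidence; on real data, feed it a listing exported in the same notation and your own firewall export after adjusting the two regular expressions.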

Affected

  • Windows, Linux