
System Infected: Trojan.Volgmer Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Volgmer activity on compromised computers.

Additional Information

Once executed, the Trojan creates the following files:
%System%\[RANDOM FILE NAME].dll
%Temp%\pdm.bat

It then creates a service with the following properties:
Display Name: [RANDOM SERVICE NAME]
Image Path: %System%\svchost.exe -k LocalSystems
Description: The [RANDOM SERVICE NAME] is an essential service for management of Windows System. If the service is stopped or disabled, Windows will be able to damaged seriously.

Note: [RANDOM SERVICE NAME] may be composed of the following words:
Application
Background
Control
Desktop
Extension
Function
Group
Host
Intelligent
Key
Layer
Multimedia
Network
Operation
Portable
Quality
Remote
Security
TCP/IP
User Profile
Volume
Windows
Device
Upd
Service
Management
Manager
Enum

For example: Control Portable Volume Manager or Background Operation Windows Manager

The Trojan then creates the following registry subkey to register itself as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM FILE NAME]

It also creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security\"f0012345-2a9c-bdf8-345d-345d67b542a1" = "[HEXADECIMAL VALUE]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security\"125463f3-2a9c-bdf0-d890-5a98b08d8898" = "[HEXADECIMAL VALUE]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM FILE NAME]\0000\"Service" = "[RANDOM FILE NAME]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM FILE NAME]\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM FILE NAME]\0000\"DeviceDesc" = "[RANDOM SERVICE NAME]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM FILE NAME]\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM FILE NAME]\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM FILE NAME]\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM FILE NAME]\"NextInstance" = "1"

Next, the Trojan connects to one or more of the following IP addresses on TCP port 8080 or 8088:

The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Gather system information
Download and execute files
Update service registry key
Upload files

Gathered system information may include the following:
Computer name
IP address
Drive name and serial number
Locale information
TCP connection state
Operating system version
Process list

Affected

  • Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP