
System Infected : Trojan.Scieron Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Scieron activity on compromised systems.

Additional Information

When the Trojan is executed, it creates the following files:
%UserProfile%\Application Data\winword.exe
%UserProfile%\Application Data\httpsapi.dll
%System%\httpsapi.dll

The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\https: "rundll32.exe %UserProfile%\Application Data\httpsapi.dll,DllGetObject"

The Trojan may register the malicious DLL as a Browser Helper Object (BHO) using the following registry entries:
HKEY_CLASSES_ROOT\CLSID\{B8969153-2214-4d23-B02B-FC8B490F8F54}\Default:"Http Security"
HKEY_CLASSES_ROOT\CLSID\{B8969153-2214-4d23-B02B-FC8B490F8F54}\InprocServer32\Default:"%System%\mshttp.dll"

The Trojan may create the following mutexes to ensure that only one instance is running:
httpsapi_dll_5_1
mshttp_dll_5_1

The Trojan may open a back door and connect to one of the following servers:
ls910329.my03.com
coastnews.darktech.org
uudog.4pu.com
yellowblog.flnet.org
www.ndcinformation.acmetoy.com
logoff.ddns.info
gjjb.flnet.org
newdyndns.scieron.com
www.service.authorizeddns.net
apple.dynamic-dns.net
demon.4irc.com
expert.4irc.com
will-smith.dtdns.net
sskill.b0ne.com
rubberduck.gotgeeks.com
bulldog.toh.info
jingnan88.chatnook.com
dynamic.ddns.mobi
anakin129.lflinkup.com
Markshell.etowns.net
blackblog.chatnook.com
lehnjb.epac.to
mydear.ddns.info
photocard.4irc.com
pricetag.deaftone.com
sorry.ns2.name
football.mrbasic.com
nazgul.zyns.com
cew58e.xxxy.info

The Trojan may steal the following information:
Computer name
Host name
Version
Drive type
Files

The Trojan may perform the following actions:
Download and execute remote files
Delete files
Move files to other folders
List directories
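As an added example (not Symantec's detection logic and not code from this page), the following Python script turns the host and network indicators listed above into matching functions and runs them over constructed sample inputs: a DNS query log, a .reg-style registry export, and a list of mutex names. The domains, mutex names, BHO CLSID and the Run value name are copied from the description; the log line format, the paths in the sample export and every function name are this example's own assumptions. Domain matching also treats a subdomain of a listed host as a hit, which goes slightly beyond the literal list.

```python
"""Match Trojan.Scieron indicators against sample host and network artifacts.

Added example: indicator values are copied from the signature description;
all sample inputs are constructed and all helper names are assumptions.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Command-and-control hosts listed in the description (copied verbatim, lower-cased).
SCIERON_DOMAINS = frozenset(d.lower() for d in """
ls910329.my03.com coastnews.darktech.org uudog.4pu.com yellowblog.flnet.org
www.ndcinformation.acmetoy.com logoff.ddns.info gjjb.flnet.org newdyndns.scieron.com
www.service.authorizeddns.net apple.dynamic-dns.net demon.4irc.com expert.4irc.com
will-smith.dtdns.net sskill.b0ne.com rubberduck.gotgeeks.com bulldog.toh.info
jingnan88.chatnook.com dynamic.ddns.mobi anakin129.lflinkup.com Markshell.etowns.net
blackblog.chatnook.com lehnjb.epac.to mydear.ddns.info photocard.4irc.com
pricetag.deaftone.com sorry.ns2.name football.mrbasic.com nazgul.zyns.com cew58e.xxxy.info
""".split())

# Mutex names, BHO CLSID and Run key from the description.
SCIERON_MUTEXES = frozenset({"httpsapi_dll_5_1", "mshttp_dll_5_1"})
SCIERON_BHO_CLSID = "{B8969153-2214-4d23-B02B-FC8B490F8F54}"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Assumed log format: "<timestamp> <client-ip> query: <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")


def c2_match(qname: str) -> Optional[str]:
    """Return the listed C2 host that qname equals or sits under, else None."""
    labels = qname.strip().rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SCIERON_DOMAINS:
            return candidate
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_domain) for queries to listed hosts."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue  # malformed or unrelated line
        matched = c2_match(m["qname"])
        if matched:
            hits.append((m["ts"], m["client"], matched))
    return hits


def scan_reg_export(text: str) -> List[str]:
    """Flag the Run value and BHO CLSID keys in a .reg-style export."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if SCIERON_BHO_CLSID.lower() in key.lower():
                findings.append(f"BHO CLSID registered: {key}")
            continue
        if key and key.lower() == RUN_KEY.lower() and "=" in line:
            name, _, data = line.partition("=")
            name, data = name.strip('"'), data.strip().strip('"')
            if name.lower() == "https" or "httpsapi.dll" in data.lower():
                findings.append(f"Run value {name!r}: {data}")
    return findings


def scan_mutexes(names: Iterable[str]) -> set:
    """Return the known Scieron mutex names present in a mutex listing."""
    return {n for n in names if n in SCIERON_MUTEXES}


# Constructed sample inputs (not real telemetry).
SAMPLE_DNS_LOG = [
    "2020-01-01T09:12:01Z 10.1.4.22 query: coastnews.darktech.org.",
    "2020-01-01T09:12:05Z 10.1.4.22 query: www.example.com",
    "2020-01-01T09:13:10Z 10.1.4.31 query: MARKSHELL.ETOWNS.NET",
    "2020-01-01T09:14:00Z 10.1.4.31 query: update.logoff.ddns.info",
    "2020-01-01T09:14:02Z 10.1.4.31 query: other.ddns.info",
    "not a log line",
]
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"https"="rundll32.exe C:\\Users\\user\\Application Data\\httpsapi.dll,DllGetObject"

[HKEY_CLASSES_ROOT\CLSID\{B8969153-2214-4d23-B02B-FC8B490F8F54}]
@="Http Security"

[HKEY_CLASSES_ROOT\CLSID\{B8969153-2214-4d23-B02B-FC8B490F8F54}\InprocServer32]
@="C:\\Windows\\System32\\mshttp.dll"
"""
SAMPLE_MUTEXES = ["Global\\SomeAppMutex", "httpsapi_dll_5_1"]


def run_demo() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "dns": scan_dns_log(SAMPLE_DNS_LOG),
        "registry": scan_reg_export(SAMPLE_REG_EXPORT),
        "mutexes": scan_mutexes(SAMPLE_MUTEXES),
    }


if __name__ == "__main__":
    for kind, result in run_demo().items():
        print(kind, result)
```

The subdomain walk in `c2_match` matters because dynamic-DNS providers hand out names under shared parent zones: `other.ddns.info` must not match just because `logoff.ddns.info` is listed, while a host under a listed name still should.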

Affected

  • Windows XP, Windows 7, Windows Vista
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube