Threat Spotlight

For the week of 17 Jan 2011

Threat 1

Downloaded Trojan drops more malware

Threat Name:

Troj/Agent-QBM

Users at Risk:

Windows users

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/Agent-QBM can run automatically and download, install and run new software. It communicates via HTTP with plentyafricans[dot]com. When it installs, this Trojan creates the following files:

<Temp>\proj.exe
<Program Files>\Microsoft\svchoster.exe

It also creates the registry key HKLM\SOFTWARE\Microsoft\DownloadManager and sets the following registry entries so that svchoster.exe is launched at startup (an Active Setup StubPath runs once for each user who logs on; a Run value runs at every logon):

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B78TO3V2-3YR0-C781-66NP-35U054PRN3FH}
StubPath
<Program Files>\Microsoft\svchoster.exe restart

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Update
<Program Files>\Microsoft\svchoster.exe

This Trojan is often dropped by Troj/DwnLdr-ITL.

In addition to the standard detection provided for Troj/Agent-QBM, the proactive HIPS technology in Sophos Endpoint Security can prevent the action of this malware and the additional malware it attempts to install. When Troj/Agent-QBM runs, it will fire the following HIPS rules:

HIPS/ProcMod-005
HIPS/RegMod-014

Troj/DwnLdr-ITL, which drops this spotlight Trojan, will fire the following HIPS rules:

HIPS/ProcMod-005
HIPS/ProcMod-006
HIPS/RegMod-014

Threat 2

Fake Kama Sutra PowerPoint drops infections

Threat Name:

Troj/Bckdr-RFM

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/Trausama.A.1
  • McAfee: BackDoor-EXY trojan
  • Microsoft: Trojan:Win32/Trausama.A

Removal Instructions:

Please use the instructions for removing Trojans.

About:

This Trojan is a dropper that typically arrives as a file named "Real Kamasutra.pps.exe". Because Windows Explorer hides known file extensions by default, the name is displayed as "Real Kamasutra.pps", so the executable passes for a PowerPoint slideshow. It drops the following files:

<Windows>\AdobeUpdater.exe
<Profile>\Local Settings\Temp\<random number>.tmp\Real kamasutra.pps
<Profile>\Local Settings\Temp\<random number>.tmp\jqa.exe
<Profile>\Local Settings\Temp\<random number>.tmp\acrobat.exe

It creates these registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Updater
<Windows>\AdobeUpdater.exe

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Windows>\AdobeUpdater.exe

The second entry adds AdobeUpdater.exe to the Windows Firewall's list of authorised applications, so the backdoor's inbound and outbound traffic is not blocked by the host firewall.

This Trojan first contacts adobe.com and then the IP address 95[.]168[.]172[.]46, to which it sends the infected machine's hostname, username and MAC address.

AdobeUpdater.exe, one of the dropped files, responds to commands issued by a remote server. These commands include:

  • shell
  • sleep
  • quit
  • kill
  • comd (transfers files to and from the remote server and executes files the server uploads)
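
The following script is an added example (not part of the Sophos spotlight and not Sophos code) that sweeps one Windows host for the persistence artifacts the two sections above attribute to Troj/Agent-QBM and Troj/Bckdr-RFM: the dropped executables, the Adobe-sounding Run values, the Active Setup StubPath, the DownloadManager key and the firewall exception. The artifact names are taken from the text; the Wow6432Node and "Program Files (x86)" locations are assumptions for 32-bit samples on a 64-bit host, and the HideFileExt check is a hardening check that is not an infection marker.

```powershell
# Added example, not from the Sophos spotlight: read-only sweep for the
# persistence artifacts attributed to Troj/Agent-QBM and Troj/Bckdr-RFM.
# Run from an elevated PowerShell prompt.

$hits = @()

# 1. Dropped files. A 32-bit sample on a 64-bit host may land in
#    "Program Files (x86)" instead (assumption), so both roots are checked.
$programRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$files = @()
foreach ($root in $programRoots) { $files += (Join-Path $root 'Microsoft\svchoster.exe') }
$files += (Join-Path $env:windir 'AdobeUpdater.exe')
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $hits += "File present: $f" }
}

# 2. Run values. Both samples hide behind Adobe-sounding names; flag the
#    names from the spotlight regardless of what they currently point at.
#    The Wow6432Node path is an assumption for 32-bit samples on x64.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in @('Adobe Update', 'Adobe Updater')) {
        $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($p) { $hits += "Run value '$name' in $key = $($p.$name)" }
    }
}

# 3. Active Setup: every Installed Components subkey with a StubPath is run
#    once per user at logon. Flag any StubPath naming svchoster.exe.
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
foreach ($sub in (Get-ChildItem -Path $asKey -ErrorAction SilentlyContinue)) {
    $stub = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match 'svchoster\.exe') {
        $hits += "Active Setup StubPath in $($sub.PSChildName): $stub"
    }
}

# 4. Troj/Agent-QBM's marker key.
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\DownloadManager') {
    $hits += 'Key present: HKLM\SOFTWARE\Microsoft\DownloadManager'
}

# 5. Windows Firewall exception for AdobeUpdater.exe. In this key the value
#    *name* is the executable path, so match on the name, not the data.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    foreach ($v in (Get-ItemProperty -Path $fwKey).PSObject.Properties) {
        if ($v.Name -match 'AdobeUpdater\.exe') {
            $hits += "Firewall exception: $($v.Name) = $($v.Value)"
        }
    }
}

# 6. Not an infection marker, but the lure depends on it: with HideFileExt
#    set (the default), Explorer shows "Real Kamasutra.pps.exe" as
#    "Real Kamasutra.pps".
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -ne 0) { $hits += 'Explorer hides known file extensions (HideFileExt is not 0)' }

if ($hits.Count -eq 0) {
    'No Troj/Agent-QBM or Troj/Bckdr-RFM artifacts found.'
} else {
    foreach ($h in $hits) { "[!] $h" }
}
```

A hit on the Run or Active Setup checks is worth more than a file hit alone: the Active Setup mechanism is rarely used by legitimate software installed after setup, and a StubPath under a Microsoft-looking path that ends in "restart" matches what the spotlight describes. Treat a HideFileExt finding as a hardening gap rather than evidence of infection.
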

Threat 3

Worm spreads via networks with weak passwords

Threat Name:

W32/Rbot-GXM

Users at Risk:

Windows users

Also Known As:

  • AVP: Backdoor.Win32.IRCBot.hss
  • McAfee: W32/Spybot.worm.gen virus
  • Microsoft: Backdoor:Win32/IRCbot.gen!K
  • Symantec: W32.Spybot.Worm
  • Trend Micro: WORM_KOLAB.CO

Removal Instructions:

Please follow the instructions for removing worms.

About:

W32/Rbot-GXM is a worm and backdoor Trojan for the Windows platform, and is related to the Neeris family of worms. It can:

  • Copy itself to the <SYSTEM> folder
  • Run automatically
  • Start services

When run, this worm creates the file TCPZ-X86D.sys, which Sophos detects as the potentially unwanted application "TCP-Z TCP Patch and Monitor". TCP-Z patches tcpip.sys to remove Windows' limit on concurrent half-open TCP connections; a worm that drops it most likely does so to scan for new hosts without being throttled by that limit. It also sets the following registry entries under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDDLL\
HKLM\SYSTEM\CurrentControlSet\Services\msddll\
HKLM\SYSTEM\CurrentControlSet\Services\MSNETDED

W32/Rbot-GXM spreads to network shares protected by weak passwords and to removable drives. The worm also typically attempts to spread across a network by exploiting MS08-067, the Server service RPC vulnerability (CVE-2008-4250) that Microsoft patched in October 2008; an unpatched host can be infected with no user action at all.
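
The following script is an added example (not part of the Sophos spotlight and not Sophos code) that checks whether a host is still exposed to the spread vectors described above and looks for the service and driver artifacts listed for W32/Rbot-GXM. KB958644 is Microsoft's update for MS08-067. Two assumptions are made and marked in the code: that the removable-drive spread relies on AutoRun, which the spotlight does not state, and that TCPZ-X86D.sys is written somewhere under System32, which the spotlight does not say.

```powershell
# Added example, not from the Sophos spotlight: read-only check of a host's
# exposure to W32/Rbot-GXM's spread vectors plus a look for its artifacts.
# Run from an elevated PowerShell prompt.

$findings = @()

# 1. MS08-067. Get-HotFix reads Win32_QuickFixEngineering. Windows 7 and
#    later ship with the fix built in and never list the KB, so only treat
#    "not listed" as a finding on older OS versions (below 6.1).
$osVersion = [Environment]::OSVersion.Version
$fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if (-not $fix -and $osVersion -lt [Version]'6.1') {
    $findings += 'KB958644 (MS08-067) not listed; Server service may be exploitable'
}

# 2. Weak-password shares. The worm needs the Server service reachable and
#    an account it can guess; enabled local accounts flagged "password not
#    required" are the cheapest hits for a dictionary-driven worm.
$srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
if ($srv -and $srv.Status -eq 'Running') {
    $findings += 'Server service (LanmanServer) running: file shares reachable over SMB'
}
$accts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True AND Disabled = False"
foreach ($a in $accts) {
    if (-not $a.PasswordRequired) {
        $findings += "Enabled local account without required password: $($a.Name)"
    }
}

# 3. Removable drives. Assumption (not stated in the spotlight): the copy to
#    removable drives relies on AutoRun, as Rbot variants commonly do.
#    NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ndt = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $ndt) {
    $findings += 'NoDriveTypeAutoRun not set: AutoRun enabled for removable drives'
} elseif ($ndt -ne 0xFF) {
    $findings += ('NoDriveTypeAutoRun is 0x{0:X}; 0xFF disables AutoRun everywhere' -f $ndt)
}

# 4. Artifacts from the spotlight: the two service keys, the LEGACY_ entry
#    that Windows creates once the msddll service has actually been loaded,
#    and the TCP-Z driver file (location under System32 is an assumption).
foreach ($svc in @('msddll', 'MSNETDED')) {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") {
        $findings += "Service key present: $svc"
    }
}
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDDLL') {
    $findings += 'Enum\Root\LEGACY_MSDDLL present: msddll service has been loaded'
}
$drv = Get-ChildItem -Path "$env:windir\System32" -Filter 'TCPZ-X86D.sys' -Recurse -ErrorAction SilentlyContinue
foreach ($d in $drv) { $findings += "TCP-Z driver file present: $($d.FullName)" }

if ($findings.Count -eq 0) {
    'No W32/Rbot-GXM exposure or artifacts found.'
} else {
    foreach ($f in $findings) { "[!] $f" }
}
```

The exposure checks (1 to 3) are the ones worth running fleet-wide before an outbreak; the artifact checks (4) only tell you about a host that has already been infected. A running Server service is normal on most workstations, so that line is context for the password findings rather than a problem on its own.
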

In addition to the standard detection provided for W32/Rbot-GXM, the proactive HIPS technology in Sophos Endpoint Security can prevent the action of this malware and the additional malware it attempts to install. When W32/Rbot-GXM is run it will fire the HIPS rule HIPS/FileMod-001.