W32/KillAV.CM!tr - Released Mar 07, 2006
Alias/es: Email-Worm.Win32.Bagle.fu [KAV], Trojan.Tooso [NAV], W32/Mitglieder.HT [FP]
Detection Availability
Visible Symptoms
- Inability to connect to various security web sites in order to update security programs
- Presence of "mloader32.dll" in the System32 folder
Detailed Analysis
This Trojan is usually installed by Mitglieder (another Trojan). It exists as a DLL file in the System32 folder and is loaded into WINLOGON.EXE at system startup as a Winlogon notification package. It is responsible for terminating security programs and services and for deleting registry keys.
A dropper Trojan may install the DLL and register it to run at the next Windows restart by adding the following registry entries -
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mloader32
  "Asynchronous" = 00, 00, 00, 00
  "DllName" = mloader32.dll
  "Impersonate" = 00, 00, 00, 00
  "Startup" = Startup
Payload
This Trojan's purpose is to disrupt security programs already installed, by disabling them, deleting the registry keys responsible for loading them, or blocking websites. The Trojan monitors connections to the following sites, over either FTP or HTTP; if the infected system attempts to connect to any of them, the connection is blocked -
The Trojan compares running processes against an extensive list of application names and terminates any that match; the applications in the list are antivirus and security software. The Trojan may also delete registry entries matching these -
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Symantec NetDriver Monitor
- ccApp
- NAV CfgWiz
- SSC_UserPrompt
- McAfee Guardian
- McAfee.InstantUpdate.Monitor
- APVXDWIN
- KAV50
- avg7_cc
- avg7_emc
- Zone Labs Client
HKLM\SOFTWARE\
- Symantec
- McAfee
- KasperskyLab
- Agnitum
- Panda Software
- Zone Labs
- Trend Micro
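A host check an analyst can run for the indicators this entry gives (the Winlogon Notify package, the DLL in System32, the Run values the Trojan deletes, and reachability of the update sites it blocks), written here as an added example rather than Fortinet's own code. The registry paths, value names and host names are taken from this entry; the variable names, the choice of which three listed hosts to probe, and the TCP/80 probe itself are assumptions made for illustration.

```powershell
# Added example (not Fortinet's code): hunt for the persistence and symptoms this
# entry describes. Run in an elevated PowerShell session on the suspect host.
# Assumption: paths and value names below are those quoted on the page; variable
# names and the three hosts probed in step 4 were chosen here for illustration.

$Findings = @()
$System32 = Join-Path $env:SystemRoot 'System32'

# 1. The DLL the entry names in System32
$DllPath = Join-Path $System32 'mloader32.dll'
if (Test-Path $DllPath) {
    $Findings += "File present: $DllPath"
}

# 2. Winlogon Notify persistence: enumerate every Notify subkey, report the
#    package this entry uses (any unexpected package here deserves a look)
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $NotifyKey) {
    Get-ChildItem $NotifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if ($_.PSChildName -ieq 'mloader32' -or $dll -imatch 'mloader32') {
            $Findings += "Winlogon Notify package: $($_.PSChildName) -> $dll"
        }
    }
}

# 3. Run values the entry says the Trojan deletes: report which are absent so an
#    analyst can compare against the security software actually installed here
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValues = 'Symantec NetDriver Monitor','ccApp','NAV CfgWiz','SSC_UserPrompt',
             'McAfee Guardian','McAfee.InstantUpdate.Monitor','APVXDWIN','KAV50',
             'avg7_cc','avg7_emc','Zone Labs Client'
$Run = Get-ItemProperty $RunKey -ErrorAction SilentlyContinue
$Missing = $RunValues | Where-Object { -not ($Run.PSObject.Properties.Name -contains $_) }
if ($Missing) {
    $Findings += "Run values absent (check against installed AV): $($Missing -join ', ')"
}

# 4. Symptom check: can the host reach a few of the update sites the Trojan blocks?
foreach ($h in 'liveupdate.symantec.com','windowsupdate.microsoft.com','download.mcafee.com') {
    if (-not (Test-NetConnection $h -Port 80 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
        $Findings += "Cannot reach $h on TCP/80 (consistent with the blocking this entry describes)"
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from this entry found.' }
```

A failed probe in step 4 is only suggestive on its own; confirm with the registry and file findings before treating the host as infected.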
Recommended Action
FortiGate systems:
- check the main screen using the web interface to ensure the latest AV/NIDS
database has been downloaded and installed -- if required, enable the "Allow
Push Update" option
FortiClient systems:
- Quarantine/Delete infected files detected