W32/Agent.IL!tr

Analysis

This Trojan may arrive as an attachment to an email message. When run, it installs itself into the System32 folder as three files -

c:\WINNT\system32\hacker.asf
c:\WINNT\system32\hacker.exe
c:\WINNT\system32\hacker.hke

The last of these is the log file written by the Trojan's keystroke-logging routine. The Trojan then registers itself as a service that impersonates the built-in Windows Messenger service, reusing its key name, display name and description; the REG_EXPAND_SZ ImagePath below decodes to "C:\WINNT\System32\hacker.exe -k netsvcs", configured to start automatically (Start=2) as LocalSystem -

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,68,00,61,00,63,00,6b,00,65,\
00,72,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,6e,00,65,00,74,00,\
73,00,76,00,63,00,73,00,00,00
"DisplayName"="Messenger"
"DependOnService"=hex(7):4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,00,\
6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4e,00,65,00,74,00,42,\
00,49,00,4f,00,53,00,00,00,52,00,70,00,63,00,53,00,53,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"="Sends and receives messages transmitted by administrators or by the Alerter service."

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
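The hex(2) and hex(7) values in the dump above are UTF-16LE byte lists and are hard to read in a raw .reg export, yet they carry the point of the masquerade: a service named Messenger whose ImagePath is a standalone EXE borrowing svchost.exe's "-k <group>" syntax. The script below is an added example, not code from the Fortinet write-up. It parses a .reg fragment (a constructed sample copied from the Services\Messenger key above, wrapped in the bracketed key header a .reg export uses; the Security and Enum subkeys are left out), decodes REG_DWORD, REG_EXPAND_SZ and REG_MULTI_SZ values, and runs three triage checks a responder would apply to any exported service key: a built-in shared service not hosted by svchost.exe, svchost-style "-k" arguments on a non-svchost image, and the SERVICE_INTERACTIVE_PROCESS bit in Type. The set of svchost-hosted service names is an assumption kept to the one service this sample impersonates.

```python
"""Decode a .reg export of a Windows service key and flag a masquerade.

Added example for the analysis above; not code from the original page.
"""
import re

# Constructed sample: the Services\Messenger key from the dump above, with the
# bracketed key header a .reg export carries. Security/Enum subkeys omitted.
SAMPLE_REG = r'''
[HKLM\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,68,00,61,00,63,00,6b,00,65,\
  00,72,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,6e,00,65,00,74,00,\
  73,00,76,00,63,00,73,00,00,00
"DisplayName"="Messenger"
"DependOnService"=hex(7):4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,00,\
  6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4e,00,65,00,74,00,42,\
  00,49,00,4f,00,53,00,00,00,52,00,70,00,63,00,53,00,53,00,00,00,00,00
"ObjectName"="LocalSystem"
'''

REG_EXPAND_SZ, REG_MULTI_SZ = 2, 7     # hex(N) suffix; a bare "hex:" is REG_BINARY (3)
SERVICE_INTERACTIVE_PROCESS = 0x100    # Type flag: the service may interact with the desktop

# Assumption: built-in services that Windows 2000/XP host inside svchost.exe
# (the real Messenger runs as "svchost.exe -k netsvcs"). Kept to this sample.
SVCHOST_HOSTED = {"Messenger"}

_KEY = re.compile(r"^\[(?P<path>[^\]]+)\]$")
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
_HEX = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\((?P<kind>\d+)\))?:(?P<data>[0-9a-fA-F,]*)$')
_STR = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')


def _logical_lines(text):
    """Join lines ending in a backslash, the .reg continuation marker."""
    joined, buf = [], ""
    for raw in text.splitlines():
        buf += raw.strip()              # continuation lines are indented; drop that
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        joined.append(buf)
        buf = ""
    if buf:
        joined.append(buf)
    return joined


def _decode_hex(kind, data):
    """Turn a comma-separated hex byte list into str / list[str] / bytes."""
    raw = bytes(int(b, 16) for b in data.split(",") if b)
    if kind in (REG_EXPAND_SZ, REG_MULTI_SZ):
        strings = raw.decode("utf-16-le", errors="replace").split("\x00")
        if kind == REG_EXPAND_SZ:       # single NUL-terminated string
            return strings[0]
        return [s for s in strings if s]  # NUL-separated, double-NUL terminated
    return raw                          # REG_BINARY: leave as bytes


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export fragment."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line:
            continue
        m = _KEY.match(line)
        if m:
            current = keys.setdefault(m["path"], {})
            continue
        if current is None:
            raise ValueError("value before any [key] header: " + line)
        m = _DWORD.match(line)
        if m:
            current[m["name"]] = int(m["val"], 16)
            continue
        m = _HEX.match(line)
        if m:
            current[m["name"]] = _decode_hex(int(m["kind"] or 3), m["data"])
            continue
        m = _STR.match(line)
        if m:
            current[m["name"]] = m["val"].replace("\\\\", "\\").replace('\\"', '"')
            continue
        raise ValueError("unrecognised .reg line: " + line)
    return keys


def triage_services(keys):
    """Flag service keys whose settings do not fit the service they claim to be."""
    findings = []
    for path, vals in keys.items():
        parts = path.split("\\")
        if "Services" not in parts:
            continue
        name = parts[-1]
        image = vals.get("ImagePath", "")
        if not isinstance(image, str):
            image = ""
        tokens = image.split()
        exe = tokens[0].lower() if tokens else ""   # assumption: unquoted path, no spaces
        in_svchost = exe.endswith("\\svchost.exe")
        if name in SVCHOST_HOSTED and not in_svchost:
            findings.append(f"{name}: built-in shared service should run in svchost.exe, ImagePath is {exe}")
        if " -k " in image and not in_svchost:
            findings.append(f"{name}: '-k <group>' is svchost.exe syntax but the image is a standalone EXE")
        if vals.get("Type", 0) & SERVICE_INTERACTIVE_PROCESS:
            findings.append(f"{name}: Type=0x{vals['Type']:x} has SERVICE_INTERACTIVE_PROCESS set")
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    svc = parsed["HKLM\\SYSTEM\\CurrentControlSet\\Services\\Messenger"]
    print("ImagePath      :", svc["ImagePath"])
    print("DependOnService:", svc["DependOnService"])
    for finding in triage_services(parsed):
        print("FINDING:", finding)
```

Run against a full `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump from a suspect host, the same checks surface any service whose key name borrows a built-in service but whose image is not the expected host process; the dependency list decoded from DependOnService (LanmanWorkstation, NetBIOS, RpcSS) is the same one the real Messenger service declares, which is why the entry looks legitimate at a glance.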

The Trojan performs no further action until the system is restarted or a user logs off and back on. Once its service has started, it loads its .DLL component into the Internet Explorer (iexplore.exe) process so that the malicious code does not show up as a separate process to process monitors and other debugging tools.

Captured keystrokes are written to the text file "hacker.hke" in the System32 folder. The Trojan also lets a remote attacker connect to the compromised system and retrieve this log.

More Info:
When executed, the Trojan replaces itself with a .doc file of the same name and opens it in Winword, so the user believes they only opened a document and never ran an executable. The dropped hacker.exe tries to connect to the server zdqv4kyi.dns4me.com, which was down during analysis; since this is a dynamic DNS name, the server can be brought online and taken offline at any time. The attack is aimed mainly at transport, defence and electrical companies in Holland and the UK, using an email that purports to discuss RVT Environmental Qualification testing. It closely resembles an attack seen on 30 November 2005, and the email originates from the same class C range (in Tianjin, China) as that earlier one.


Recommended Action


FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR

Version Updates

Date Version Detail
2022-08-31 90.05564
2021-10-12 89.05871
2021-07-13 87.00600
2021-05-25 86.00433
2021-04-24 85.00686
2021-04-19 85.00571
2021-03-31 85.00112
2021-03-12 84.00661
2021-03-02 84.00417
2020-12-19 82.65600 Sig Updated