W32/Agent.IL!tr
Analysis
This Trojan may arrive as an attachment to an e-mail message. When run, it installs itself locally into the System32 folder as three files -
c:\WINNT\system32\hacker.asf
c:\WINNT\system32\hacker.exe
c:\WINNT\system32\hacker.hke
The last of these (hacker.hke) is the log written by the Trojan's keylogging routine. The Trojan then registers itself to run as a service, reusing the service name, DisplayName and Description of the built-in Windows Messenger service. Its ImagePath (the hex(2) value below, a REG_EXPAND_SZ in UTF-16LE) decodes to C:\WINNT\System32\hacker.exe -k netsvcs; the trailing "-k netsvcs" mimics the svchost.exe command line of the genuine service. Type 0x110 marks it as an own-process, interactive service, Start 2 makes it start automatically, and it runs as LocalSystem -
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,68,00,61,00,63,00,6b,00,65,\
00,72,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,6e,00,65,00,74,00,\
73,00,76,00,63,00,73,00,00,00
"DisplayName"="Messenger"
"DependOnService"=hex(7):4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,00,\
6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4e,00,65,00,74,00,42,\
00,49,00,4f,00,53,00,00,00,52,00,70,00,63,00,53,00,53,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"="Sends and receives messages transmitted by administrators or by the Alerter service."
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
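The service key above is easier to reason about once the hex(2) and hex(7) values are decoded. The following Python script is an added example, not part of the Fortinet write-up: it parses a .reg-style fragment constructed from the registry data listed above (hex values copied verbatim), decodes ImagePath and DependOnService, expands the Type and Start flags, and reports why the entry is suspect. The expectation that a genuine Messenger service is hosted by svchost.exe is an assumption based on Windows 2000/XP defaults, as is the audit_service helper itself.

```python
"""Decode the Messenger service key from the analysis and flag why it is suspect.

Added example, not part of the Fortinet write-up.  REG_DUMP is constructed
from the registry data in the analysis (hex values copied verbatim); the
expectation that the real Messenger service is hosted by svchost.exe is an
assumption based on Windows 2000/XP defaults.
"""
import re

# Constructed input: the Services\Messenger key as listed in the analysis.
REG_DUMP = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,68,00,61,00,63,00,6b,00,65,\
  00,72,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,6e,00,65,00,74,00,\
  73,00,76,00,63,00,73,00,00,00
"DisplayName"="Messenger"
"DependOnService"=hex(7):4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,00,\
  6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4e,00,65,00,74,00,42,\
  00,49,00,4f,00,53,00,00,00,52,00,70,00,63,00,53,00,53,00,00,00,00,00
"ObjectName"="LocalSystem"
'''

# SERVICE_* bit values from winsvc.h / the SCM documentation.
SERVICE_TYPE_BITS = {0x10: "SERVICE_WIN32_OWN_PROCESS",
                     0x20: "SERVICE_WIN32_SHARE_PROCESS",
                     0x100: "SERVICE_INTERACTIVE_PROCESS"}
START_TYPE = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
              3: "DEMAND_START", 4: "DISABLED"}


def _join_continuations(text):
    """Glue .reg lines that end in a backslash onto the previous line."""
    out = []
    for line in text.splitlines():
        if out and out[-1].endswith("\\"):
            out[-1] = out[-1][:-1] + line.strip()
        else:
            out.append(line.strip())
    return out


def _hex_bytes(payload):
    return bytes(int(h, 16) for h in payload.split(",") if h)


def parse_reg(text):
    """Return {key: {value_name: decoded value}} for a .reg export fragment."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = m.groups()
        if val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith("hex(2):"):   # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            keys[current][name] = _hex_bytes(val[7:]).decode("utf-16-le").rstrip("\x00")
        elif val.startswith("hex(7):"):   # REG_MULTI_SZ: NUL-separated, double NUL at end
            text16 = _hex_bytes(val[7:]).decode("utf-16-le")
            keys[current][name] = [s for s in text16.split("\x00") if s]
        elif val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1]
        else:
            keys[current][name] = val         # other value types kept as raw text
    return keys


def describe_type(t):
    """Expand a Type dword into the SERVICE_* flag names that are set."""
    return [name for bit, name in SERVICE_TYPE_BITS.items() if t & bit]


def audit_service(values, expected_host="svchost.exe"):
    """Findings for a service key that, if genuine, should be hosted by svchost.exe.
    (Assumed baseline; adjust expected_host for services that legitimately run
    their own binary.)"""
    findings = []
    image = values.get("ImagePath", "")
    if expected_host not in image.lower():
        findings.append(f"ImagePath {image!r} does not run {expected_host}")
    if values.get("Type", 0) & 0x100:
        findings.append("SERVICE_INTERACTIVE_PROCESS set")
    if values.get("Start") == 2:
        findings.append("starts automatically at boot")
    if values.get("ObjectName", "").lower() == "localsystem":
        findings.append("runs as LocalSystem")
    return findings


if __name__ == "__main__":
    svc = parse_reg(REG_DUMP)[
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger"]
    print("ImagePath      :", svc["ImagePath"])
    print("Type           :", describe_type(svc["Type"]))
    print("Start          :", START_TYPE[svc["Start"]])
    print("DependOnService:", svc["DependOnService"])
    for finding in audit_service(svc):
        print("FINDING:", finding)
```

Running the script prints the decoded ImagePath (C:\WINNT\System32\hacker.exe -k netsvcs), the own-process plus interactive type flags, the AUTO_START start type and the three service dependencies, then four findings. The same parser can be pointed at a full export of HKLM\SYSTEM\CurrentControlSet\Services to look for any other shared-process service name whose ImagePath has been redirected to a stand-alone binary.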
The Trojan takes no further action until the system restarts or a user logs off and back on. Once loaded at Windows startup, it injects its DLL component into the Internet Explorer (iexplore.exe) process space, which hides its activity from process monitors and other debugging tools (the file list above does not identify which of the dropped files is this component).
All keystrokes are captured into the text file hacker.hke in the System32 folder. The Trojan also accepts connections from a remote attacker, who can retrieve the log file and use the captured keystrokes.
More Info:
When launched, this Trojan replaces itself with a .doc file of the same name and opens it in Winword, so the user believes he merely opened a document rather than running an executable. The dropped hacker.exe tries to connect to the server zdqv4kyi.dns4me.com, which was down during analysis; since it is a dynamic DNS name, the server can be brought online and offline at will. The attack is aimed mainly at transport, defence and electrical companies based in Holland and the UK, and the lure e-mail purports to discuss RVT Environmental Qualification testing. It closely resembles another attack that occurred on 30 November 2005; the e-mail originates from the same class C range (Tianjin, China) as that one.
Recommended Action
FortiGate systems:
- check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |