W32/Sectho.C!tr
Analysis
Specifics
The Trojan downloads adware components from numerous web addresses, including these -
146.82.109.210
199.221.131.110
206.252.133.205
209.202.248.103
216.127.90.68
216.177.81.230
69.28.208.77
69.28.210.150
69.90.32.141
81.52.249.158
www.2nd-thought.com
The Sectho.C Trojan connects to multiple web addresses in an attempt to deliver a cocktail of adware components. Many of these components, when run, modify the registry so that they load at the next Windows startup.
Loading At Windows Startup
If the Trojan is run, it may install itself to the Windows system folder and modify the registry to auto-run at the next Windows startup, as in this example -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"stcloader" = C:\WINNT\System32\stcloader.exe
The file "stcloader.exe" runs as a resident process. It repeatedly contacts various websites and downloads executable files; these executables deliver ad content to the compromised system. Below is a list of auto-run entries that may be created when the adware components downloaded by this Trojan are run -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TB_setup" = tb_setup.exe /dcheck
"VCJQXELSZ" = C:\WINNT\VCJQXELSZ.exe
"version" = C:\WINNT\System32\manage.exe
"WinEssential" = C:\WINNT\System32\keyword.exe
"ClrSchLoader" = C:\Program Files\ClearSearch\Loader.exe
"msbb" = C:\Program Files\STC\msbb.exe
"RunDLL" = rundll32.exe "C:\WINNT\System32\bridge.dll",Load
"SAHAgent" = C:\WINNT\System32\SahAgent.exe
"slmss" = C:\Program Files\Common Files\slmss\slmss.exe
"SQConfigChecker" = C:\Program Files\Sqwire\cc.exe
"SQUpdatesChecker" = C:\Program Files\Sqwire\uc.exe
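To turn the auto-run list above into a repeatable check, the following Python script (an added example, not part of the original analysis and not a Fortinet tool) parses the output of "reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg" and flags entries that match the indicators listed. The .reg content embedded in the script is constructed for illustration, and the choice to treat "version" and "RunDLL" as too generic to match on name alone is the example's own.

```python
import re

# Auto-run indicators from the W32/Sectho.C!tr analysis above, as
# (value name, distinctive tail of the command line). Matching on the tail
# rather than the full path keeps the check independent of the Windows
# folder name (C:\WINNT on NT/2000, C:\WINDOWS elsewhere).
RUN_KEY_IOCS = [
    ("stcloader", r"System32\stcloader.exe"),
    ("TB_setup", r"tb_setup.exe /dcheck"),
    ("VCJQXELSZ", r"\VCJQXELSZ.exe"),
    ("version", r"System32\manage.exe"),
    ("WinEssential", r"System32\keyword.exe"),
    ("ClrSchLoader", r"ClearSearch\Loader.exe"),
    ("msbb", r"STC\msbb.exe"),
    ("RunDLL", r"System32\bridge.dll"),
    ("SAHAgent", r"System32\SahAgent.exe"),
    ("slmss", r"slmss\slmss.exe"),
    ("SQConfigChecker", r"Sqwire\cc.exe"),
    ("SQUpdatesChecker", r"Sqwire\uc.exe"),
]

# "version" and "RunDLL" are names legitimate software also uses, so they
# are flagged only when the command line matches; the rest match on name too.
GENERIC_NAMES = {"version", "rundll"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# One REG_SZ line of a .reg file: "name"="data" (backslashes and quotes
# inside name and data are escaped with a backslash).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key path: {value name: string data}} from 'reg export' output.

    Only REG_SZ values are kept; that is all the Run key normally holds.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_sectho_autoruns(keys):
    """Return [(value name, command line, matched indicator)] for Run entries
    that match the Sectho.C indicator list."""
    run_values = {}
    for path, values in keys.items():
        if path.lower() == RUN_KEY.lower():
            run_values.update(values)
    hits = []
    for name, data in run_values.items():
        for ioc_name, tail in RUN_KEY_IOCS:
            name_hit = (name.lower() == ioc_name.lower()
                        and ioc_name.lower() not in GENERIC_NAMES)
            data_hit = tail.lower() in data.lower()
            if name_hit or data_hit:
                hits.append((name, data, ioc_name))
                break
    return hits


# Constructed sample: what 'reg export HKLM\...\Run run.reg' might contain on
# an infected machine, with two clean entries mixed in. Not a real capture.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"stcloader"="C:\\WINNT\\System32\\stcloader.exe"
"RunDLL"="rundll32.exe \"C:\\WINNT\\System32\\bridge.dll\",Load"
"version"="C:\\Program Files\\SomeVendor\\version.exe"
"SQConfigChecker"="C:\\Program Files\\Sqwire\\cc.exe"
'''

if __name__ == "__main__":
    for name, data, ioc in find_sectho_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{name!r} = {data}  <- matches Sectho.C indicator {ioc!r}")
```

A real "reg export" file is UTF-16LE with a byte-order mark, so read it with open(path, encoding="utf-16") before passing the text in. The same parser handles an export of the per-user Run key under HKEY_CURRENT_USER if RUN_KEY is adjusted to that path.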
Web Delivery Of Adware Components
The Trojan first downloads an adware component from 2nd-thought.com as "stcloader.exe" and executes it. This adware application then begins a steady process of connecting to various websites and downloading, and running, executable files. This is done without the user's consent, with the exception of one dialog box asking if the user would like to install something from "The Good Download Corp.".
The Trojan uses a plain HTTP GET request to retrieve binary files from web servers associated with pop-up ad delivery. Once a binary is retrieved it is executed, which in many cases installs the downloaded component as an Internet Explorer Browser Helper Object (BHO).
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Using the FortiGate manager, add these web addresses to the URL block section -
146.82.109.210
199.221.131.110
206.252.133.205
209.202.248.103
216.127.90.68
216.177.81.230
69.28.208.77
69.28.210.150
69.90.32.141
81.52.249.158
www.2nd-thought.com
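Blocking the addresses at the FortiGate stops further downloads; to find machines that have already contacted them, the following Python script (an added example, not part of the original analysis and not a Fortinet tool) runs the same address list over web-proxy access-log lines and reports the internal clients involved. It assumes the Squid native access.log layout; the log lines it carries are constructed for illustration, not a real capture.

```python
import re
from urllib.parse import urlsplit

# Download sources named in the W32/Sectho.C!tr analysis above.
SECTHO_HOSTS = {
    "146.82.109.210", "199.221.131.110", "206.252.133.205", "209.202.248.103",
    "216.127.90.68", "216.177.81.230", "69.28.208.77", "69.28.210.150",
    "69.90.32.141", "81.52.249.158", "www.2nd-thought.com",
}

# Squid native access.log layout, space separated:
# time elapsed client result/status bytes method URL user hierarchy/peer type
_SQUID_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def _url_host(url):
    # CONNECT requests are logged as "host:port" with no scheme.
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_squid_line(line):
    """Return a dict of fields for one access.log line, or None if malformed."""
    m = _SQUID_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = _url_host(rec["url"])
    # "DIRECT/69.28.208.77" records the server the proxy actually reached,
    # which catches hosts requested by name but served from a listed IP.
    rec["peer"] = rec["hier"].split("/", 1)[1] if "/" in rec["hier"] else ""
    return rec


def find_sectho_downloads(lines, blocklist=SECTHO_HOSTS):
    """Return one record per request to a listed host, noting why it matched.
    Denied requests are kept: a blocked fetch still shows the client tried."""
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        why = []
        if rec["host"] in blocklist:
            why.append("url host")
        if rec["peer"] in blocklist:
            why.append("peer ip")
        if why:
            hits.append({"client": rec["client"], "url": rec["url"],
                         "status": rec["result"], "why": ", ".join(why)})
    return hits


def infected_clients(hits):
    """Distinct internal addresses that contacted a listed host."""
    return sorted({h["client"] for h in hits})


# Constructed sample log lines (not a real capture); 192.0.2.10 is a
# documentation address standing in for an unrelated, legitimate site.
SAMPLE_ACCESS_LOG = """\
1089212340.117    312 10.1.2.15 TCP_MISS/200 9812 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1089212345.201    454 10.1.2.15 TCP_MISS/200 86016 GET http://www.2nd-thought.com/stcloader.exe - DIRECT/69.28.208.77 application/octet-stream
1089212401.552    128 10.1.2.15 TCP_MISS/200 221184 GET http://216.127.90.68/cgi-bin/get.cgi?id=7 - DIRECT/216.127.90.68 application/octet-stream
1089212410.003   1020 10.1.2.40 TCP_TUNNEL/200 4096 CONNECT 81.52.249.158:443 - DIRECT/81.52.249.158 -
1089212415.777     88 10.1.2.22 TCP_DENIED/403 1420 GET http://209.202.248.103/ads/tb_setup.exe - HIER_NONE/- text/html
"""

if __name__ == "__main__":
    hits = find_sectho_downloads(SAMPLE_ACCESS_LOG.splitlines())
    for h in hits:
        print(f'{h["client"]} {h["status"]} {h["url"]}  ({h["why"]})')
    print("clients to inspect:", ", ".join(infected_clients(hits)))
```

Requests that the proxy denied are reported alongside successful ones on purpose: once the URL block is in place, a denied fetch of "stcloader.exe" or "tb_setup.exe" is the sign that a client is already running the downloader and should be cleaned rather than just blocked.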