Internet Security News & Views

Tech Info

Technical Information pages relating to Malware, Trojans, etc.

Win32/TrojanDownloader:

Win32/TrojanDownloader is a family of Trojans for 32-bit Windows systems that, when executed, drop .DLL components.
This .DLL component may register itself as a system service that is loaded by the legitimate Windows process “svchost.exe”. It may also inject code into other system processes, such as “winlogon.exe”.

Payload

The .DLL component of Win32/TrojanDownloader is capable of performing the following malicious actions:

Record the user's keystrokes
Download other malware from remote websites

—————————————–

Trojan found in Booking.com Scam:

Here is more information about this particular Trojan.

Inside the zip attachment is an executable file.

This Trojan specifically targets Trusteer’s security products by attaching itself to the execution of some of Trusteer’s processes.

If the file is executed, it performs the following activities.

It injects code into svchost.exe.

It creates the following files:

%windir%\system32\A37C0BC49C3B4DC6F27C.exe (Copy of itself)
\Program Files\Trusteer\Rapport\bin\RapportService.exe
%windir%\RPService.exe

The following registry entry will be modified to ensure infection on reboot:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%windir\system32\userinit.exe,%windir%\System32\A37C0BC49C3B4DC6F27C.exe,”

It creates the following registry entries to add itself as a debugger for Trusteer processes. This ensures it is executed in the execution sequence of these Trusteer products:

HKLM\SOFTWARE\Classes\MyEze.1\shell\open\command\: “%SystemRoot%\system32\RPService.exe %0 %1 %2”
HKLM\SOFTWARE\Classes\MyEze.1\shell\edit\command\: “%SystemRoot%\system32\RPService.exe %0 %1 %2”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe    Debugger    “RPService.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe    Debugger    “RPService.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup-Full.exe    Debugger    “RPXService.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup.exe    Debugger    “RPXService.exe”

It contacts a remote command and control server for further instructions:
{domain}/ljfsfggghgyuh/Usd4tr6791.php

—————————————–

Omniquad’s Mailwall Remote team has been analyzing the malware found in the most recent wave of Facebook email scams. They intercepted the malware, detected as Worm:Win32/Gamarue.I.

How does Worm:Win32/Gamarue.I affect your system?

It is a malicious computer worm that makes use of vulnerabilities in network channels to infect computers.

Once installed, it may disable security software, block security-related online services and add dangerous payloads onto the infected computer system.

It also consumes a large amount of system resources, slowing PC performance. The worm infects many system files by attaching itself to them and rewriting file names.

It makes the computer behave abnormally and the system unstable. This infection changes your registry settings and other important Windows system files.

If it is not removed it can cause a complete computer crash.

Some infections contain Trojans and keyloggers that can be used to steal sensitive data such as passwords, credit card and bank account information. So it is very important to remove it as early as possible, before it steals your information.

Remove it immediately before it starts wreaking havoc on the system.

How to remove Worm:Win32/Gamarue.I

1. Restart the computer in safe mode (press and hold the F8 key as the computer restarts, and then select “Safe Mode” on the boot menu).

2. Delete the file:

<%Documents and Settings%>\<%User%>\svchost.exe

3. Delete Registry Entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched

4. Clean the folder:

%Temp%

5. Clean the Temporary Internet Files folder, which contains infected files.

6. Install the latest Windows updates.

7. Run a full scan of your computer using the Antivirus program with the latest updated definition database.
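The registry changes listed for the Booking.com Trojan above (the Image File Execution Options “Debugger” values and the extra Winlogon Userinit entry), the Run entry and the user-profile svchost.exe copy from the Gamarue removal steps, and the service DLL loaded by svchost.exe described for Win32/TrojanDownloader can all be checked offline from a registry export. The Python script below is an added example, not code from this blog or from Omniquad: it parses a .reg file in the format written by `reg export` and flags those four persistence patterns. The export embedded in it is constructed for the demonstration; the names in it (Alice, evilsvc, LegitSvc, update.dll) are placeholders, and the path check assumes the system root is C:\Windows.

```python
"""Offline triage of a Windows registry export (.reg) for the persistence
techniques on this page: IFEO Debugger hijacks, extra Winlogon Userinit
entries, Run entries launching svchost.exe from outside System32, and
service DLLs loaded by svchost.exe from outside System32. Added example,
not the blog's or Omniquad's code; SAMPLE_REG is constructed, not real."""
import re

# Constructed sample in `reg export` format (REG_EXPAND_SZ values are hex(2) UTF-16LE byte lists).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\A37C0BC49C3B4DC6F27C.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
"Debugger"="RPService.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Documents and Settings\\Alice\\svchost.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evilsvc\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,50,00,\
  75,00,62,00,6c,00,69,00,63,00,5c,00,75,00,70,00,64,00,61,00,74,00,65,00,2e,00,\
  64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LegitSvc\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\legitsvc.dll"
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

def _unescape(s):
    # .reg string syntax escapes only backslash and double quote
    return re.sub(r'\\(["\\])', r"\1", s)

def _decode_value(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes.fromhex(raw[len("hex(2):"):].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # dword:, hex:, hex(7): and other types kept verbatim

def parse_reg_export(text):
    """Return {key path: {value name: decoded value}} for .reg text."""
    logical = []
    for line in text.splitlines():
        if logical and logical[-1].endswith("\\"):  # wrapped hex value continues
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.rstrip())
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := _VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode_value(m.group(2))
    return keys

def _in_system_dir(path):
    # Assumes the default system root C:\Windows when expanding variables.
    expanded = re.sub(r"%(systemroot|windir)%", lambda _: "C:\\Windows", path, flags=re.I)
    return any(d in expanded.lower() for d in _SYSTEM_DIRS)

def find_persistence(keys):
    """Return (check, subject, detail) tuples for suspicious entries."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        # IFEO: a Debugger value diverts every launch of the named program
        if "\\image file execution options\\" in k and "Debugger" in values:
            findings.append(("ifeo_debugger", key.rsplit("\\", 1)[1], values["Debugger"]))
        # Userinit should list only userinit.exe; extra entries run at each logon
        if k.endswith("\\winlogon") and "Userinit" in values:
            entries = [e.strip() for e in values["Userinit"].split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("userinit_extra", "Userinit", "; ".join(extra)))
        # Run/RunOnce entries that launch an svchost.exe outside System32
        if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, cmd in values.items():
                if "svchost.exe" in cmd.lower() and not _in_system_dir(cmd):
                    findings.append(("run_svchost_outside_system32", name, cmd))
        # svchost-hosted service DLLs normally live under System32
        if "\\services\\" in k and k.endswith("\\parameters") and "ServiceDll" in values:
            if not _in_system_dir(values["ServiceDll"]):
                findings.append(("servicedll_outside_system32", key.split("\\")[-2], values["ServiceDll"]))
    return findings

if __name__ == "__main__":
    # Real host: find_persistence(parse_reg_export(open("hive.reg", encoding="utf-16").read()))
    for check, subject, detail in find_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"{check:30} {subject:22} {detail}")
```

On a real host, export the relevant hives with `reg export HKLM\SOFTWARE hklm-software.reg` and `reg export HKLM\SYSTEM hklm-system.reg`; the file is written as UTF-16, so open it with encoding="utf-16" before passing the text to parse_reg_export. A Debugger value under Image File Execution Options is occasionally set by legitimate tooling, so each finding is a lead to review against the indicators above rather than a verdict on its own.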
