
Trojan.Sakurel


First posted on 28 February 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Sakurel.

Explanation :

The Trojan is downloaded from malicious URLs that exploit the following vulnerability:
Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)

When the Trojan is executed, it copies itself to the following location:
%Temp%\MicroMedia\MediaCenter.exe

It then drops and registers the following file as an ActiveX component:
%Temp%\MicroMedia\MicroSoftSecurityLogin.ocx

The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MicroMedia" = "%Temp%\MicroMedia\MediaCenter.exe"

It also creates the following registry entries (the InprocServer32 values use the 8.3 short form of the dropped path, so MICROM~1\MICROS~1.OCX is %Temp%\MicroMedia\MicroSoftSecurityLogin.ocx; a check that only matches the long names will miss these values):
HKEY_CLASSES_ROOT\CLSID\{7ECC23E8-41D6-492E-BFF6-8551E11CF286}\InprocServer32\"(Default)" = "%Temp%\MICROM~1\MICROS~1.OCX"
HKEY_CLASSES_ROOT\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\InprocServer32\"(Default)" = "%Temp%\MICROM~1\MICROS~1.OCX"
HKEY_CLASSES_ROOT\SECURE.SecureCtrl.1\"(Default)" = "Secure Control"
HKEY_CLASSES_ROOT\SECURE.SecureCtrl.1\CLSID\"(Default)" = "{9A2AA809-5F01-456E-883F-F37C1513FEF7}"
Next, the Trojan modifies the hosts file so that the following host names resolve to the listed addresses (shown here as name, then address; the hosts file itself is written address first):
csg.secure.snecma.fr 217.108.170.94
ctx.secure.snecma.fr 217.108.170.81
fdm.secure.snecma.fr 217.108.170.23
qa.fdm.secure.snecma.fr 217.108.170.27
qa.indigo.secure.snecma.fr 217.108.170.98
pi.secure.snecma.fr 217.108.170.96
qa.secure.snecma.fr 217.108.170.88
qasd.secure.snecma.fr 217.108.170.87
sd.secure.snecma.fr 217.108.170.199
int.tcua.secure.snecma.fr 217.108.170.18
qa.tcua.secure.snecma.fr 217.108.170.13
secure.snecma.fr 217.108.170.196
It then connects to the following remote server and opens a remote shell:
oa.ameteksen.com

The Trojan may also monitor browser activity and download additional files.
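The indicators above are the kind of thing a responder checks across many machines from collected artifacts rather than by hand. The Python script below is an added example, not part of Symantec's write-up or of this page: it reads a copy of the hosts file and a text registry export (as produced by "reg export", already decoded from UTF-16 to a str) and reports the Run value, the two CLSIDs, the ProgID, the dropped-file paths (in both long and 8.3 short form) and the pinned host names listed above. The sample hosts and .reg contents are constructed; the user profile path and the non-Sakurel entries in them are placeholders.

```python
"""Offline check of a collected hosts file and registry export for the
Trojan.Sakurel indicators described above (added example; sample data is constructed)."""
import re
from typing import List

# Indicators as listed on this page.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MicroMedia"
CLSIDS = {"{7ECC23E8-41D6-492E-BFF6-8551E11CF286}",
          "{9A2AA809-5F01-456E-883F-F37C1513FEF7}"}
PROGID = "SECURE.SecureCtrl.1"
C2_HOST = "oa.ameteksen.com"
PINNED_HOSTS = {
    "csg.secure.snecma.fr", "ctx.secure.snecma.fr", "fdm.secure.snecma.fr",
    "qa.fdm.secure.snecma.fr", "qa.indigo.secure.snecma.fr", "pi.secure.snecma.fr",
    "qa.secure.snecma.fr", "qasd.secure.snecma.fr", "sd.secure.snecma.fr",
    "int.tcua.secure.snecma.fr", "qa.tcua.secure.snecma.fr", "secure.snecma.fr",
}
# Dropped-file paths in long form and in the 8.3 short form that the CLSID
# entries use; matching only the long names would miss the InprocServer32 values.
PATH_FRAGMENTS = (r"micromedia\mediacenter.exe",
                  r"micromedia\microsoftsecuritylogin.ocx",
                  r"microm~1\micros~1.ocx")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')


def scan_hosts(hosts_text: str) -> List[str]:
    """One finding per hosts line that pins a listed name or the C2 host.
    hosts lines are '<address> <name> [<name>...]'; '#' starts a comment."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            name = name.lower()
            if name in PINNED_HOSTS or name == C2_HOST:
                findings.append(f"hosts:{lineno}: {name} pinned to {addr}")
    return findings


def _unescape(data: str) -> str:
    """Undo .reg string quoting: surrounding quotes plus \\ and \" escapes."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data  # dword:/hex: values are left as written


def scan_reg_export(reg_text: str) -> List[str]:
    """Walk 'reg export' text (decoded from UTF-16) and report Sakurel keys
    and values. Multi-line hex values are not reassembled; they carry no paths."""
    findings = []
    key_parts: List[str] = []
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = _KEY_RE.match(line)
        if km:
            key = km.group("key")
            key_parts = key.split("\\")
            if any(p.upper() in CLSIDS for p in key_parts):
                findings.append(f"Sakurel CLSID registered: {key}")
            elif (len(key_parts) >= 2 and key_parts[0].upper() == "HKEY_CLASSES_ROOT"
                  and key_parts[1].upper() == PROGID.upper()):
                findings.append(f"Sakurel ProgID registered: {key}")
            continue
        vm = _VALUE_RE.match(line)
        if not vm or not key_parts:
            continue
        name = vm.group("name") if vm.group("name") is not None else "(Default)"
        data = _unescape(vm.group("data"))
        key = "\\".join(key_parts)
        if key.upper() == RUN_KEY.upper() and name.upper() == RUN_VALUE.upper():
            findings.append(f"run-key persistence: {name} = {data}")
        elif any(frag in data.lower() for frag in PATH_FRAGMENTS):
            findings.append(f"dropped-file path under {key}: {data}")
    return findings


# Constructed sample artifacts (not real captures); "alice" is a placeholder profile.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
217.108.170.94  csg.secure.snecma.fr
217.108.170.196 secure.snecma.fr   # trailing comment must not break parsing
10.0.0.5        intranet.example.local
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"MicroMedia"="C:\\Users\\alice\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

[HKEY_CLASSES_ROOT\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\MICROM~1\\MICROS~1.OCX"

[HKEY_CLASSES_ROOT\SECURE.SecureCtrl.1\CLSID]
@="{9A2AA809-5F01-456E-883F-F37C1513FEF7}"
"""

if __name__ == "__main__":
    for finding in scan_hosts(SAMPLE_HOSTS) + scan_reg_export(SAMPLE_REG):
        print(finding)
```

On a live export, run "reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and "reg export HKCR\CLSID" (or a full hive export) and decode the file with the utf-16 codec before passing it in; the script deliberately matches on CLSIDs and on the short-form path, since the Run value and the InprocServer32 values name the same dropped files differently.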

Last update 28 February 2014

 
