
Trojan.Destfallen


First posted on 12 December 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Destfallen.

Explanation :

When the Trojan is executed, it creates the following files:
%Temp%\XmlLite.dll
%Temp%\wsss.dll
The Trojan then copies wordpad.exe to the following location and executes the copy:
%Temp%\Wordpad.exe
XmlLite.dll is the name of a legitimate Windows system DLL; dropping a file of that name beside a copied executable and launching the copy is consistent with DLL search-order hijacking of the copied program.
Next, the Trojan may copy itself to one of the following locations:
%System%\bddsvc.dll
%System%\iconsvc.dll
%System%\ehressvc.dll
%System%\netstsvc.dll
%System%\pnas.dll
%System%\pnrpmchname.dll
%System%\pwpsvc.dll
%System%\pcssvc.dll
%System%\rregconf.dll
%System%\scardmngsvc.dll
%System%\tcpmsvc.dll
%System%\tschmng.dll
%System%\mmthread.dll
%System%\wcmngsvc.dll
%System%\coladj.dll
%System%\wndmodmng.dll
%System%\timesyncsvc.dll
%System%\wiredconfsvc.dll
%System%\wlanconf.dll
%System%\wstmng.dll
The Trojan then creates a service with the following properties:
Display name (one of the following; the order matches the file list above):
BitLocker Drive Decryption Service
Internet Connection Service
Media Center Service
Network Storage Service
Peer Networking Address
PNRP Machine Name
Power Policy
Program Compatibility Service
Remote Registry Configuration
Smart Card Management Service
Tablet PC Management Service
Task Schedule Manager
Thread Ordering Service
WebClient Manage Service
Windows Color Adjustment
Windows Modules Management
Windows Time Synchronization
Wired Config Service
WLAN Config Service
Workstation management
Description (one of the following, in the same order):
BDESVC hosts the BitLocker Drive Decryption service.
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Allows Media Center to locate and connect to the computer.
This service delivers network notifications (e.
Enables multi-party communication using Peer-to-Peer Connecting.
This service publishes a machine name using the Peer Name Resolution Protocol.
Manages power policy and power policy notification delivery.
This service provides support for the Program Compatibility Assistant (PCA).
Enables remote users to modify registry configurations on this computer.
Manages access to smart cards read by this computer.
Enables Tablet PC pen and ink functionality.
Enables a user to configure and schedule automated tasks on this computer.
Provides ordered execution for a group of threads within a specific period of time.
Enables Windows-based programs to create, access, and modify Internet-based files.
The WcasPlugInService service hosts third-party Windows Color System color device model and gamut map model plug-in modules.
Enables installation, modification, and removal of Windows updates and optional components.
Maintains date and time synchronization on all clients and servers in the network.
The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X
The WLANSVC service provides the logic required to configure, discover, connect to, and disconnect from a wireless local area network.
Creates and maintains client network connections to remote servers using the SMB protocol.
The display names are near-misses of legitimate Windows service names (for example the real BitLocker service is "BitLocker Drive Encryption Service") and the descriptions are close copies of the legitimate services' descriptions, so neither alone distinguishes this service from a genuine one; the path of the DLL the service loads is the reliable discriminator.
The Trojan may then delete the following files:
%Temp%\Wordpad.exe
%Temp%\XmlLite.dll
%Temp%\wsss.dll
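The following Python script is an added triage example, not part of the Symantec writeup, that checks a Windows host for the persistence artefacts listed above. The matching functions are pure and run anywhere; live collection reads the service registry and needs Windows. It assumes the Trojan's DLL is registered either as ServiceDll under the service's Parameters key (svchost-hosted) or directly in ImagePath, which the writeup does not state, and it matches display names exactly rather than descriptions, because the descriptions mirror those of legitimate services and would produce false positives.

```python
"""Added triage helper for the Trojan.Destfallen artefacts described above.

Matching logic is pure Python and runs anywhere; live collection uses the
Windows registry and therefore only works on a Windows host.
"""
import ntpath  # Windows path semantics even when run elsewhere
import os

try:
    import winreg  # Windows only
except ImportError:  # not on Windows: live collection unavailable
    winreg = None

# File names the Trojan may copy itself to under %System% (from the writeup).
DESTFALLEN_DLLS = {
    "bddsvc.dll", "iconsvc.dll", "ehressvc.dll", "netstsvc.dll", "pnas.dll",
    "pnrpmchname.dll", "pwpsvc.dll", "pcssvc.dll", "rregconf.dll",
    "scardmngsvc.dll", "tcpmsvc.dll", "tschmng.dll", "mmthread.dll",
    "wcmngsvc.dll", "coladj.dll", "wndmodmng.dll", "timesyncsvc.dll",
    "wiredconfsvc.dll", "wlanconf.dll", "wstmng.dll",
}

# Service display names from the writeup. Matched exactly: they are near-misses
# of legitimate names, and the descriptions are close copies of legitimate ones,
# so matching on description would also hit genuine Windows services.
DESTFALLEN_DISPLAY_NAMES = {
    "BitLocker Drive Decryption Service", "Internet Connection Service",
    "Media Center Service", "Network Storage Service",
    "Peer Networking Address", "PNRP Machine Name", "Power Policy",
    "Program Compatibility Service", "Remote Registry Configuration",
    "Smart Card Management Service", "Tablet PC Management Service",
    "Task Schedule Manager", "Thread Ordering Service",
    "WebClient Manage Service", "Windows Color Adjustment",
    "Windows Modules Management", "Windows Time Synchronization",
    "Wired Config Service", "WLAN Config Service", "Workstation management",
}

# Staging files dropped in %Temp%; the Trojan may delete them afterwards, so
# absence proves nothing, but presence is a strong indicator.
TEMP_ARTEFACTS = ("Wordpad.exe", "XmlLite.dll", "wsss.dll")


def classify_service(display_name, binary_path):
    """Return the reasons a service record matches the writeup's indicators.

    binary_path is the ServiceDll (svchost-hosted services) or the ImagePath.
    """
    reasons = []
    if display_name in DESTFALLEN_DISPLAY_NAMES:
        reasons.append("display name is on the Destfallen list")
    if binary_path:
        base = ntpath.basename(binary_path.strip('"')).lower()
        if base in DESTFALLEN_DLLS:
            reasons.append(f"service binary {base} is on the Destfallen list")
    return reasons


def find_suspicious_services(records):
    """records: iterable of (service_name, display_name, binary_path) tuples."""
    hits = {}
    for service_name, display_name, binary_path in records:
        reasons = classify_service(display_name, binary_path)
        if reasons:
            hits[service_name] = reasons
    return hits


def find_artefact_files(system_dir, temp_dir, exists=os.path.exists):
    """Return the writeup's file paths that exist under the given directories."""
    candidates = [ntpath.join(system_dir, n) for n in sorted(DESTFALLEN_DLLS)]
    candidates += [ntpath.join(temp_dir, n) for n in TEMP_ARTEFACTS]
    return [p for p in candidates if exists(p)]


def _reg_value(parent, subkey, value_name):
    try:
        with winreg.OpenKey(parent, subkey) as key:
            return winreg.QueryValueEx(key, value_name)[0]
    except OSError:
        return None


def collect_services_from_registry():
    """Windows only: read every service under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:  # no more subkeys
                break
            index += 1
            # Assumption: the DLL is registered as ServiceDll (svchost-hosted)
            # or directly as ImagePath; the writeup does not say which.
            binary = (_reg_value(services, name + r"\Parameters", "ServiceDll")
                      or _reg_value(services, name, "ImagePath"))
            records.append((name, _reg_value(services, name, "DisplayName"), binary))
    return records


if __name__ == "__main__":
    if winreg is None:
        raise SystemExit("live collection needs Windows; the matching functions still work")
    system_dir = ntpath.join(os.environ["SystemRoot"], "System32")
    for svc, why in find_suspicious_services(collect_services_from_registry()).items():
        print(f"[!] service {svc}: {'; '.join(why)}")
    for path in find_artefact_files(system_dir, os.environ["TEMP"]):
        print(f"[!] file present: {path}")
```

Run it elevated on the suspect host so that every service key and %System% are readable; a hit on the service binary name is stronger than a hit on the display name alone, since the binary names have no legitimate counterpart.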
If the date on the compromised computer is later than 11:00 AM on December 10, 2014, the Trojan overwrites files with the following extensions on fixed and removable drives:
.hwp
.doc
.pdf
.docx
.alz
.zip
.rar
.egg
.iso
.exe
.dll
.sys
The Trojan then attempts to overwrite the master boot record (MBR) and shut down Windows.

Once the computer restarts, the Trojan displays the following message:
Who am I?
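The following Python script is an added forensic check, not part of the Symantec writeup, for the MBR overwrite described above. It reads sector 0 of a disk image or raw device and reports whether it still carries a boot signature, a non-empty partition table and non-zero boot code. The writeup does not say what the Trojan writes over the MBR, so the "overwritten" sample below is a constructed zero-filled sector; a GPT disk's protective MBR (partition type 0xEE) will report as intact, and a damaged sector on its own does not attribute the damage to this Trojan.

```python
"""Added forensic check for the MBR overwrite described above.

Reads the first sector of a disk image or raw device and reports whether it
still looks like a valid MBR. The sample sectors are constructed inline.
"""
import struct
import sys

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR
# entry layout: status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sectors
PART_ENTRY = "<B3xB3xII"


def parse_mbr(sector):
    """Decode boot-code state, partition table and signature of one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_empty": not any(sector[:PART_TABLE_OFFSET]),
        "partitions": partitions,
    }


def assess_mbr(sector):
    """Classify a sector as 'intact', 'overwritten' or 'suspect'."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "overwritten"   # no 55AA: a BIOS boot will not even start this sector
    if not info["partitions"] or info["boot_code_empty"]:
        return "suspect"       # signature survived but the table or the code is gone
    return "intact"


def read_first_sector(path):
    """Read sector 0 from an image file or a raw device such as \\\\.\\PhysicalDrive0."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def sample_intact_mbr():
    """Constructed sample: minimal boot stub, one NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:7] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"  # xor ax,ax / mov ss,ax / mov sp,7C00h
    # entry 0: bootable, type 0x07 (NTFS), starts at LBA 2048, 2^24 sectors
    struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 1 << 24)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def sample_overwritten_mbr():
    """Constructed sample: a zero-filled sector (one possible result of a wipe)."""
    return bytes(SECTOR_SIZE)


if __name__ == "__main__":
    # With an argument, inspect that image or device; otherwise use the samples.
    if len(sys.argv) > 1:
        sector = read_first_sector(sys.argv[1])
        print(sys.argv[1], assess_mbr(sector), parse_mbr(sector))
    else:
        for label, sector in (("intact sample", sample_intact_mbr()),
                              ("wiped sample", sample_overwritten_mbr())):
            print(label, assess_mbr(sector))
```

Run it against a forensic image (or, elevated, against the physical drive of a machine that shows the "Who am I?" message) before any repair attempt, so the state of the sector is recorded while it is still evidence.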

Last update 12 December 2014
