
Trojan:Win32/Dogrobot.gen!A


First posted on 18 June 2009.
Source: SecurityHome

Aliases:

There are no other names known for Trojan:Win32/Dogrobot.gen!A.

Explanation:

Trojan:Win32/Dogrobot.gen!A is a trojan that downloads and executes arbitrary files from a remote host. It has been designed to deliberately compromise particular System Restore hardware and software.

Symptoms

System changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    <system folder>\driver\pcihdd.sys

Installation

Trojan:Win32/Dogrobot.gen!A drops a device driver to <system folder>\driver\pcihdd.sys and loads it. The device driver is also detected as Trojan:Win32/Dogrobot.gen!A.

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

Payload

Compromises System Restore
Win32/Dogrobot.gen!A attempts to overwrite the system file userinit.exe with a low-level disk operation. The modified file is detected as Trojan:Win32/Agent.NAP. This action may bypass the protection offered by System Restore hardware and software, as the integrity of restore settings may be lost.

Downloads and executes arbitrary files
The overwritten copy of userinit.exe attempts to contact remote hosts in order to download and execute files of the attacker's choice on the affected machine. In the wild, it has been observed contacting the following domain for this purpose:

  • yu.8s7.net
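A defender-side check for the indicators described above (the dropped driver, its registration as a system driver, and an overwritten userinit.exe), added here as an example and not part of the original entry. It assumes <system folder> resolves to %SystemRoot%\System32, uses the driver path exactly as the entry gives it, and matches the registered driver by its base name; the signature test is an assumption about how a genuine userinit.exe differs from a raw overwrite, so the hash is also recorded for comparison with a known-good copy.

```powershell
# Added example: look for Trojan:Win32/Dogrobot.gen!A indicators on a Windows host.
# Assumptions (not from the entry): <system folder> = %SystemRoot%\System32,
# the driver is matched by base name, and a genuine userinit.exe is Microsoft-signed.
$systemFolder = Join-Path $env:SystemRoot 'System32'
$driverPath   = Join-Path $systemFolder 'driver\pcihdd.sys'   # path as given in the entry
$userinitPath = Join-Path $systemFolder 'userinit.exe'
$findings = @()

# 1. Dropped driver present on disk?
if (Test-Path -LiteralPath $driverPath) {
    $findings += "Driver file present: $driverPath"
}

# 2. Driver registered or running as a kernel service? (matched by name, an assumption)
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -eq 'pcihdd' -or $_.PathName -match 'pcihdd\.sys' }
foreach ($d in $drivers) {
    $findings += "Registered driver '$($d.Name)' state=$($d.State) path=$($d.PathName)"
}

# 3. userinit.exe overwritten? A low-level disk write leaves no valid signature.
#    Caveat: on builds where system files are catalog-signed rather than embedded-signed,
#    older PowerShell reports NotSigned for a clean file, so compare the hash as well.
if (Test-Path -LiteralPath $userinitPath) {
    $sig = Get-AuthenticodeSignature -FilePath $userinitPath
    if ($sig.Status -ne 'Valid') {
        $findings += "userinit.exe signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "userinit.exe signer: $($sig.SignerCertificate.Subject)"
    }
    $hash = (Get-FileHash -LiteralPath $userinitPath -Algorithm SHA256).Hash
    Write-Output "userinit.exe SHA256: $hash   (compare with a known-good copy of this build)"
} else {
    $findings += "userinit.exe missing from $systemFolder"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Dogrobot.gen!A indicators found.'
} else {
    Write-Output 'Possible Trojan:Win32/Dogrobot.gen!A indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run from an elevated PowerShell session so that Win32_SystemDriver and the System32 files are readable; DNS or proxy logs can separately be searched for the domain listed above.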



Analysis by Chun Feng

Last update 18 June 2009
