
Downloader.Chikdos


First posted on 29 October 2015.
Source: Symantec

Aliases:

There are no other names known for Downloader.Chikdos.

Explanation:

Once executed, the Trojan modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"ShutdownWithoutLogon" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache\"Enabled" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\"EnableAdminTSRemote" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\"Start" = "2"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\"TSEnabled" = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\"fDenyTSConnections" = "0"
The Trojan then connects to one or more of the following remote locations:
[http://]119.90.4.240:9631/setu[REMOVED]
[http://]119.90.4.240:9631/setup[REMOVED]
[http://]119.90.4.240/setu[REMOVED]
[http://]119.90.4.240/setup[REMOVED]
The Trojan may download one or more of the following files:
%Temp%\[RANDOM FILE NAME].exe
%Temp%\smsb.exe
%Temp%\smsb1.exe
The Trojan may then create a new user account on the compromised computer with the following credentials:
User name: qianhua
The Trojan may add the new user account to the following groups:
Administrators
Administradores
Remote Desktop Users
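The registry values, account name, group names and dropped file names above can be checked on a Windows host with a short read-only audit. The script below is an added example written for this page; it is not part of the Symantec write-up and is not code from the threat itself. The registry paths and values are copied verbatim from the description (including the `Control\TerminalServer` spelling as listed); the cmdlets `Get-ItemProperty`, `Get-LocalUser`, `Get-LocalGroupMember` and `Get-ChildItem` are standard PowerShell 5.1 cmdlets. The `[RANDOM FILE NAME].exe` download cannot be matched by name, so only `smsb*.exe` is searched for.

```powershell
# Added audit example for Downloader.Chikdos artifacts (not from the original write-up).
# Read-only: reports matches, changes nothing.

# Registry changes listed in the description, with the values the Trojan sets.
$Indicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'ShutdownWithoutLogon'; Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache';     Name = 'Enabled';              Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';          Name = 'EnableAdminTSRemote';  Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD';               Name = 'Start';                Value = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService';          Name = 'Start';                Value = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';       Name = 'TSEnabled';            Value = 1 },
    # Path spelled exactly as listed in the description.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\TerminalServer';        Name = 'fDenyTSConnections';   Value = 0 }
)

$SuspectUser = 'qianhua'                                            # account name from the description
$Groups      = 'Administrators', 'Administradores', 'Remote Desktop Users'
$Findings    = New-Object System.Collections.Generic.List[string]

# 1. Registry values: a key that is absent or holds a different value is not reported.
foreach ($i in $Indicators) {
    $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and [int]$item.($i.Name) -eq $i.Value) {
        $Findings.Add("Registry: $($i.Path)\$($i.Name) = $($i.Value)")
    }
}

# 2. Local account and its group memberships.
if (Get-LocalUser -Name $SuspectUser -ErrorAction SilentlyContinue) {
    $Findings.Add("Account: local user '$SuspectUser' exists")
    foreach ($g in $Groups) {
        # Group names that do not exist on this locale simply yield no members.
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.Name -like "*\$SuspectUser" }) {
            $Findings.Add("Account: '$SuspectUser' is a member of '$g'")
        }
    }
}

# 3. Dropped files. %Temp% is per user, so run this as (or enumerate) the user
#    the Trojan executed under; the random-name payload cannot be matched by name.
Get-ChildItem -Path $env:TEMP -Filter 'smsb*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("File: $($_.FullName)") }

if ($Findings.Count -eq 0) {
    Write-Output 'No Downloader.Chikdos artifacts found.'
} else {
    Write-Output "Possible Downloader.Chikdos artifacts ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated PowerShell session so that the HKLM keys and local group membership are readable. Treat the registry hits as weak on their own: `TermService` `Start = 2` and `fDenyTSConnections = 0` are exactly what an administrator sets when enabling Remote Desktop on purpose, so the meaningful signal is the full combination together with the `qianhua` account and the `smsb*.exe` files, not any single value.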

Last update 29 October 2015
