Trojan:Win32/Acbot.A
First posted on 31 May 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Acbot.A is also known as Ransomer.ABI (Avira), Generic Dropper.p (McAfee), Mal/Rorpian-D (Sophos), W32/Ransom.AJL (Norman).
Explanation:
Trojan:Win32/Acbot.A is a trojan that posts messages to certain social media websites that you might access using a web browser. The messages posted by Trojan:Win32/Acbot.A contain a link to a copy of the trojan.
Installation
This trojan may be encountered when visiting a link found on a social media website such as Twitter, Myspace and Facebook. The link, obfuscated as a shortened "bit.ly" URL, accompanies a message, such as "lol when was the last time you saw this pic? <link>". If you open the link, it redirects your browser to the website "hotfile.com", such as "<site>/dl/153994922/<deleted>/IMG_10_April25_www.Facebook.com_Profile.zip.html?YtQOEZ.png".
Payload
Downloads files
Acbot downloads two configuration data files named "1.txt" and "2.txt" from a website named "srv5000.<deleted>". The files are used to instruct Acbot on which social media services to post messages, such as Facebook or Twitter, and the format of the messages created by the trojan.
Posts links to social media websites
Acbot injects code into the popular web browsers Mozilla Firefox, Microsoft Internet Explorer, Google Chrome and Opera. Acbot monitors when you access the following social media sites and replaces outgoing comments, messages or status updates with content from one of the downloaded configuration files:
- Myspace
- Bebo
- Meebo
Additional information
Trojan:Win32/Acbot.A tries to determine if your computer is running within a debug or virtual environment by looking for certain clues; for example, it will quit if any of the following conditions are met:
- If the file name of the trojan contains any of these words:
- sample, virus, sand-box, sandbox, malware, test
- If the computer name contains any of these names:
- VMG-CLIENT
- MAKKK
- Malekal
- HOME-OFF-D5F0AC
- DELL-D3E62F7E26
- KAKAPROU-6405DA
- If the Windows user name contains any of these names:
- VMG-CLIENT
- Malekal
- Mak
- HOME-OFF-D5F0AC
- DELL-D3E62F7E26
- KAKAPROU-6405DA
- klasnich
- If the following names are present in the registry subkey HKLM\SYSTEM\ControlSet001\Services\Disk\Enum\0:
- VMware, VBox, Virtual, QEMU
- If any process name contains any of the following:
- vbox
- vmsrvc
- vmware
- tcpview
- syssafe.exe
- wireshark.exe
- regshot.exe
- procmon.exe
- filemon.exe
- regmon.exe
- procdump.exe
- cports.exe
- procexp.exe
- squid.exe
- dumpcap.exe
- sbiectrl.exe
- If any of the following security applications are running:
- Wireshark
- Microsoft Net Monitor
- SmartSniff
- CurrPorts
- Process Monitor
- Process Explorer
- Ethereal
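The conditions above are what an analyst must avoid when setting up a sandbox so that the sample actually detonates. The following Python script is an added example, not part of the original write-up: it takes a description of an analysis environment and reports which of the listed anti-analysis checks would fire. The indicator lists are copied from the write-up; the sample environment is constructed, and case-insensitive "contains" matching is an assumption (the write-up does not state how the comparison is done).

```python
"""Audit an analysis environment against the anti-analysis checks listed for
Trojan:Win32/Acbot.A. Indicator lists come from the write-up; the sample
environment below is constructed, not captured from a real host."""
from dataclasses import dataclass, field

FILENAME_WORDS = ["sample", "virus", "sand-box", "sandbox", "malware", "test"]
COMPUTER_NAMES = ["VMG-CLIENT", "MAKKK", "Malekal", "HOME-OFF-D5F0AC",
                  "DELL-D3E62F7E26", "KAKAPROU-6405DA"]
USER_NAMES = ["VMG-CLIENT", "Malekal", "Mak", "HOME-OFF-D5F0AC",
              "DELL-D3E62F7E26", "KAKAPROU-6405DA", "klasnich"]
DISK_ENUM_WORDS = ["VMware", "VBox", "Virtual", "QEMU"]
PROCESS_WORDS = ["vbox", "vmsrvc", "vmware", "tcpview", "syssafe.exe",
                 "wireshark.exe", "regshot.exe", "procmon.exe", "filemon.exe",
                 "regmon.exe", "procdump.exe", "cports.exe", "procexp.exe",
                 "squid.exe", "dumpcap.exe", "sbiectrl.exe"]


@dataclass
class Environment:
    sample_filename: str   # name the sample is saved under before execution
    computer_name: str
    user_name: str
    disk_enum_0: str       # value of HKLM\SYSTEM\ControlSet001\Services\Disk\Enum\0
    processes: list = field(default_factory=list)  # names of running processes


def _hits(value, words):
    # Assumption: a case-insensitive substring ("contains") comparison.
    v = value.lower()
    return [w for w in words if w.lower() in v]


def audit(env):
    """Return (check, matched indicator) pairs that would make Acbot quit."""
    findings = []
    findings += [("file name", w) for w in _hits(env.sample_filename, FILENAME_WORDS)]
    findings += [("computer name", w) for w in _hits(env.computer_name, COMPUTER_NAMES)]
    findings += [("user name", w) for w in _hits(env.user_name, USER_NAMES)]
    findings += [("Disk\\Enum\\0", w) for w in _hits(env.disk_enum_0, DISK_ENUM_WORDS)]
    for proc in env.processes:
        findings += [("process", w) for w in _hits(proc, PROCESS_WORDS)]
    return findings


def would_detonate(env):
    """True when none of the listed evasion conditions is met."""
    return not audit(env)


# Constructed example: a default VirtualBox sandbox with Process Monitor open.
SANDBOX = Environment(
    sample_filename="malware_sample.exe",
    computer_name="VMG-CLIENT",
    user_name="analyst",
    disk_enum_0=r"IDE\DiskVBOX_HARDDISK___________________1.0_____\5&0&0.0.0",
    processes=["explorer.exe", "VBoxService.exe", "Procmon.exe"],
)

if __name__ == "__main__":
    for check, indicator in audit(SANDBOX):
        print(f"{check}: matched '{indicator}'")
```

Each reported finding is one change to make (rename the sample, the host or the user; hide the hypervisor disk name; close the tool) before re-running the sample.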
Analysis by Vincent Tiu
Last update 31 May 2012