Trojan.Injector.CH
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Trojan.Injector.CH.
Explanation:
After execution, the malware copies itself to C:\Program Files\Microsoft Common\wuauclt.exe
and connects to a remote server (91.203.[hide].[hide]:http). If needed, it adds an exception
to the Windows firewall. It injects code into a running svchost process and sends sensitive information
about the infected computer (such as the operating system version and the port
on which the virus can receive data), then waits to receive a command. Depending on
the operating system of the infected computer, the virus tries to download a
file from a certain address that acts as an update. On the test machine, this file was %SYSTEM%\cpl32ver.exe.
The file can be found in the process list and may have one or two svchost child processes.
The malware has its own SMTP component, which tries to connect to the following mail servers and send e-mails:
mxs.mail.ru
fk-in-f114.google.com
gsmtp183.google.com
smtp.messagingengine.com
It also connects to the following addresses:
http://[hide]xu.ru/load3/ld.php?[info]
http://[hide]xr.ru/loadx/ld.php?[info]
211.95.[hide].[hide]:http
208.66.[hide].[hide]:http
216.195.[hide].[hide]:5634
It drops a rootkit component (%SYSTEM%\drivers\[random].sys) that hooks the System Service Descriptor Table (SSDT).
This way, the virus hides the registry keys it creates.
So that the process also starts in safe mode, it creates the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[random].sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[random].sys
So that the application starts with the operating system, the following keys are added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cpl32ver (on the test machine)
HKLM\System\CurrentControlSet\Services\[random]
HKLM\System\CurrentControlSet\Services\cpsr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Last update 21 November 2011
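The following script is an added triage example, not BitDefender's code, that checks the host-level indicators from this description (wuauclt.exe outside %SYSTEM%, svchost.exe children not parented by services.exe, the cpl32ver.exe component, the SafeBoot driver entries, the Run value, the services and the explorer.exe IFEO key). It works over a process listing and a registry export, both constructed inline as sample data, rather than over a live host; because the SSDT rootkit hides its keys from the running system, the registry data for a real check should come from an offline hive or a clean-boot export. SYSTEM_DIR, the SafeBoot baseline and the made-up driver name ab12cd.sys (standing in for [random]) are assumptions, not from the advisory.

```python
"""Offline triage for the Trojan.Injector.CH indicators listed above.

Added example, not BitDefender's code. The registry export is modelled as a
dict: key path -> {value name: data}. SYSTEM_DIR and SAFEBOOT_BASELINE are
assumptions; a real baseline comes from a clean image of the same build."""
import ntpath  # Windows path handling, so the script also runs on Linux
from dataclasses import dataclass

SYSTEM_DIR = r"C:\Windows\System32"  # assumed %SYSTEM%
SAFEBOOT_ROOT = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKLM\System\CurrentControlSet\Services"
IFEO_KEY = (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
# Abbreviated, assumed known-good SafeBoot driver entries (lowercase).
SAFEBOOT_BASELINE = {"vga.sys", "vgasave.sys", "sr.sys", "sermouse.sys",
                     "dmboot.sys", "dmio.sys", "dmload.sys"}


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    ppid: int


def process_findings(procs):
    """wuauclt.exe outside %SYSTEM%, cpl32ver.exe running, and svchost.exe
    whose parent is not services.exe (the trojan's copy spawns 1-2 of them)."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        if name == "wuauclt.exe" and ntpath.dirname(p.path).lower() != SYSTEM_DIR.lower():
            out.append(f"pid {p.pid}: wuauclt.exe running from {p.path}")
        elif name == "cpl32ver.exe":
            out.append(f"pid {p.pid}: cpl32ver.exe running from {p.path}")
        elif name == "svchost.exe" and parent and parent.name.lower() != "services.exe":
            out.append(f"pid {p.pid}: svchost.exe parented by {parent.name} (pid {parent.pid})")
    return out


def registry_findings(reg):
    """The persistence keys the advisory lists, with the SafeBoot driver name
    cross-checked against the Services subkeys' ImagePath."""
    out = []
    suspect_drivers = set()
    for boot_mode in ("Minimal", "Network"):
        for entry in reg.get(f"{SAFEBOOT_ROOT}\\{boot_mode}", {}):
            e = entry.lower()
            if e.endswith(".sys") and e not in SAFEBOOT_BASELINE:
                suspect_drivers.add(e)
                out.append(f"SafeBoot\\{boot_mode} driver entry not in baseline: {entry}")
    for value, data in reg.get(RUN_KEY, {}).items():
        if value.lower() == "cpl32ver" or "cpl32ver.exe" in str(data).lower():
            out.append(f"Run value {value} -> {data}")
    prefix = SERVICES_KEY.lower() + "\\"
    for key, values in reg.items():
        if not key.lower().startswith(prefix):
            continue
        svc = key[len(prefix):]
        image = str(values.get("ImagePath", "")).lower()
        if (svc.lower() == "cpsr" or "cpl32ver.exe" in image
                or ntpath.basename(image) in suspect_drivers):
            out.append(f"service {svc} ImagePath {values.get('ImagePath')}")
    for value, data in reg.get(f"{IFEO_KEY}\\explorer.exe", {}).items():
        out.append(f"IFEO explorer.exe {value} = {data}")
    return out


# Constructed sample data: an infected-looking process tree and registry export.
SAMPLE_PROCS = [
    Proc(600, "services.exe", r"C:\Windows\System32\services.exe", 500),
    Proc(700, "svchost.exe", r"C:\Windows\System32\svchost.exe", 600),
    Proc(1500, "wuauclt.exe", r"C:\Program Files\Microsoft Common\wuauclt.exe", 1200),
    Proc(1520, "svchost.exe", r"C:\Windows\System32\svchost.exe", 1500),
]
SAMPLE_REG = {  # ab12cd.sys is a made-up stand-in for the advisory's [random].sys
    SAFEBOOT_ROOT + r"\Minimal": {"vga.sys": "Driver", "ab12cd.sys": "Driver"},
    SAFEBOOT_ROOT + r"\Network": {"vga.sys": "Driver", "ab12cd.sys": "Driver"},
    RUN_KEY: {"Cpl32ver": r"C:\Windows\System32\cpl32ver.exe"},
    SERVICES_KEY + r"\ab12cd": {"ImagePath": r"system32\drivers\ab12cd.sys"},
    SERVICES_KEY + r"\cpsr": {"ImagePath": r"C:\Windows\System32\cpl32ver.exe"},
    IFEO_KEY + r"\explorer.exe": {"Debugger": r"C:\Windows\System32\cpl32ver.exe"},
}

if __name__ == "__main__":
    for line in process_findings(SAMPLE_PROCS) + registry_findings(SAMPLE_REG):
        print("[!]", line)
```

The process check uses parent/child relationships rather than file names alone, since wuauclt.exe and svchost.exe are legitimate names; only the path and the parent distinguish the trojan's copies. The SafeBoot check is baseline-driven because legitimate .sys entries exist under Minimal and Network, so a match on ".sys" by itself would be noisy.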