Win32/Foidan
First posted on 09 October 2013.
Source: Microsoft
Aliases:
There are no other names known for Win32/Foidan.
Explanation:
Threat behavior
Installation
Depending on the variant, Win32/Foidan copies itself as one of the following:
- %APPDATA%\ie_util.exe
- %APPDATA%\fnmod_32.exe
It modifies one of the following registry entries so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "IExplorer Util"
With data: "%APPDATA%\ie_util.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "FNModuleUpdater"
With data: "%APPDATA%\fnmod_32.exe"
It creates the following mutexes:
- FOCTRLM
- FOIDCTRL<Process ID>
- SYS_<Random>
This could be an infection marker to prevent more than one copy of the threat running on your PC.
Payload
Injects code
This malware tries to inject its code into the following processes so that, from inside them, it can monitor and hook the HttpQueryInfoA and InternetReadFile APIs:
- ctfmon.exe
- dwm.exe
- explorer.exe
- iexplore.exe
- rdpclip.exe
- taskeng.exe
- taskhost.exe
- wscntfy.exe
Monitors and changes Internet traffic
Trojans in this family try to hook the following Windows APIs:
- HttpQueryInfoA
- InternetReadFile
By hooking these APIs the malware can monitor and change HTTP headers and data sent from or received by your PC.
Analysis by Jonathan San Jose
Symptoms
The following could indicate that you have this threat on your PC:
- You have these files:
- %APPDATA%\ie_util.exe
- %APPDATA%\fnmod_32.exe
- You see these entries or keys in your registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "IExplorer Util"
With data: "%APPDATA%\ie_util.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "FNModuleUpdater"
With data: "%APPDATA%\fnmod_32.exe"
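The following PowerShell script is an added example, not part of the Microsoft write-up, that checks a Windows host for the indicators listed under Installation and Symptoms: the two dropped files in %APPDATA%, the two Run values, and the fixed mutex name FOCTRLM. The file names, value names, data and mutex name come from this page; the variable names and the output format are the script's own. It does not inspect the API hooks described under Payload.

```powershell
# Added example (not Microsoft's code): hunt for the Win32/Foidan indicators from this page.
# Run as the user whose profile you are checking, since %APPDATA% and HKCU are per-user.
$Indicators = @{
    Files = @(
        (Join-Path $env:APPDATA 'ie_util.exe'),
        (Join-Path $env:APPDATA 'fnmod_32.exe')
    )
    RunValues = @{
        'IExplorer Util'  = '%APPDATA%\ie_util.exe'
        'FNModuleUpdater' = '%APPDATA%\fnmod_32.exe'
    }
    # FOIDCTRL<Process ID> and SYS_<Random> vary per infection, so only the fixed name is checked,
    # in both the session-local and the Global namespace.
    Mutexes = @('FOCTRLM', 'Global\FOCTRLM')
}
$Findings = @()

# 1. Dropped copies of the malware in %APPDATA%
foreach ($path in $Indicators.Files) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $Findings += "File present: $path (SHA256 $hash)"
    }
}

# 2. Persistence values under HKCU\...\Run. Get-ItemProperty expands REG_EXPAND_SZ data,
#    so compare against both the literal '%APPDATA%' form and the expanded path.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($name in $Indicators.RunValues.Keys) {
        $data = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $data) {
            $expected = $Indicators.RunValues[$name]
            $expanded = [Environment]::ExpandEnvironmentVariables($expected)
            $clean    = ([string]$data).Trim('"')
            if (($clean -ieq $expected) -or ($clean -ieq $expanded)) {
                $Findings += "Run value '$name' present with known Foidan data: $data"
            } else {
                $Findings += "Run value '$name' present with unexpected data (review manually): $data"
            }
        }
    }
}

# 3. Infection-marker mutex. OpenExisting throws WaitHandleCannotBeOpenedException when the
#    mutex does not exist; UnauthorizedAccessException means it exists but cannot be opened.
foreach ($m in $Indicators.Mutexes) {
    try {
        $h = [System.Threading.Mutex]::OpenExisting($m)
        $h.Dispose()
        $Findings += "Mutex '$m' exists"
    } catch {
        $ex = $_.Exception
        if ($ex -is [System.Management.Automation.MethodInvocationException] -and $ex.InnerException) {
            $ex = $ex.InnerException
        }
        if ($ex -is [System.UnauthorizedAccessException]) {
            $Findings += "Mutex '$m' exists but is not accessible from this session"
        }
        # Any other exception (normally WaitHandleCannotBeOpenedException) means the mutex is absent.
    }
}

if ($Findings.Count -eq 0) {
    'No Win32/Foidan indicators found for the current user.'
} else {
    $Findings
}
```

A hit on the Run value name alone, even with different data, is worth a manual look, because the file path is the part of the indicator most likely to change between variants. The mutex check is session-scoped: if the malware is running under another logged-on user, only the Global\ variant (if the sample used it) would be visible from this session.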
Last update 09 October 2013