
Win32/Dishigy


First posted on 07 May 2012.
Source: Microsoft

Aliases:

There are no other names known for Win32/Dishigy.

Explanation:



Win32/Dishigy is a family of trojans that can be instructed to perform denial of service attacks on remote hosts. The trojan attempts to connect to a remote host in order to obtain configuration information, and may be instructed to perform any one of several types of attack.



Installation

When executed, the malware copies itself to one of the following locations:

  • <system folder>\drivers\<file name>.exe, for example:
    • <system folder>\drivers\wvchatts.exe
    • <system folder>\drivers\svajnager.exe
    • <system folder>\drivers\svflooje.exe
    • <system folder>\drivers\svchost.exe
  • <system folder>\<file name>.exe, for example:
    • <system folder>\svdhalp.exe


Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Win32/Dishigy may also set itself to run as a service, to ensure that it runs each time Windows starts.

The malware can also create the following file:

%windir%\keys.ini

This file contains a randomly generated string which it uses to uniquely identify itself.



Payload

Performs Denial of Service attacks

When executed, the trojan attempts to connect to a remote host to receive configuration data. The configuration provides the following information:

  • The type of attack to be performed. Early variants of the malware could perform only a single type of attack; later variants added more, including sending a large number of HTTP requests to a targeted host. The attack type determines the type of request sent.
  • The intensity of the attack, that is, how much of the infected computer's resources should be used against a given host
  • The duration of the attack
  • A list of targeted hosts to perform a denial of service attack on


Once the configuration data is received, the malware then proceeds to perform attacks against the given list of hosts.

Technical details: The type of requests may include HTTP GET requests and HTTP POST requests.

The malware may include a variety of HTTP header information, including a randomly chosen User-Agent string from a list which it carries, as well as a randomly chosen "Referrer URL", also from a list it carries.
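As an added detection example (not part of the Microsoft write-up), the following Python script scans web-server access logs in combined format for the request pattern described above: many GET/POST requests from one client in a short window, with the User-Agent and Referer changing between requests, which is unusual for a single real browser. The log format, sample lines, IP addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Combined log format: ip - - [ts] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_flood_sources(lines, window_s=10, min_requests=5, min_distinct=3):
    """Return {ip: (requests, distinct_uas, distinct_referers)} for clients sending >= min_requests
    GET/POST within one window_s-second window with >= min_distinct User-Agents and Referers."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] in ("GET", "POST"):
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over the client's request times
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            uas = {r["ua"] for r in win}
            refs = {r["referer"] for r in win}
            if len(win) >= min_requests and min(len(uas), len(refs)) >= min_distinct:
                hits[ip] = (len(win), len(uas), len(refs))
                break
    return hits
# Constructed sample: 198.51.100.7 matches the described flood, 192.0.2.10 is a normal client.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/May/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "http://ref1.example/" "UA-1"',
    '198.51.100.7 - - [07/May/2012:10:00:01 +0000] "POST /login HTTP/1.1" 200 88 "http://ref2.example/" "UA-2"',
    '192.0.2.10 - - [07/May/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/May/2012:10:00:02 +0000] "GET /?x=1 HTTP/1.1" 200 512 "http://ref3.example/" "UA-3"',
    '198.51.100.7 - - [07/May/2012:10:00:03 +0000] "GET /?x=2 HTTP/1.1" 200 512 "http://ref4.example/" "UA-4"',
    '192.0.2.10 - - [07/May/2012:10:00:05 +0000] "GET /style.css HTTP/1.1" 200 300 "http://site.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [07/May/2012:10:00:04 +0000] "POST / HTTP/1.1" 200 512 "http://ref5.example/" "UA-5"',
]
```

Running `find_flood_sources(SAMPLE_LOG)` reports only 198.51.100.7; tune the thresholds to the site's normal traffic before using it on real logs.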



Analysis by Ray Roberts

Last update 07 May 2012