Trojan:Win32/Conhook.Q


First posted on 27 March 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/Conhook.Q is also known as Troj/Virtum-Gen (Sophos), Trojan.Vundo.Gen!Pac.29 (VirusBuster) and Vundo.gen.ab (McAfee).

Explanation:

Trojan:Win32/Conhook.Q is a trojan that registers itself as a BHO (Browser Helper Object). It may monitor user browsing behavior and may connect to remote servers.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following registry keys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\<CLSID value>
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<CLSID value>
    where <CLSID value> may be one of the following:
    {B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
    {849B9523-785F-4014-9CAF-079FB4A74C61}
    {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA}
    {F18F04B0-9CF1-4b93-B004-77A288BEE28B}
    {0676CC61-CDC5-447e-AAFC-9D886EC820EB}
    {7797F524-B819-42d0-B35A-0DACAF93E977}
    {013A653B-49A6-4f76-8B68-E4875EA6BA54}
    {14FD9304-A270-4d8c-B696-6B7DA0C1DF56}
    {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
    {3FD6B99C-A275-46ea-8FD1-3D63986E51E4}
    {7DA39570-5FD2-4f18-94B4-20730CB3F727}
    {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50}
    {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C}
    {337C54C9-80C1-4de2-93CD-AAA510834074}
    {D38439EC-4A7F-42b4-90C2-D810D7778FDD}
    {57E218E6-5A80-4f0c-AB25-83598F25D7E9}
    {67C55A8D-E808-4caa-9EA7-F77102DE0BB6}
    {1557B435-8242-4686-9AA3-9265BF7525A4}
    {D651AFF4-9590-424d-BD1E-8E33E090DFB3}
    {E2EE5C44-C66D-499d-BEAE-A2A79189A63A}
    {55DB983C-BDBF-426f-86F0-187B02DDA39B}
    {A24B57F8-505D-4fc5-9960-740E304D1ABA}
    {4B646AFB-9341-4330-8FD1-C32485AEE619}
    {CD3447D4-CA39-4377-8084-30E86331D74C}
    {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA}
    {8F2183B9-F4DB-4913-8F82-6F9CC42E4CF8}
    {92A444D2-F945-4dd9-89A1-896A6C2D8D22}
    {E12BFF69-38A7-406e-A8EF-2738107A7831}
    {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
    {1F6581D5-AA53-4b73-A6F9-41420C6B61F1}
    {1126271C-A8C3-438c-B951-7C94B453B16B}
    {938A8A03-A938-4019-B764-03FF8D167D79}
    {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}
    {C6039E6C-BDE9-4de5-BB40-768CAA584FDC}
    {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3}
    {C24751C6-3976-419a-A776-915669E28A4D}
    {47B83D78-F986-4E96-9769-2C55EF14DA0B}
    {E64F0381-0053-4842-B3E5-08F6C4A0AEB6}
    {32A5ED57-EA40-4869-8675-28EA463E6B23}
    {89AD4D75-2429-462e-BD4E-443F233F6033}
    {F9546B58-83B5-44bb-93CF-945253E58025}
    {F864AD64-8376-447d-B5F4-EA4965E3E0EA}
    {BE3E60A0-8087-4ad2-9386-500966D663B4}
  • The presence of the following registry entry:
    Added value: "MS Juan"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Installation
Trojan:Win32/Conhook.Q usually arrives on the system as a DLL file with a random name. When executed, it may create the following registry entry to make sure that it automatically runs every time Windows starts:

Adds value: "MS Juan"
With data: "rundll32 <malware name>,run"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

where <malware name> is the name of the dropped DLL file.

It may create the mutex 'RTMXN653427485934' to ensure that only one instance of itself is running at any given time.

It may also register itself under AppInit_DLLs, so that it is loaded into every process that loads user32.dll:

Adds value: "AppInit_DLLs"
With data: "<malware name>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows

It may also create one or more of the following registry keys:

HKLM\Software\Microsoft\MS Optimization
HKLM\Software\Microsoft\MS Track System
HKLM\Software\Microsoft\MS Juan
HKLM\Software\Microsoft\jn_tr_<8 random numbers>

To register itself as a BHO, it may also create the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\<CLSID value>
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<CLSID value>

where <CLSID value> is one of the CLSIDs listed under Symptoms above.
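The Run value, AppInit_DLLs entry and CLSID registrations above are the artifacts a responder looks for when triaging a box or a registry export taken from an image. The script below is an added example, not code from the original write-up or from Microsoft: it parses the text format that `reg export` writes, flags those artifacts, and resolves a flagged CLSID to its DLL through the CLSID's InprocServer32 key when that key is in the export. The sample export and the DLL name khfgdsa.dll are constructed for the demo (the real dropper uses a random name), and only a subset of the listed CLSIDs is included.

```python
"""Offline triage of a `reg export` file for the Conhook.Q artifacts described above.
Added example, not code from the original page or from Microsoft. SAMPLE_REG is
constructed; the DLL name khfgdsa.dll in it is invented."""
import re

# Subset of the CLSIDs listed above (extend as needed), upper-cased because
# registry names are case-insensitive and the list itself mixes case.
CONHOOK_CLSIDS = {
    "{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}",
    "{1DAEFCB9-06C8-47C6-8F20-3FB54B244DAA}",
}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SEH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# Constructed sample: the infected BHO and hook, the Run value, AppInit_DLLs,
# plus two benign entries (ctfmon.exe and a second hook) that must not fire.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MS Juan"="rundll32 khfgdsa.dll,run"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="khfgdsa.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA}"=""
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CLASSES_ROOT\CLSID\{1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA}\InprocServer32]
@="C:\\WINDOWS\\system32\\khfgdsa.dll"
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; '@' is the default value.
    Quoted REG_SZ data is unescaped; dword:/hex: data is kept as raw text."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # file header, blank line, or hex continuation line
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys

def _values(keys, path):
    """Case-insensitive key lookup: registry paths are case-insensitive."""
    return next((v for k, v in keys.items() if k.lower() == path.lower()), {})

def _inproc_server(keys, clsid):
    """Map a CLSID to its DLL through the CLSID's InprocServer32 key, if exported."""
    return _values(keys, f"{CLSID_ROOT}\\{clsid}\\InprocServer32").get("@", "")

def find_conhook_indicators(keys):
    """Return sorted (indicator, name, detail) tuples for the artifacts above."""
    hits = set()
    for name, data in _values(keys, RUN_KEY).items():
        # Exact value name from the write-up, or its "rundll32 <dll>,run" launch form.
        if name.lower() == "ms juan" or re.search(r"rundll32(\.exe)?\s+\S+,run$", data, re.I):
            hits.add(("run_value", name, data))
    for name, data in _values(keys, APPINIT_KEY).items():
        if name.lower() == "appinit_dlls" and data:
            hits.add(("appinit_dlls", name, data))
    for parent, label in ((BHO_KEY, "bho_clsid"), (SEH_KEY, "shellexecutehook_clsid")):
        # A hook may be a {CLSID} subkey (as listed above) or, as ShellExecuteHooks
        # normally stores them, a value named by the CLSID under the parent key.
        for path, values in keys.items():
            candidates = [n.upper() for n in values] if path.lower() == parent.lower() else []
            if path.lower().startswith(parent.lower() + "\\"):
                rest = path[len(parent) + 1:]
                if rest.startswith("{") and "\\" not in rest:
                    candidates.append(rest.upper())
            for clsid in candidates:
                if clsid in CONHOOK_CLSIDS:
                    hits.add((label, clsid, _inproc_server(keys, clsid)))
    return sorted(hits)

if __name__ == "__main__":
    for kind, name, detail in find_conhook_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{kind:24} {name:40} {detail}")
```

To run it against a real export, read the file with `open(path, encoding="utf-16")`, since reg.exe writes UTF-16LE with a BOM. Two caveats: the CLSID list is only as good as the variants it was taken from, so a BHO or hook whose CLSID is not listed but whose InprocServer32 points at a randomly named DLL in system32 is the more durable signal; and on a workstation any non-empty AppInit_DLLs deserves a look regardless of which family put it there, because legitimate uses are rare.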

Payload

Monitors Browsing Behavior
Trojan:Win32/Conhook.Q may monitor user browsing behavior by logging the search keywords entered into various search engines.

Connects to Web Sites
Trojan:Win32/Conhook.Q may attempt to connect to the following addresses:
suedomet.com
85.12.43.70

Analysis by Andrei Florin Saygo

Last update 27 March 2009