
TrojanDropper:Win32/Ilomo.D


First posted on 14 July 2009.
Source: SecurityHome

Aliases:

TrojanDropper:Win32/Ilomo.D is also known as Trojan.Clampi (Symantec).

Explanation:

TrojanDropper:Win32/Ilomo.D is a trojan that drops another malware, detected as Trojan:Win32/Ilomo.C, in the system.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).


Payload

Drops other malware

Upon execution, TrojanDropper:Win32/Ilomo.D drops Trojan:Win32/Ilomo.C into the %APPDATA% folder as one of the following file names:

  • dumpreport.exe
  • msiexeca.exe
  • svchosts.exe
  • upnpsvc.exe
  • service.exe
  • taskmon.exe
  • rundll.exe
  • helper.exe
  • event.exe
  • logon.exe
  • sound.exe
  • lsas.exe

Note that these file names are similar to the file names used by legitimate system processes (such as 'lsass.exe', 'svchost.exe', and 'services.exe').

It also modifies the system registry so that its dropped malware automatically runs every time Windows starts:

Adds value: "<value>"
With data: "%APPDATA%\<malware name>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

where <malware name> is one of the above possible file names and <value> is one of the following:

  • CrashDump
  • svchosts
  • EventLog
  • TaskMon
  • Windows
  • RunDll
  • System
  • Setup
  • Sound
  • lsass
  • UPNP
  • Init

It then runs its dropped malware, Trojan:Win32/Ilomo.C.

TrojanDropper:Win32/Ilomo.D also creates the following registry entries:

Adds value: "GID"
With data: "hex:00,00,02,10,"

Adds value: "KeyM"
With data: "hex:94,6b,ee,bc,ff,a5,bb,8b,5e,68,2a,a5,8f,bf,24,f5,7a,63,b7,9c,bb,db,14,d5,1f,ae,b0,57,34,02,59,6f,c6,38,9c,7e,bd,8f,82,02,9f,36,ab,3f,0c,6c,b9,4c,c3,98,7e,e6,77,0a,cc,53,20,6f,6b,5b,ec,83,a8,9e,34,c1,9e,9c,73,93,05,01,f3,3d,d2,da,79,ed,63,00,04,25,cb,82,fc,87,3d,89,e1,86,79,79,8c,67,a8,43,5c,bc,65,26,66,5e,b1,8a,c5,51,95,e0,24,b8,7f,f5,1a,1c,20,83,dd,b7,44,e6,e7,66,b3,5d,88,a7,85,c8,2b,a4,58,4e,18,85,a2,9d,d3,16,d5,89,e6,51,4b,70,90,c9,f3,82,69,13,f1,09,ed,7c,30,86,2a,16,4a,4c,a4,06,fa,f9,78,c4,7d,72,93,fc,64,d7,48,c5,fb,83,a2,44,0a,98,77,be,cd,4b,fe,a8,69,a2,16,f2,73,c5,f1,44,ff,11,38,3e,af,5f,3f,87,05,61,61,fc,ff,22,be,00,d5,46,67,a0,ba,ce,65,a5,c7,32,03,93,11,96,62,7e,eb,0b,5d,9d,9a,92,1b,41,10,8c,2c,9b,09,a5,11,84,eb,91,ca,34,18,0e,92,2d,85,c7,6b,02,b0,ef,"

Adds value: "KeyE"
With data: "hex:00,01,00,01,"

Adds value: "GatesList"
With data: "hex:74,72,79,2e,6d,6f,6a,69,74,6f,62,6f,6f,6d,2e,69,6e,00,2f,55,34,4c,36,4e,51,4c,4d,4d,71,4f,46,74,64,39,34,00,64,69,72,65,63,74,2e,6d,61,74,63,68,62,6f,78,2e,76,63,00,2f,4c,4e,4c,42,42,61,57,4a,6e,64,64,6b,38,76,50,76,00,"

To subkey: HKCU\Software\Microsoft\Internet Explorer\Settings

The data for value 'GatesList' translates as:

  • try.mojitoboom.in /U4L6NQLMMqOFtd94
  • direct.matchbox.vc /LNLBBaWJnddk8vPv

The above data contains Web sites to which Trojan:Win32/Ilomo.C attempts to connect.

Additional Information

For more information about Trojan:Win32/Ilomo.C, see our description elsewhere in the encyclopedia.
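The following is an added analyst helper, not part of the original description: it decodes the registry-export 'hex:' form of the GatesList and KeyE values quoted above into the host/path pairs and the integer they encode, and flags a Run-key entry whose value name and %APPDATA% file name match the lists in the Payload section. The 'is_ilomo_run_entry' check and the Application Data / AppData\Roaming path handling are this example's own assumptions.

```python
from typing import List, Tuple

# Value data exactly as quoted in the description (registry-export 'hex:' form).
GATESLIST_HEX = (
    "hex:74,72,79,2e,6d,6f,6a,69,74,6f,62,6f,6f,6d,2e,69,6e,00,"
    "2f,55,34,4c,36,4e,51,4c,4d,4d,71,4f,46,74,64,39,34,00,"
    "64,69,72,65,63,74,2e,6d,61,74,63,68,62,6f,78,2e,76,63,00,"
    "2f,4c,4e,4c,42,42,61,57,4a,6e,64,64,6b,38,76,50,76,00,"
)
KEYE_HEX = "hex:00,01,00,01,"

# Run-key value names and dropped file names listed in the Payload section (lower-cased).
RUN_VALUE_NAMES = {"crashdump", "svchosts", "eventlog", "taskmon", "windows", "rundll",
                   "system", "setup", "sound", "lsass", "upnp", "init"}
DROPPED_NAMES = {"dumpreport.exe", "msiexeca.exe", "svchosts.exe", "upnpsvc.exe",
                 "service.exe", "taskmon.exe", "rundll.exe", "helper.exe",
                 "event.exe", "logon.exe", "sound.exe", "lsas.exe"}

def reg_hex_to_bytes(value: str) -> bytes:
    """Convert a .reg-style 'hex:aa,bb,...' string (trailing comma allowed) into raw bytes."""
    body = value.split(":", 1)[1] if value.lower().startswith("hex") else value
    return bytes(int(tok, 16) for tok in body.split(",") if tok.strip())

def decode_gateslist(value: str) -> List[Tuple[str, str]]:
    """Split the NUL-terminated strings and pair them as (host, path) entries."""
    parts = [p.decode("ascii", "replace") for p in reg_hex_to_bytes(value).split(b"\x00") if p]
    if len(parts) % 2:
        raise ValueError("expected an even number of strings (host/path pairs)")
    return list(zip(parts[0::2], parts[1::2]))

def keye_as_int(value: str) -> int:
    """Read KeyE as a big-endian integer; 00 01 00 01 is 65537, the usual RSA public exponent."""
    return int.from_bytes(reg_hex_to_bytes(value), "big")

def is_ilomo_run_entry(value_name: str, data: str) -> bool:
    """Assumed check: value name from the list above, target file from the list above,
    located under %APPDATA% (literal, XP 'Application Data', or Vista+ 'AppData\\Roaming')."""
    path = data.strip().strip('"').replace("/", "\\").lower()
    in_appdata = (path.startswith("%appdata%\\") or "\\application data\\" in path
                  or "\\appdata\\roaming\\" in path)
    fname = path.rsplit("\\", 1)[-1]
    return in_appdata and value_name.lower() in RUN_VALUE_NAMES and fname in DROPPED_NAMES

if __name__ == "__main__":
    print(decode_gateslist(GATESLIST_HEX))
    print(keye_as_int(KEYE_HEX))
```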

Analysis by Dan Kurc

Last update 14 July 2009
