SecurityHome.eu TrojanDownloader:Win32/Regonid.B

Home / malware PDF

TrojanDownloader:Win32/Regonid.B

First posted on 23 April 2012.
Source: Microsoft
Aliases :
TrojanDownloader:Win32/Regonid.B is also known as W32/Downldr2.IXDB (Command), Gen:Variant.Gurub.2 (BitDefender), Trojan.DownLoad2.36241 (Dr.Web).
Explanation :
TrojanDownloader:Win32/Regonid.B is a trojan that attempts to download arbitrary files from a remote server.

Top

TrojanDownloader:Win32/Regonid.B is a trojan that attempts to download arbitrary files from a remote server.

Installation

TrojanDownloader:Win32/Regonid.B is installed by TrojanDownloader:Win32/Regonid.A to the system folder using any of the following file names:

<system folder>\accwiiz.exe

<system folder>\clicconfg.exe

<system folder>\cmstpp.exe

<system folder>\ddcomcnfg.exe

<system folder>\dfrgfatt.exe

<system folder>\dfrgnntfs.exe

<system folder>\drwtssn32.exe

<system folder>\dwwwin.exe

<system folder>\eddlin.exe

<system folder>\eventtvwr.exe

<system folder>\ffindstr.exe

<system folder>\finddstr.exe

<system folder>\fixmapii.exe

<system folder>\hhelp.exe

<system folder>\ie4uinnit.exe

<system folder>\iipv6.exe

<system folder>\ipxxroute.exe

<system folder>\labbel.exe

<system folder>\logofff.exe

<system folder>\mqttgsvc.exe

<system folder>\msshta.exe

<system folder>\nettsh.exe

<system folder>\nnapstat.exe

<system folder>\odbccad32.exe

<system folder>\packagger.exe

<system folder>\qwinnsta.exe

<system folder>\rdsshost.exe

<system folder>\rreplace.exe

<system folder>\rtcsharee.exe

<system folder>\rwiinsta.exe

<system folder>\scc.exe

<system folder>\sffc.exe

<system folder>\siggverif.exe

<system folder>\slservv.exe

<system folder>\spideer.exe

<system folder>\ssc.exe

<system folder>\tasskkill.exe

<system folder>\vsssadmin.exe

<system folder>\vwipxsspx.exe

<system folder>\w32ttm.exe

<system folder>\winhlp322.exe

<system folder>\winmiine.exe

<system folder>\wuaucllt.exe

The trojan may execute on a regular basis by creating a scheduled task, for example:

<system folder>\cmd.exe /c at 08:38 /every:W <system folder>\mqttgsvc.exe

<system folder>\cmd.exe /c at 10:00 /every:T <system folder>\rreplace.exe

<system folder>\cmd.exe /c at 10:06 /every:T <system folder>\packagger.exe

<system folder>\cmd.exe /c at 10:12 /every:T <system folder>\tasskkill.exe

<system folder>\cmd.exe /c at 10:16 /every:T <system folder>\labbel.exe

<system folder>\cmd.exe /c at 10:17 /every:T <system folder>\dfrgnntfs.exe

<system folder>\cmd.exe /c at 10:18 /every:T <system folder>\logofff.exe

<system folder>\cmd.exe /c at 10:28 /every:T <system folder>\cmstpp.exe

<system folder>\cmd.exe /c at 10:31 /every:T <system folder>\odbccad32.exe

<system folder>\cmd.exe /c at 10:31 /every:T <system folder>\winmiine.exe

<system folder>\cmd.exe /c at 10:33 /every:T <system folder>\w32ttm.exe

<system folder>\cmd.exe /c at 11:01 /every:T <system folder>\ie4uinnit.exe

<system folder>\cmd.exe /c at 11:01 /every:T <system folder>\winhlp322.exe

<system folder>\cmd.exe /c at 11:03 /every:T <system folder>\msshta.exe

<system folder>\cmd.exe /c at 11:04 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\eddlin.exe

<system folder>\cmd.exe /c at 11:04 /every:T <system folder>\vwipxsspx.exe

<system folder>\cmd.exe /c at 11:06 /every:T <system folder>\ddcomcnfg.exe

<system folder>\cmd.exe /c at 11:14 /every:T <system folder>\finddstr.exe

<system folder>\cmd.exe /c at 11:21 /every:T <system folder>\ffindstr.exe

<system folder>\cmd.exe /c at 11:23 /every:T <system folder>\odbccad32.exe

<system folder>\cmd.exe /c at 11:30 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\fixmapii.exe

<system folder>\cmd.exe /c at 11:30 /every:T <system folder>\scc.exe

<system folder>\cmd.exe /c at 11:33 /every:T <system folder>\rdsshost.exe

<system folder>\cmd.exe /c at 11:37 /every:T <system folder>\siggverif.exe

<system folder>\cmd.exe /c at 11:39 /every:T <system folder>\ipxxroute.exe

<system folder>\cmd.exe /c at 11:45 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\wuaucllt.exe

<system folder>\cmd.exe /c at 11:49 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\hhelp.exe

<system folder>\cmd.exe /c at 11:54 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\dfrgfatt.exe

<system folder>\cmd.exe /c at 11:58 /every:T <system folder>\nnapstat.exe

<system folder>\cmd.exe /c at 12:00 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\drwtssn32.exe

<system folder>\cmd.exe /c at 12:05 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\qwinnsta.exe

<system folder>\cmd.exe /c at 12:13 /every:T <system folder>\eventtvwr.exe

<system folder>\cmd.exe /c at 12:14 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\slservv.exe

<system folder>\cmd.exe /c at 12:16 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\rwiinsta.exe

<system folder>\cmd.exe /c at 12:24 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\vsssadmin.exe

<system folder>\cmd.exe /c at 12:31 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\iipv6.exe

<system folder>\cmd.exe /c at 12:38 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\rtcsharee.exe

<system folder>\cmd.exe /c at 12:38 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\spideer.exe

<system folder>\cmd.exe /c at 12:45 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\sffc.exe

<system folder>\cmd.exe /c at 12:49 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\accwiiz.exe

<system folder>\cmd.exe /c at 12:53 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\dwwwin.exe

<system folder>\cmd.exe /c at 12:54 /every:T <system folder>\clicconfg.exe

<system folder>\cmd.exe /c at 13:24 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\ssc.exe

<system folder>\cmd.exe /c at 13:46 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\winmiine.exe

<system folder>\cmd.exe /c at 13:53 /every:2,5,8,11,14,17,20,23,26,29 <system folder>\nettsh.exe

Payload

Drops another malware

TrojanDownloader:Win32/Regonid.B may also have a data file component with any of the following file names:

<system folder>\c_0037.nls

<system folder>\c_0377.nls

<system folder>\c_100000.nls

<system folder>\c_100006.nls

<system folder>\c_12250.nls

<system folder>\c_12533.nls

<system folder>\c_12554.nls

<system folder>\c_202611.nls

<system folder>\c_208666.nls

<system folder>\c_209055.nls

<system folder>\c_285594.nls

<system folder>\c_285595.nls

<system folder>\c_285992.nls

<system folder>\c_288597.nls

<system folder>\c_5000.nls

<system folder>\c_8555.nls

<system folder>\c_8633.nls

<system folder>\c_8774.nls

<system folder>\c_9499.nls

<system folder>\c_9500.nls

<system folder>\c_9936.nls

<system folder>\c_9949.nls

<system folder>\c__1250.nls

<system folder>\c__28591.nls

<system folder>\c__28599.nls

<system folder>\c__500.nls

<system folder>\c__860.nls

<system folder>\c__950.nls

<system folder>\cc_10081.nls

<system folder>\cc_28594.nls

<system folder>\cc_869.nls

<system folder>\cc_936.nls

<system folder>\l_inntl.nls

It decrypts the .nls file to a .dll file, then drops the file in the system folder. It is detected as Trojan:Win32/BHO.DP using one of the following file names:

<system folder>\aatl.dll

<system folder>\apcuups.dll

<system folder>\atmliib.dll

<system folder>\cfgmmgr32.dll

<system folder>\cmutiil.dll

<system folder>\comsnnap.dll

<system folder>\d3ddim.dll

<system folder>\deskmonn.dll

<system folder>\dhcpsappi.dll

<system folder>\dimaap.dll

<system folder>\dot3cffg.dll

<system folder>\dpnett.dll

<system folder>\jgsh4000.dll

<system folder>\loadpeerf.dll

<system folder>\mciaavi32.dll

<system folder>\mfc711.dll

<system folder>\msdtcprrx.dll

<system folder>\msjjter40.dll

<system folder>\oleeprn.dll

<system folder>\ossuninst.dll

<system folder>\perfneet.dll

<system folder>\rasmaans.dll

<system folder>\usrvooica.dll

<system folder>\wmeerrenu.dll

<system folder>\wmpcorre.dll

<system folder>\wupss.dll

Downloads arbitrary files

TrojanDownloader:Win32/Regonid.B may attempt to connect to a remote server and download arbitrary files to "C:\recycler\<random four-digit hex number>.tmp". The following are some of the URLs used:

affiliateonline.net/images/lagEX<removed>
affiliateonline.net/images/lagfB<removed>
albertfischer.net/blog/wp-admin/images/fadetE4<removed>
albertfischer.net/blog/wp-admin/images/fadetpc<removed>
albertfischer.net/blog/wp-admin/images/fadetVH<removed>
albertfischer.net/blog/wp-admin/images/fadetVk<removed>
bostonforfamilies.com/images/1591145361pc<removed>
brandonvolleyball.com/wp-includes/images/imageGw<removed>
buxr.com/images/yellcloseVH<removed>
canopian.com/templates/bluearmor/images/feadns<removed>
canopian.com/templates/bluearmor/images/feadzK<removed>
coolbuddy.com/imgs/cool-mag2f<removed>
coolbuddy.com/imgs/cool-magA3<removed>
coolbuddy.com/imgs/cool-magpc<removed>
coolbuddy.com/imgs/cool-magX2<removed>
dianarae.net/bojangles/images/metstripEX<removed>
dianarae.net/bojangles/images/metstripGw<removed>
dianarae.net/bojangles/images/metstripVH<removed>
drift411.com/images/videos_03ns<removed>
drift411.com/images/videos_03qL<removed>
drift411.com/images/videos_03sL<removed>
drift411.com/images/videos_03XY<removed>
f8f8.com/images/sirl9P<removed>
forthevicar.com/piclens/pictures/images/good0llE4<removed>
forthevicar.com/piclens/pictures/images/good0llGw<removed>
freeplaynow.com/images/mak39P<removed>
freeplaynow.com/images/mak3ns<removed>
freeplaynow.com/images/mak3sL<removed>
freeplaynow.com/images/mak3XY<removed>
harrypotterspage.com/wp/wp-content/uploads/dhmovse3VH<removed>
harrypotterspage.com/wp/wp-content/uploads/dhmovse3Vk<removed>
hotgamestown.com/images/tog57<removed>
hotgamestown.com/images/togns<removed>
hotgamestown.com/images/togpc<removed>
img.tomsgames.com/screenshots/l4692f<removed>
img.tomsgames.com/screenshots/l469ns<removed>
img.tomsgames.com/screenshots/l469pc<removed>
img.tomsgames.com/screenshots/l469sL<removed>
img.tomsgames.com/screenshots/l469X2<removed>
img.tomsgames.com/screenshots/l469XY<removed>
ineedfile.com/images_new/mainGw<removed>
ineedfile.com/images_new/mainVk<removed>
mattpelc.com/images/image2f<removed>
mattpelc.com/images/imageqL<removed>
mattpelc.com/images/imagezK<removed>
mikemclin.com/images/mm_graphic2f<removed>
mikemclin.com/images/mm_graphicpc<removed>
mikemclin.com/images/mm_graphiczK<removed>
modamag.com/wpelifB<removed>
playitontheweb.com/images/ticpc<removed>
playitontheweb.com/images/ticXY<removed>
playitontheweb.com/images/ticzK<removed>
rehab-loan.com/wp-admin/images/screenE4<removed>
rehab-loan.com/wp-admin/images/screenfB<removed>
rehab-loan.com/wp-admin/images/screenVk<removed>
revnes.com/JagWIRE-DEV/img/invistEX<removed>
snesracing.com/images/beatlinkA3<removed>
snesracing.com/images/beatlinkah<removed>
snesracing.com/images/beatlinkXY<removed>
straight2dvdmovies.com/wp-content/themes/church_30/images/kssEX<removed>
swapboats.com/common/imagelib/b532Vk<removed>
thinkingofrob.com/wp-content/uploads/2010/01/5l357175E4<removed>
thinkingofrob.com/wp-content/uploads/2010/01/5l357175fB<removed>
thinkingofrob.com/wp-content/uploads/2010/01/5l357175Vk<removed>
voltaik.com/misc/protal9P<removed>
voltaik.com/misc/protalns<removed>
voltaik.com/misc/protalX2<removed>
voltaik.com/misc/protalXY<removed>
wayneslegion.com/a_data/imageqL<removed>
wayneslegion.com/a_data/imageX2 <removed>
webcaranguejo.net/site/images/images9P<removed>
webcaranguejo.net/site/images/imagesA3<removed>
webcaranguejo.net/site/images/imagesns<removed>
webcaranguejo.net/site/images/imagespc<removed>
webcaranguejo.net/site/images/imagesqL<removed>
wetlime.com/pics/imagessL<removed>
whiteminaret.com/wp-admin/images/wpspin_vsA3<removed>

Analysis by Hyun Choi

Last update 23 April 2012

TOP

Malware :

Last 20

Family:

TrojanDownloader:Win32/Regonid.B