
Trojan:Win32/Omexo.C


First posted on 09 April 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Omexo.C is also known as TR/Vundo.Gen (AVG), Win32/Ambler.CU (CA), W32/W.B (Norman), AdWare.Win32.Vundo.d (Rising AV), Mal/Scribble-D (Sophos), Trojan.Peed.OP (VirusBuster).

Explanation :

Trojan:Win32/Omexo.C is a detection for a trojan that steals credentials and can damage the user's computer. It also downloads and executes files from a remote server.

Installation

Trojan:Win32/Omexo.C can be injected into the running Windows system process "services.exe" by the malware Trojan:WinNT/Omexo.D without creating or dropping the trojan file on the local drive. Trojan:Win32/Omexo.C may hook several Windows system APIs in all user-mode processes in order to:

  • log authentication credentials for FTP, NNTP, POP3 and HTTP POST requests
  • log the names of Windows executable files downloaded via Web browsers
  • block any Web page and redirect it to a predefined Web address, such as "eef795a4eddaf1e7bd79212acc9dde16.net"

Payload

Connects to remote server

When running inside the Windows system process "services.exe", Trojan:Win32/Omexo.C contacts a remote server (such as "eef795a4eddaf1e7bd79212acc9dde16.net") to report the infection.

Performs arbitrary actions

While connected to the remote server, the trojan may retrieve commands. Depending on the commands received, it may perform the following actions:

  • update its driver
  • download and execute arbitrary files
  • destroy data on the local drive (for example, erase the MBR of the system drive or delete all files in the system partition)
  • terminate processes, including smss.exe, csrss.exe, lsass.exe, winlogon.exe and services.exe
  • collect and upload sensitive information, such as:
      - data logged by the API hooks
      - browser cookies and credentials stored by browsers, including Internet Explorer, Firefox and Opera
      - credentials stored in Windows Protected Storage
      - the list of running processes
      - screenshots
      - detailed system information and TCP activity
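Because this component runs in memory inside services.exe and never drops a file, file-based scanning alone can miss it; the observable behaviours above (a lookup of or connection to the named C2 domain, outbound web traffic originating from services.exe, and termination of core system processes) are what a detection engineer can hunt for in endpoint telemetry. The following is an added example and is not part of the original write-up or the analyst's work: a small Python hunt over Sysmon-style JSON event records. The event kinds and field names (`dns_query`, `network_connect`, `process_terminate`, `image`, `target_image`, `dest_host`, `dest_port`) are a simplified assumption rather than any real product's schema, and the sample log is constructed; only the C2 domain and the process names come from the write-up.

```python
"""Hunt for Omexo.C-style behaviour in simplified, Sysmon-like JSON event logs.

Added example; the event schema below is an assumption, not a real product format.
"""
import json
from dataclasses import dataclass

# Indicator named in the write-up: the beacon / redirect domain.
C2_DOMAINS = {"eef795a4eddaf1e7bd79212acc9dde16.net"}
# Core Windows processes the write-up says the trojan may terminate.
PROTECTED_PROCS = {"smss.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
# Ports on which outbound traffic from services.exe is suspicious (assumption).
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_c2_domain(name: str) -> bool:
    """True for the C2 domain itself or any subdomain of it, case-insensitively."""
    name = name.lower().rstrip(".")
    return name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS)


def check_event(ev: dict) -> list:
    """Apply the three behavioural rules to one event and return any alerts."""
    alerts = []
    kind = ev.get("event")
    image = basename(ev.get("image", ""))
    if kind == "dns_query" and is_c2_domain(ev.get("query", "")):
        alerts.append(Alert("c2_domain_lookup", f"{image} resolved {ev['query']}"))
    elif kind == "network_connect":
        dest = ev.get("dest_host", "")
        port = ev.get("dest_port")
        if is_c2_domain(dest):
            alerts.append(Alert("c2_connection", f"{image} -> {dest}:{port}"))
        # services.exe does not normally open outbound web connections; the
        # write-up says the trojan beacons from inside that process.
        if image == "services.exe" and port in WEB_PORTS:
            alerts.append(Alert("services_exe_outbound_web", f"services.exe -> {dest}:{port}"))
    elif kind == "process_terminate":
        target = basename(ev.get("target_image", ""))
        if target in PROTECTED_PROCS:
            alerts.append(Alert("core_process_terminated", f"{image} terminated {target}"))
    return alerts


def hunt(log_lines) -> list:
    """Parse one JSON record per line; malformed lines are skipped, not fatal."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        alerts.extend(check_event(ev))
    return alerts


# Constructed sample telemetry (raw string so the JSON keeps its backslashes).
SAMPLE_LOG = r"""
{"event":"dns_query","image":"C:\\Windows\\System32\\services.exe","query":"eef795a4eddaf1e7bd79212acc9dde16.net"}
{"event":"network_connect","image":"C:\\Windows\\System32\\services.exe","dest_host":"eef795a4eddaf1e7bd79212acc9dde16.net","dest_port":80}
{"event":"network_connect","image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","dest_host":"www.example.com","dest_port":443}
{"event":"process_terminate","image":"C:\\Windows\\System32\\services.exe","target_image":"C:\\Windows\\System32\\lsass.exe"}
{"event":"process_terminate","image":"C:\\Windows\\explorer.exe","target_image":"C:\\Windows\\notepad.exe"}
this line is not JSON and is skipped
"""

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{alert.rule}] {alert.detail}")
```

On the constructed sample this raises four alerts: the C2 lookup, the C2 connection, the outbound web connection from services.exe, and the termination of lsass.exe; the browser's ordinary HTTPS connection and the explorer.exe/notepad.exe termination stay silent. The `services_exe_outbound_web` rule is the one worth keeping even after the domain rotates, since it keys on the injection host rather than on the indicator.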

    Analysis by Shawn Wang

    Last update 09 April 2010
