
Trojan.Harnig.WA


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Harnig.WA is also known as Virus.Win32.Xorer.dr, Trojan.Hunder.origin, W32.Pagipef.I!inf and Win32/Xorer.

Explanation:

Upon execution the malware creates the following files:

%sysdir%\com\smss.exe
%sysdir%\com\lsass.exe
%sysdir%\com\netcfg.000
%sysdir%\com\netcfg.dll

These files carry the hidden attribute, and the malware resets the following registry key so that they remain invisible in Explorer:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden

The file netcfg.dll is registered using the following registry entries:

HKCR\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}
HKCR\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}
HKCR\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}
HKCR\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}
HKCR\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}


In order to spread, the malware copies itself to the root of every installed drive under the name pagefile.pif and creates an AUTORUN.INF entry that references this file.
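The root-drive spreading step (pagefile.pif plus an AUTORUN.INF that launches it) is the part of this behaviour a defender can check offline, for example when triaging a removable drive. The helper below is an added example, not part of the BitDefender write-up: it parses an autorun.inf and reports which files its launch keys would execute, flagging any executable and the pagefile.pif name specifically. The key names open/shellexecute/shell\open\command and the sample autorun.inf text are assumptions, since the original does not state which key the malware uses.

```python
import re
from typing import Dict, List

# [autorun] keys that launch a file (assumed set; the write-up only says the
# AUTORUN.INF entry "references" pagefile.pif, not which key it uses).
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command", r"shell\explore\command")
HARNIG_DROPPER = "pagefile.pif"   # root-drive copy named in the write-up
EXEC_EXTS = (".pif", ".exe", ".com", ".scr", ".bat", ".cmd")

def parse_autorun(text: str) -> Dict[str, str]:
    """Key -> value pairs of the [autorun] section, keys lower-cased.
    Hand-rolled: real autorun.inf files are often malformed and Windows
    matches section and key names case-insensitively."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            found[key.strip().lower()] = value.strip()
    return found

def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Base names of files the launch keys would run (quotes, arguments and
    leading path components stripped)."""
    targets = []
    for key in LAUNCH_KEYS:
        value = entries.get(key)
        if not value:
            continue
        m = re.match(r'"([^"]+)"|(\S+)', value)
        if m:
            token = m.group(1) or m.group(2)
            targets.append(re.split(r"[\\/]", token)[-1])
    return targets

def assess_autorun(text: str) -> Dict[str, object]:
    """Flag an autorun.inf that launches an executable from the drive root,
    and specifically the pagefile.pif name used by Trojan.Harnig.WA."""
    targets = launch_targets(parse_autorun(text))
    return {
        "targets": targets,
        "executables": [t for t in targets if t.lower().endswith(EXEC_EXTS)],
        "harnig_dropper": any(t.lower() == HARNIG_DROPPER for t in targets),
    }

# Constructed sample, not captured from the malware: mixed-case keys and
# trailing arguments, as commonly seen on removable-media autorun files.
SAMPLE_AUTORUN = r"""[AutoRun]
Open=.\pagefile.pif /s
ShellExecute="pagefile.pif" auto
icon=%SystemRoot%\system32\shell32.dll,4
"""
```

Running `assess_autorun(SAMPLE_AUTORUN)` reports both launch keys resolving to pagefile.pif and sets `harnig_dropper` to True; an autorun.inf with only an `icon` line produces no targets.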

The smss.exe process launches an instance of iexplore.exe, which retrieves HTML pages from locations such as:
w.c0????m/r.htm
w.c0????m/favicon.ico

These pages contain instructions which are interpreted by netcfg.dll.

The lsass.exe process listens on UDP ports 1035 and 1036 and tries to connect to xf.k0???2.com.

lsass.exe and smss.exe monitor each other: if one process is killed, the other restarts it.

Last update 21 November 2011
