TrojanDownloader:Win32/Remetrac.A
First posted on 18 June 2009.
Source: SecurityHome
Aliases :
TrojanDownloader:Win32/Remetrac.A is also known as Trojan.Win32.Agent.axon (Kaspersky), Mal/Inet-Fam (Sophos), Trojan horse Agent.ATVE (AVG), Trojan:Win32/Remetrac.A (other).
Explanation :
TrojanDownloader:Win32/Remetrac.A is a trojan that connects to certain Web sites to download other files, which may be malware.
Symptoms
System changes
The following system changes may indicate the presence of this malware:
The presence of any of the following files:
%ProgramFiles%\Windows media player\ctfmon.exe
%windir%\smss.exe
<system folder>\drivers\svchost.exe
<system folder>\mscon.exe
<system folder>\promoz.exe
The presence of the following registry modifications:
Added value: "Userinit"
With data: "<system folder>\userinit.exe,%ProgramFiles%\Windows media player\ctfmon.exe,"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Added value: "smss"
With data: "%windir%\smss.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Added value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\drivers\svchost.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Added value: "mscon"
With data: "<system folder>\mscon.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Added value: "promoz"
With data: "<system folder>\promoz.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Installation
When run, TrojanDownloader:Win32/Remetrac.A copies itself using a variety of file names, for example:
%ProgramFiles%\Windows media player\ctfmon.exe
%windir%\smss.exe
<system folder>\drivers\svchost.exe
<system folder>\mscon.exe
<system folder>\promoz.exe
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Note that some of the file names it uses are also used by legitimate Windows files, but the malware's copies are located in different folders. For example, the legitimate 'ctfmon.exe', 'smss.exe', and 'svchost.exe' are located by default in the Windows system folder, whereas the copies above sit under %ProgramFiles%\Windows media player, directly in %windir%, and in <system folder>\drivers respectively. The file name alone therefore does not identify the malware; the full path does.
It modifies the following registry entries so that its copy runs every time Windows starts, for example:
Adds value: "Userinit"
With data: "<system folder>\userinit.exe,%ProgramFiles%\Windows media player\ctfmon.exe,"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "smss"
With data: "%windir%\smss.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\drivers\svchost.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "mscon"
With data: "<system folder>\mscon.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "promoz"
With data: "<system folder>\promoz.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The Winlogon Userinit value normally contains only <system folder>\userinit.exe followed by a comma; the path the malware appends is launched by Winlogon at every interactive logon, which is how the copy survives a reboot even if the HKCU Run values are removed.
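The following PowerShell script is an added example, not part of the original analysis: a read-only check for the file and registry artifacts listed above, to be run in an elevated prompt on a suspect host. It maps <system folder> to [Environment]::SystemDirectory and takes %ProgramFiles% and %windir% from the environment; the expected clean Userinit value (<system folder>\userinit.exe) and the Run value names it flags are taken from the write-up. A hit is an indicator only and should be confirmed with a current scanner before anything is deleted.

```powershell
# Added example, not from the original write-up: read-only sweep for the
# TrojanDownloader:Win32/Remetrac.A persistence artifacts described above.
# Run from an elevated PowerShell prompt on the suspect Windows host.

$sys = [Environment]::SystemDirectory   # <system folder>, e.g. C:\Windows\System32
$win = $env:windir                      # %windir%, e.g. C:\Windows
$pf  = $env:ProgramFiles                # %ProgramFiles%, e.g. C:\Program Files

# File locations named in the write-up. The genuine ctfmon.exe, smss.exe and
# svchost.exe live directly in $sys, so only these exact paths are suspicious.
$iocFiles = @(
    (Join-Path $pf  'Windows media player\ctfmon.exe'),
    (Join-Path $win 'smss.exe'),
    (Join-Path $sys 'drivers\svchost.exe'),
    (Join-Path $sys 'mscon.exe'),
    (Join-Path $sys 'promoz.exe')
)

# Run-key value names the write-up attributes to the malware.
$iocRunNames = @('smss', 'mscon', 'promoz')

$findings = New-Object System.Collections.Generic.List[object]

# 1. Dropped copies on disk (full-path match, not file name alone).
foreach ($path in $iocFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        $findings.Add([pscustomobject]@{
            Type   = 'File'
            Where  = $path
            Detail = '{0} bytes, modified {1}' -f $item.Length, $item.LastWriteTime
        })
    }
}

# 2. Winlogon\Userinit. The clean value is "<system folder>\userinit.exe,"
#    (trailing comma); every additional comma-separated entry is an extra
#    program Winlogon starts at logon, which is how this trojan hooks in.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    $expected = Join-Path $sys 'userinit.exe'
    $entries  = $userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -ne $expected) {          # -ne is case-insensitive in PowerShell
            $findings.Add([pscustomobject]@{
                Type   = 'Registry'
                Where  = "$winlogon\Userinit"
                Detail = "extra logon program: $entry"
            })
        }
    }
}

# 3. HKCU Run values of the current user. Flag the value names from the
#    write-up, and any value whose data points at a dropped-file path
#    regardless of the name it was registered under.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $run.GetValueNames()) {
        $data   = [string]$run.GetValue($name)
        $byName = $iocRunNames -contains $name
        $byData = $iocFiles | Where-Object {
            $data.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
        }
        if ($byName -or $byData) {
            $findings.Add([pscustomobject]@{
                Type   = 'Registry'
                Where  = "$runKey\$name"
                Detail = $data
            })
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Remetrac.A indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

The Run-key check only covers the hive of the account running the script, because the write-up places those values under HKCU; on a shared machine repeat it under each account, or walk the loaded hives under HKU:\ (HKEY_USERS) with the same logic. The Userinit check is the one to trust most: the value is machine-wide, and anything beyond the single userinit.exe entry is unusual on a clean system.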
Payload
Downloads other files
TrojanDownloader:Win32/Remetrac.A downloads other files, which may be malware, from certain Web sites. These sites may vary from sample to sample. Some of the sites that it is known to download files from are the following:
crisis1s.com
lite-corp.net
Analysis by Tim Liu
Last update 18 June 2009