
TrojanDownloader:Win32/Remetrac.A


First posted on 18 June 2009.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Remetrac.A is also known as Trojan.Win32.Agent.axon (Kaspersky), Mal/Inet-Fam (Sophos), Trojan horse Agent.ATVE (AVG), Trojan:Win32/Remetrac.A (other).

Explanation :

TrojanDownloader:Win32/Remetrac.A is a trojan that connects to certain Web sites to download other files, which may be malware.

Symptoms

System changes
The following system changes may indicate the presence of this malware:

  • The presence of any of the following files:
    %ProgramFiles%\Windows media player\ctfmon.exe
    %windir%\smss.exe
    <system folder>\drivers\svchost.exe
    <system folder>\mscon.exe
    <system folder>\promoz.exe
  • The presence of the following registry modifications:
    Added value: "Userinit"
    With data: "<system folder>\userinit.exe,%ProgramFiles%\Windows media player\ctfmon.exe,"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Added value: "smss"
    With data: "%windir%\smss.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Added value: "Userinit"
    With data: "<system folder>\userinit.exe,<system folder>\drivers\svchost.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Added value: "mscon"
    With data: "<system folder>\mscon.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Added value: "promoz"
    With data: "<system folder>\promoz.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run


Installation

When run, TrojanDownloader:Win32/Remetrac.A copies itself using a variety of file names, for example:

  • %ProgramFiles%\Windows media player\ctfmon.exe
  • %windir%\smss.exe
  • <system folder>\drivers\svchost.exe
  • <system folder>\mscon.exe
  • <system folder>\promoz.exe

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32. Note that some of the file names it may use are also used by legitimate Windows files, but the malware's copies are located in different folders. For example, the Windows files 'ctfmon.exe', 'smss.exe', and 'svchost.exe' are located by default in the Windows system folder.

It modifies the following registry entries so that its copy runs every time Windows starts, for example:

    Adds value: "Userinit"
    With data: "<system folder>\userinit.exe,%ProgramFiles%\Windows media player\ctfmon.exe,"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Adds value: "smss"
    With data: "%windir%\smss.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Adds value: "Userinit"
    With data: "<system folder>\userinit.exe,<system folder>\drivers\svchost.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Adds value: "mscon"
    With data: "<system folder>\mscon.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Adds value: "promoz"
    With data: "<system folder>\promoz.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Payload

Downloads other files
TrojanDownloader:Win32/Remetrac.A downloads other files, which may be malware, from certain Web sites. These sites may vary from sample to sample. Some of the sites that it is known to download files from are the following:
  • crisis1s.com
  • lite-corp.net
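As an added example that is not part of the original page or of any vendor tooling, the following Python script turns the indicators in the Installation and Payload sections into three checks a defender can run over collected data: the Winlogon Userinit value is parsed for entries other than the system folder's userinit.exe (the value is comma-separated and normally ends with a trailing comma), file paths and Run-key values are compared with the listed paths and with the note about legitimate Windows names appearing in the wrong folder, and proxy log lines are searched for the two download sites, including subdomains. The sample Userinit value, Run-key entries and log lines are constructed for the demonstration, and the placeholder expansion assumes the XP/Vista default folders named in the note.

```python
from __future__ import annotations

import ntpath
import re

# Assumed default locations for the page's placeholders (Windows XP/Vista;
# on 2000/NT the system folder would be C:\Winnt\System32 instead).
WINDIR = r"C:\Windows"
SYSTEM = r"C:\Windows\System32"
PROGRAMFILES = r"C:\Program Files"

# File paths listed on the page, with the placeholders expanded.
KNOWN_FILES = {
    rf"{PROGRAMFILES}\Windows media player\ctfmon.exe",
    rf"{WINDIR}\smss.exe",
    rf"{SYSTEM}\drivers\svchost.exe",
    rf"{SYSTEM}\mscon.exe",
    rf"{SYSTEM}\promoz.exe",
}
# Run-key value names listed on the page.
KNOWN_RUN_NAMES = {"smss", "mscon", "promoz"}
# Names borrowed from legitimate Windows binaries, with the folder where the
# real binary lives; the same name anywhere else is suspicious.
LEGIT_LOCATIONS = {name: SYSTEM for name in
                   ("ctfmon.exe", "smss.exe", "svchost.exe", "userinit.exe")}
# Download sites named on the page.
KNOWN_DOMAINS = {"crisis1s.com", "lite-corp.net"}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def check_userinit(value: str) -> list[str]:
    """Return every entry of a Winlogon\\Userinit value other than the
    legitimate <system folder>\\userinit.exe. Empty items (from the usual
    trailing comma) are skipped."""
    extra = []
    for item in (s.strip() for s in value.split(",")):
        if not item:
            continue
        if (ntpath.basename(item).lower() == "userinit.exe"
                and ntpath.dirname(item).lower() == SYSTEM.lower()):
            continue
        extra.append(item)
    return extra


def classify_path(path: str) -> str | None:
    """'known_indicator' for a path listed on the page, 'misplaced_system_name'
    for a Windows binary name outside its default folder, otherwise None."""
    norm = path.lower()
    if norm in {p.lower() for p in KNOWN_FILES}:
        return "known_indicator"
    legit = LEGIT_LOCATIONS.get(ntpath.basename(norm))
    if legit and ntpath.dirname(norm) != legit.lower():
        return "misplaced_system_name"
    return None


def check_run_values(values: dict[str, str]) -> list[str]:
    """Flag Run-key values by a listed name or by listed/misplaced file data."""
    return [f"{name}={data}" for name, data in values.items()
            if name.lower() in KNOWN_RUN_NAMES or classify_path(data) is not None]


def find_domains(log_lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, matched domain) for each log line whose hostname
    is one of the known download sites or a subdomain of one."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            for dom in sorted(KNOWN_DOMAINS):
                if host == dom or host.endswith("." + dom):
                    hits.append((lineno, dom))
    return hits


# Constructed sample input (not from the page): a tampered Userinit value,
# three Run-key values and three proxy log lines.
SAMPLE_USERINIT = rf"{SYSTEM}\userinit.exe,{PROGRAMFILES}\Windows media player\ctfmon.exe,"
SAMPLE_RUN = {
    "ctfmon": rf"{SYSTEM}\ctfmon.exe",   # legitimate location, not flagged
    "mscon": rf"{SYSTEM}\mscon.exe",     # listed on the page
    "updater": r"C:\Temp\svchost.exe",   # Windows name in the wrong folder
}
SAMPLE_LOG = [
    "2009-06-18 10:00:01 10.0.0.5 GET http://www.example.com/index.html 200",
    "2009-06-18 10:00:07 10.0.0.5 GET http://crisis1s.com/update.bin 200",
    "2009-06-18 10:00:09 10.0.0.5 GET http://dl.lite-corp.net/pack.exe 200",
]

if __name__ == "__main__":
    print("Userinit extras:", check_userinit(SAMPLE_USERINIT))
    print("Run-key findings:", check_run_values(SAMPLE_RUN))
    print("Download-site hits:", find_domains(SAMPLE_LOG))
```

The Userinit check is the most durable of the three: the file names and download sites vary between samples, but any entry in Userinit beyond the system folder's userinit.exe is worth investigating regardless of what it is called.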


Analysis by Tim Liu

Last update 18 June 2009
