Home / malwarePDF  

Trojan:Win32/Locotout.gen!A


First posted on 10 May 2013.
Source: Microsoft

Aliases :

Trojan:Win32/Locotout.gen!A is also known as Backdoor.Win32.Agent.bwqq (Kaspersky), W32/Suspicious_Gen2.RLJII (Norman), Trojan horse BackDoor.Agent.ANRA (AVG), Trojan.Siggen3.14603 (Dr.Web), Win32/SpamTool.Agent.NFD (ESET), TROJ_SPNR.0CKG11 (Trend Micro).

Explanation :



Installation

Trojan:Win32/Locotout.gen!A makes the following registry modifications:

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdobeTM5
Sets value: "DisplayName"
With data: "AdobeTM5"

Sets value: "ImagePath"
With data: "<malware path>"

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADOBETM5\0000
Sets value: "Class"
With data: "LegacyDriver"

Sets value: "Legacy"
With data: "0x00000001"

These modifications make the trojan look like a legitimate software driver.

Payload

Connects to a remote host

This trojan connects to the following remote server to download spam templates and distribution lists:

  • doremifas.com/ <removed>/index.php


At the time of analysis this website was no longer available.

Sends spam emails

Trojan:Win32/Locotout.gen!A uses Simple Mail Transfer Protocol (SMTP) to send out spam emails. The content of this spam is based on templates and lists it receives from a remote server. Depending on the instructions from the remote server, the spam may be used to distribute other malware.

The subject, body and contents of the spam email change and can be updated at any time. We have seen this trojan send spam emails with content of an illicit nature.

This trojan can have more than one spam campaign running at the same time.

To send spam emails the trojan uses your computer to connect to one of the following SMTP servers:

  • mail.schoolrx.org
  • mail.scibank.com
  • mail.scicable.com
  • mail.scottyzee.com
  • mail.scpfc.org
  • smtp.colba.net
  • smtp.colegiosanpatricio.cl
  • smtp.comcast.net
  • smtp.commercialokc.com
  • smtp.core.com
  • smtp.cornerstonevc.com
  • smtp.corsum.com
  • smtp.coson.com
  • smtp.externet.hu
  • smtp.interia.eu
  • smtp.interia.pl
  • smtp.kingwoodcable.net
  • smtp.mediaserv.net
  • smtp.netzero.com
  • smtp.netzero.net
  • smtp.nexus.hu
  • smtp.yeah.net
  • smtp.yellville.net




Analysis by Alden Pornasdoro.

Last update 10 May 2013

 

TOP

Malware :

Family: