TrojanDropper:Win32/Machime.A


First posted on 12 November 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Machime.A is also known as Dropper/InfoStealer.143360 (AhnLab), Trojan-Downloader.Win32.PowerPointer.b (Kaspersky), Trojan.DL.PowerPointer.G (VirusBuster), TR/Spy.WMach (Avira), Win32/Gosht.DI (CA), Trojan.DownLoad.59060 (Dr.Web), Trojan-Downloader.Win32.PowerPointer (Ikarus).

Explanation :

TrojanDropper:Win32/Machime.A is a detection for malware that may be downloaded and executed in a computer by malware detected as Exploit:Win32/Pdfheap.A. In turn, it drops another malware detected as Trojan:Win32/Trooti.

Installation

TrojanDropper:Win32/Machime.A may be downloaded and executed on a computer by a file detected as Exploit:Win32/Pdfheap.A if the computer is vulnerable to the software vulnerability described in CVE-2009-1862. The vulnerability affects Adobe Reader and Acrobat versions 9.1.2 and earlier, and Adobe Flash Player 9.0.159.0 and earlier and 10.0.22.87 and earlier. It is caused by the mishandling of SWF files inside a PDF file, and may allow a remote attacker to execute arbitrary code, including downloading and executing malware.

TrojanDropper:Win32/Machime.A removes itself from the computer once it has performed its malicious routine.

Payload

Drops other malware

TrojanDropper:Win32/Machime.A drops and installs the following file:

%windir%\ime\wmimachine2.dll - detected as Trojan:Win32/Trooti

It installs the dropped DLL as a Windows NT service by creating the following registry entries:

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4
Sets value: "NextInstance" With data: "dword:00000001"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000
Sets value: "Service" With data: "6to4"
Sets value: "Legacy" With data: "dword:00000001"
Sets value: "ConfigFlags" With data: "dword:00000000"
Sets value: "Class" With data: "LegacyDriver"
Sets value: "ClassGUID" With data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Sets value: "DeviceDesc" With data: ".NET Runtime Optimization Service v2.086521.BackUp_X86"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control
Sets value: "*NewlyCreated*" With data: "dword:00000000"
Sets value: "ActiveService" With data: "6to4"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Type" With data: "dword:00000020"
Sets value: "Start" With data: "dword:00000002"
Sets value: "ErrorControl" With data: "dword:00000001"
Sets value: "ImagePath" With data: "%SystemRoot%\\system32\\svchost.exe -k netsvcs"
Sets value: "DisplayName" With data: ".NET Runtime Optimization Service v2.086521.BackUp_X86"
Sets value: "ObjectName" With data: "LocalSystem"
Sets value: "Description" With data: "Microsoft .NET Framework NGEN"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll" With data: "%windir%\ime\wmimachine2.dll"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Security
Sets value: "Security" With data: "hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Enum
Sets value: "0" With data: "Root\LEGACY_6TO4\0000"
Sets value: "Count" With data: "dword:00000001"
Sets value: "NextInstance" With data: "dword:00000001"

Connects to remote servers

TrojanDropper:Win32/Machime.A attempts to access certain websites to send information about the infected computer.

Removes installed component

This trojan deletes the installed component "wmimachine.dll" by creating registry data.

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Sets value: "PendingFileRenameOperations" With data: "\\??\\%windir%\\ime\\wmimachine.dll"
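As an added defender-side example (not part of the original entry or its source), the Python below triages a .reg-style export for the two persistence and cleanup indicators described above: a svchost-hosted service whose ServiceDll resolves outside %SystemRoot%\system32, and PendingFileRenameOperations pairs with an empty destination, which the Session Manager treats as "delete this file at next boot". The sample export, the ENV expansion table and the parse_reg/triage helper names are constructed for the example; the key paths and values in the sample are taken from the entry, with one legitimate-looking Dnscache entry added as a control so the filter has something to pass.

```python
"""Triage the registry indicators listed for TrojanDropper:Win32/Machime.A.

Added example, not code from the original entry. Parses a constructed
.reg-style export and flags (1) services whose ServiceDll is not under
%SystemRoot%\\system32 and (2) PendingFileRenameOperations entries that
delete a file at the next boot (empty destination string).
"""
import re
from typing import Dict, List, Tuple

Registry = Dict[str, Dict[str, object]]

# Environment values used to expand paths; an assumption for the example
# (a real collector would read these from the examined host).
ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SESSION_MGR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"


def multi_sz_hex(strings: List[str]) -> str:
    """Encode a REG_MULTI_SZ as .reg 'hex(7):' data: UTF-16LE, each string
    NUL-terminated, list terminated by one more NUL."""
    raw = ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of multi_sz_hex; keeps empty strings, which matter for
    PendingFileRenameOperations (empty destination == delete)."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]                      # drop the list terminator
    parts = text.split("\0")
    return parts[:-1] if parts and parts[-1] == "" else parts


def parse_reg(text: str) -> Registry:
    """Minimal .reg parser: [key] headers, "name"="string", dword: and hex(7): data."""
    reg: Registry = {}
    key = None
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex line continuations
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg[key] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            reg[key][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.startswith("dword:"):
            reg[key][name] = int(data[6:], 16)
        elif data.startswith("hex(7):"):
            reg[key][name] = decode_multi_sz(bytes(int(h, 16) for h in data[7:].split(",") if h))
    return reg


def expand(path: str) -> str:
    """Expand %SystemRoot%/%windir% case-insensitively using the ENV table."""
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.IGNORECASE)
    return path


def suspicious_service_dlls(reg: Registry) -> List[Tuple[str, str]]:
    """(service name, expanded ServiceDll) for every service DLL outside system32."""
    system32 = (ENV["%systemroot%"] + "\\system32\\").lower()
    findings = []
    for key, values in reg.items():
        if not key.lower().startswith(SERVICES.lower()) or not key.lower().endswith("\\parameters"):
            continue
        dll = values.get("ServiceDll")
        if isinstance(dll, str):
            service = key[len(SERVICES):].split("\\")[0]
            full = expand(dll)
            if not full.lower().startswith(system32):
                findings.append((service, full))
    return findings


def pending_file_operations(reg: Registry) -> List[Tuple[str, str]]:
    """(source, destination) pairs from PendingFileRenameOperations; the NT
    '\\??\\' prefix is stripped for readability. Empty destination == delete."""
    entries = reg.get(SESSION_MGR, {}).get("PendingFileRenameOperations", [])
    pairs = []
    for i in range(0, len(entries), 2):
        src = entries[i][4:] if entries[i].startswith("\\??\\") else entries[i]
        pairs.append((src, entries[i + 1] if i + 1 < len(entries) else ""))
    return pairs


def triage(reg_text: str) -> dict:
    reg = parse_reg(reg_text)
    return {
        "service_dlls": suspicious_service_dlls(reg),
        "pending_deletes": [s for s, d in pending_file_operations(reg) if d == ""],
    }


# Constructed sample export: values from the entry plus one benign control entry.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"DisplayName"=".NET Runtime Optimization Service v2.086521.BackUp_X86"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"="%windir%\\ime\\wmimachine2.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
""" + '"PendingFileRenameOperations"=' + multi_sz_hex([r"\??\C:\Windows\ime\wmimachine.dll", ""]) + "\n"

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_REG).items():
        print(name, hits)
```

The Dnscache control line passes because its DLL expands to a path under system32; the 6to4 entry is reported with its expanded path, and the self-deletion of wmimachine.dll shows up as a pending delete. On a live host the same checks can be run against `reg export HKLM\SYSTEM` output, with ENV filled from the machine's actual environment.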

Analysis by Rex Plantado

Last update 12 November 2010
