
TrojanDownloader:Win32/Peguese.D


First posted on 28 March 2012.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Peguese.D.

Explanation:

TrojanDownloader:Win32/Peguese.D is a trojan that downloads and executes arbitrary files from a certain website.





Installation

Upon execution, TrojanDownloader:Win32/Peguese.D checks if the default language of the affected computer is Portuguese (Brazil). If this is not the default language, it exits and deletes itself.

If it is the default language, TrojanDownloader:Win32/Peguese.D drops a copy of itself as the file "%AppData%\<computer name>by.exe". It then runs its dropped copy, then deletes itself.

It then creates the following registry entries, which enable its dropped files (see the Payload section below) to run every time Windows starts:

In subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
Sets value: "pjct1"
With data: "%AppData%\pjct1.cpl"

In subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
Sets value: "pjct4"
With data: "%AppData%\pjct4.cpl"

In subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
Sets value: "pjct6"
With data: "C:\x<computer name>\pjct6.exe"

In subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
Sets value: "<computer name>.lnk"
With data: "%AppData%\<computer name>.lnk" (a shortcut that points to "%AppData%\pjct4.cpl")

where "C:\x<computer name>" is a hidden folder.

It also connects to "techgood.net" to notify a remote attacker of its successful installation.



Payload

Downloads other malware

TrojanDownloader:Win32/Peguese.D downloads the following files from "techgood.net":

  • pjct1.jpg - detected as TrojanSpy:Win32/Banker.AFE; saved as "%AppData%\pjct1.cpl"
  • pjct2.jpg - detected as TrojanSpy:Win32/Banker.AEZ; saved as "%AppData%\pjct2.cpl"
  • pjct3.jpg - detected as TrojanSpy:Win32/Banker.ABR; saved as the browser helper object (BHO) "C:\%AppData%\java.dll"
  • pjct4.jpg - detected as TrojanSpy:Win32/Banker.AFA; saved as "%AppData%\pjct4.cpl"
  • pjct6.jpg - detected as Trojan:Win32/Msposer.A; saved as "C:\x<computer name>\pjct6.exe"


It then runs the .CPL files by running the following command:

RunDLL32.exe Shell32.DLL, Control_RunDLL C:\%AppData%\<file name>.cpl

It also runs the "C:\%AppData%\java.dll" BHO by running the following command:

regsvr32 /s "%AppData%\java.dll"

Additional information

TrojanDownloader:Win32/Peguese.D creates an "%AppData%\ID" file containing the string "techgood.net/v14/muta32/infect/inf2/".
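As an added triage example (not part of the Microsoft write-up), the following Python script checks exported Run-key entries and process command lines for the persistence and execution patterns described above: pjctN Run values, .cpl applets autostarted from %AppData%, the hidden "C:\x<computer name>" folder, the "<computer name>.lnk" value, Control_RunDLL launches of .cpl files and the silent regsvr32 of java.dll. The host name "WS01", the user profile path and all sample entries are constructed.

```python
import re

# Constructed sample data (not from a real host): Run-key entries exported as
# (value name, data) pairs from a machine named "WS01", plus process command lines.
HOSTNAME = "WS01"
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("pjct1", r"C:\Users\ana\AppData\Roaming\pjct1.cpl"),
    ("pjct6", r"C:\xWS01\pjct6.exe"),
    ("WS01.lnk", r"C:\Users\ana\AppData\Roaming\WS01.lnk"),
]
SAMPLE_CMDLINES = [
    r"RunDLL32.exe Shell32.DLL, Control_RunDLL C:\Users\ana\AppData\Roaming\pjct4.cpl",
    r'regsvr32 /s "C:\Users\ana\AppData\Roaming\java.dll"',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
]

# Command-line patterns for the two execution methods described in the Payload section.
CMDLINE_PATTERNS = [
    (re.compile(r"rundll32(\.exe)?\s+shell32\.dll,\s*control_rundll\s+.*\\appdata\\.*\.cpl", re.I),
     "Control_RunDLL launching a .cpl under AppData"),
    (re.compile(r"regsvr32\s+/s\s+\"?.*\\appdata\\.*java\.dll", re.I),
     "silent regsvr32 of java.dll under AppData (BHO registration)"),
]

def run_key_findings(entries, hostname):
    """Return (value name, reason) for Run entries matching Peguese.D persistence."""
    host = hostname.lower()
    findings = []
    for name, data in entries:
        n, d = name.lower(), data.lower()
        if re.fullmatch(r"pjct\d+", n) and d.endswith((".cpl", ".exe")):
            findings.append((name, "pjctN Run value"))
        elif re.search(r"\\appdata\\roaming\\[^\\]+\.cpl$", d):
            findings.append((name, "Control Panel applet (.cpl) autostarted from %AppData%"))
        elif d.startswith("c:\\x" + host + "\\"):
            findings.append((name, "autostart from hidden C:\\x<computer name> folder"))
        elif n == host + ".lnk":
            findings.append((name, "<computer name>.lnk Run value"))
    return findings

def cmdline_findings(cmdlines):
    """Return (command line, reason) for process launches matching the payload execution."""
    return [(line, reason) for line in cmdlines
            for pat, reason in CMDLINE_PATTERNS if pat.search(line)]

if __name__ == "__main__":
    for item in run_key_findings(SAMPLE_RUN_ENTRIES, HOSTNAME) + cmdline_findings(SAMPLE_CMDLINES):
        print("SUSPICIOUS:", *item)
```

On a real host, feed the functions the output of a Run-key export and Sysmon/4688 process-creation command lines instead of the constructed samples.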



Analysis by Stefan Sellmer

Last update 28 March 2012
