TrojanDownloader:Win32/Peguese.D
First posted on 28 March 2012.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Peguese.D.
Explanation:
TrojanDownloader:Win32/Peguese.D is a trojan that downloads and executes arbitrary files from a certain website.
Installation
Upon execution, TrojanDownloader:Win32/Peguese.D checks if the default language of the affected computer is Portuguese (Brazil). If this is not the default language, it exits and deletes itself.
If it is the default language, TrojanDownloader:Win32/Peguese.D drops a copy of itself as the file "%AppData%\<computer name>by.exe". It then runs its dropped copy, then deletes itself.
It then creates the following registry entries, which enable its dropped files (see the Payload section below) to run every time Windows starts:
In subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
Sets value: "pjct1"
With data: "%AppData%\pjct1.cpl"
In subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
Sets value: "pjct4"
With data: "%AppData%\pjct4.cpl"
In subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
Sets value: "pjct6"
With data: "C:\x<computer name>\pjct6.exe"
In subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
Sets value: "<computer name>.lnk" - points to "%AppData%\pjct4.cpl"
With data: "%AppData%\<computer name>.lnk"
where "C:\x<computer name>" is a hidden folder.
It also connects to "techgood.net" to notify a remote attacker of its successful installation.
Payload
Downloads other malware
TrojanDownloader:Win32/Peguese.D downloads the following files from "techgood.net":
- pjct1.jpg - detected as TrojanSpy:Win32/Banker.AFE; saved as "%AppData%\pjct1.cpl"
- pjct2.jpg - detected as TrojanSpy:Win32/Banker.AEZ; saved as "%AppData%\pjct2.cpl"
- pjct3.jpg - detected as TrojanSpy:Win32/Banker.ABR; saved as the browser helper object (BHO) "C:\%AppData%\java.dll"
- pjct4.jpg - detected as TrojanSpy:Win32/Banker.AFA; saved as "%AppData%\pjct4.cpl"
- pjct6.jpg - detected as Trojan:Win32/Msposer.A; saved as "C:\x<computer name>\pjct6.exe"
It then runs the .CPL files by running the following command:
RunDLL32.exe Shell32.DLL, Control_RunDLL C:\%AppData%\<file name>.cpl
It also runs the "C:\%AppData%\java.dll" BHO by running the following command:
regsvr32 /s "%AppData%\java.dll"
Additional information
TrojanDownloader:Win32/Peguese.D creates an "%AppData%\ID" file containing the string "techgood.net/v14/muta32/infect/inf2/".
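The following PowerShell sweep is an added example, not part of the Microsoft entry, that checks a host for the persistence entries, dropped files, hidden folder and "ID" marker described above. It assumes the entry's abbreviated key path refers to the standard HKLM\Software\Microsoft\Windows\CurrentVersion\Run key (the Wow6432Node variant is also checked), and that "C:\%AppData%\java.dll" resolves to %AppData%\java.dll.

```powershell
# Added defender check for TrojanDownloader:Win32/Peguese.D artifacts (example, not Microsoft's code).
# Value names, file names and paths are taken from the write-up; key paths are an assumption (see above).
$computerName = $env:COMPUTERNAME
$appData      = $env:APPDATA

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Run values the trojan sets: pjct1, pjct4, pjct6 and "<computer name>.lnk"
$valueNames = @('pjct1', 'pjct4', 'pjct6', "${computerName}.lnk")

# Dropped copy, downloaded .cpl/.dll payloads, shortcut, marker file and hidden-folder payload
$filePaths = @(
    (Join-Path $appData "${computerName}by.exe"),
    (Join-Path $appData 'pjct1.cpl'),
    (Join-Path $appData 'pjct2.cpl'),
    (Join-Path $appData 'pjct4.cpl'),
    (Join-Path $appData 'java.dll'),
    (Join-Path $appData "${computerName}.lnk"),
    (Join-Path $appData 'ID'),
    "C:\x${computerName}\pjct6.exe"
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($name in $valueNames) {
        # -ErrorAction SilentlyContinue returns $null when the value is absent
        $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$name"; Detail = $item.$name }
        }
    }
}

foreach ($path in $filePaths) {
    if (Test-Path -LiteralPath $path) {
        $detail = (Get-Item -LiteralPath $path -Force).Length   # -Force so hidden files are returned
        if ($path -like '*\ID') {
            # The marker file is documented to hold the C2 path string; record it for triage
            $detail = (Get-Content -LiteralPath $path -Raw -ErrorAction SilentlyContinue)
        }
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = $detail }
    }
}

$hiddenDir = "C:\x${computerName}"
if (Test-Path -LiteralPath $hiddenDir) {
    $findings += [pscustomobject]@{ Type = 'Directory'; Location = $hiddenDir; Detail = (Get-Item -LiteralPath $hiddenDir -Force).Attributes }
}

if ($findings.Count -eq 0) { 'No Peguese.D artifacts found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Run from an elevated prompt in the context of the user profile being examined, since %AppData% is resolved per user; treat any hit on the Run values or the hidden "C:\x<computer name>" folder as grounds for a full scan rather than cleaning the single artifact.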
Analysis by Stefan Sellmer
Last update 28 March 2012