Trojan.Cidox.E
First posted on 13 October 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Cidox.E.
Explanation:
Once executed, the Trojan drops a copy of itself to the following location:
%UserProfile%\Application Data\BackUp[VOLUME SERIAL NUMBER].exe
The Trojan creates the following files:
%Temp%\NTFS.sys
%Temp%\L[VOLUME SERIAL NUMBER]
%System%\BOOT.dat (Trojan.Carberp.C)
The Trojan then drops the following legitimate files, which it uses as components and then deletes:
%Temp%\contig.exe
%Temp%\myfault.sys
Next, the Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"BackUp[VOLUME SERIAL NUMBER]" = "%UserProfile%\Application Data\BackUp[VOLUME SERIAL NUMBER].exe"
The Trojan also creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BS[VOLUME SERIAL NUMBER]\"DisplayName" = "BS[VOLUME SERIAL NUMBER]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BS[VOLUME SERIAL NUMBER]\"ImagePath" = "%Temp%\NTFS.sys"
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\B[VOLUME SERIAL NUMBER]\"LP" = "%Temp%\L[VOLUME SERIAL NUMBER]"
HKEY_CURRENT_USER\Software\Sysinternals\C\"EulaAccepted" = "1"
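As an added example (not Symantec's code and not part of the original write-up), the Python below flags the persistence artifacts listed above in registry entries written in the same key\"name" = "value" form, so a registry export can be normalised to that form and scanned. It assumes the [VOLUME SERIAL NUMBER] placeholder is an 8-hex-digit value, and the sample entries (serial 1A2B3C4D, user "bob") are constructed.

```python
import re

# Assumption: the write-up's "[VOLUME SERIAL NUMBER]" placeholder is an
# 8-hex-digit volume serial (e.g. 1A2B3C4D); widen the pattern if needed.
VSN = r"[0-9A-Fa-f]{8}"

# One pattern per registry artifact in the write-up, matched against lines
# in the same key\"name" = "value" form the write-up uses.
INDICATORS = {
    "run_key": re.compile(
        r'\\CurrentVersion\\Run\\"BackUp' + VSN + r'"\s*=\s*".*\\BackUp'
        + VSN + r'\.exe"', re.IGNORECASE),
    "service_imagepath": re.compile(
        r'\\CurrentControlSet\\Services\\BS' + VSN
        + r'\\"ImagePath"\s*=\s*".*\\NTFS\.sys"', re.IGNORECASE),
    "installer_lp": re.compile(
        r'\\Installer\\Products\\B' + VSN + r'\\"LP"\s*=\s*".*\\L'
        + VSN + r'"', re.IGNORECASE),
    "contig_eula": re.compile(
        r'\\Sysinternals\\C\\"EulaAccepted"\s*=\s*"1"', re.IGNORECASE),
}

def find_cidox_indicators(lines):
    """Return (indicator, line) for every line matching a known artifact."""
    hits = []
    for line in lines:
        text = line.strip()
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((name, text))
    return hits

# Constructed sample: four Cidox-style entries using a made-up serial
# 1A2B3C4D, plus two benign entries that must not match.
SAMPLE = [
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"BackUp1A2B3C4D" = "C:\Users\bob\Application Data\BackUp1A2B3C4D.exe"',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"OneDrive" = "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BS1A2B3C4D\"ImagePath" = "C:\Users\bob\AppData\Local\Temp\NTFS.sys"',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfs\"ImagePath" = "system32\drivers\ntfs.sys"',
    r'HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\B1A2B3C4D\"LP" = "C:\Users\bob\AppData\Local\Temp\L1A2B3C4D"',
    r'HKEY_CURRENT_USER\Software\Sysinternals\C\"EulaAccepted" = "1"',
]

if __name__ == "__main__":
    for name, text in find_cidox_indicators(SAMPLE):
        print(f"[{name}] {text}")
```

The EulaAccepted value alone is only a weak signal (any use of the Sysinternals contig tool sets it), so treat it as corroborating the other three rather than as a detection on its own.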
The Trojan then opens a back door on the compromised computer and connects to one or more of the following command-and-control (C&C) servers:
[http://]mediavvads.uk/cgi-bin/200415/post[REMOVED]
[http://]romnsiebabanahujtr.org/cgi-bin/150915/post[REMOVED]
[http://]eliteswingersclub852.com/cgi-bin/020715/post[REMOVED]
The Trojan then gathers the following information from the compromised computer and sends it to the C&C server:
Malware ID
Operating system version
Operating system architecture
File system used on compromised computer
Computer ID [VOLUME SERIAL NUMBER]
Current date and time
Process ID
Parent process ID
Parent process name
Current malware directory
Current user name
Information on running processes
The Trojan also checks running processes for strings related to security software and reports them to the C&C server.
The Trojan also assigns the compromised computer a rating based on several factors such as whether or not it is being debugged or if it is running inside VMware or VirtualPC.
Next, the Trojan modifies the NTFS boot sector's Initial Program Loader (IPL) in order to load malicious code directly from disk.
Note: The modified IPL is detected as Boot.Cidox.
The Trojan will not infect the IPL if one of the following conditions is met:
The computer is encrypted by VeraCrypt, TrueCrypt, or BitLocker
The operating system is Windows Server 2008 or Windows Server 2008 R2
The Trojan may also download potentially malicious files onto the compromised computer.
Last update 13 October 2015