
Trojan.Pandex.AC


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.Pandex.AC.

Explanation :

It is also known as:
"Trojan.Kobcka.x", where "x" represents the version.

Depending on the OS version, it drops the following files (the backslashes below restore paths whose separators were lost in extraction):

%SystemRoot%\System32\drivers\runtime.sys
%SystemRoot%\System32\drivers\secdrv.sys
%SystemRoot%\System32\drivers\ip6fw.sys (overwrites the original driver on Windows XP)
%SystemRoot%\System32\drivers\netdtect.sys

which it registers as services by adding the following subkeys to the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ip6fw
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netdtect

The rootkit components are used to bypass the Windows firewall (on ports 25, 80, 1000 and 3000) and to hide the malware's presence in the registry and on disk. Because ip6fw.sys replaces a legitimate Windows XP driver, the mere presence of that file is not an indicator; compare it against a known-good copy rather than checking only that it exists.

It creates a dummy process by launching:
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE
and then overwrites that process's memory with its own malicious code (process hollowing), so that the malicious activity appears to belong to a legitimate Internet Explorer process and is hidden from the user.

The malware's strings are encrypted with a 16-byte XOR key; they have to be decoded before the paths, service names and addresses listed on this page can be read from the sample.
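As an added illustration (not code from BitDefender, and not the malware's own routine), the following Python shows how an analyst decodes a string table protected with a repeating 16-byte XOR key and how the key itself is recovered from a known plaintext. It assumes the key repeats every 16 bytes across the buffer and that the strings are NUL-terminated; the key value and the string table are constructed for the example, not taken from the sample.

```python
"""Decoding strings protected with a repeating 16-byte XOR key.

Added example: the key, the string table and the NUL-terminated layout
are assumptions constructed for illustration, not data from the sample.
"""

KEY_LEN = 16


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, repeating the key every len(key) bytes.
    The operation is symmetric: applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_strings(strings: list[bytes], key: bytes) -> bytes:
    """Build a NUL-separated string table and encrypt it (the packer side)."""
    table = b"".join(s + b"\x00" for s in strings)
    return xor_bytes(table, key)


def decrypt_strings(blob: bytes, key: bytes) -> list[bytes]:
    """Decrypt a string table and split it back into individual strings."""
    plain = xor_bytes(blob, key)
    return [s for s in plain.split(b"\x00") if s]


def recover_key(blob: bytes, crib: bytes, offset: int) -> bytes:
    """Known-plaintext attack: if `crib` is known to sit at `offset` in the
    decrypted buffer, each crib byte XOR its ciphertext byte yields the key
    byte at position (offset + i) % KEY_LEN. A crib of at least 16 bytes
    covers the whole key; a longer crib cross-checks the repeat assumption."""
    key = bytearray(KEY_LEN)
    seen = [False] * KEY_LEN
    for i, p in enumerate(crib):
        pos = (offset + i) % KEY_LEN
        k = blob[offset + i] ^ p
        if seen[pos] and key[pos] != k:
            raise ValueError(f"crib inconsistent with a {KEY_LEN}-byte repeating key at {pos}")
        key[pos] = k
        seen[pos] = True
    if not all(seen):
        raise ValueError("crib too short to recover every key byte")
    return bytes(key)


# Constructed sample data (assumption, not taken from the malware).
SAMPLE_KEY = bytes.fromhex("3a7c19e45fb2086dc1d39e57a04b6f82")
SAMPLE_STRINGS = [
    b"%ProgramFiles%\\Internet Explorer\\IEXPLORE.EXE",
    b"%SystemRoot%\\System32\\drivers\\runtime.sys",
    b"9_exception.nls",
]
SAMPLE_BLOB = encrypt_strings(SAMPLE_STRINGS, SAMPLE_KEY)


if __name__ == "__main__":
    # The analyst guesses that the table starts with the IE path; a 24-byte
    # crib covers all 16 key positions and recovers the key outright.
    crib = b"%ProgramFiles%\\Internet "
    key = recover_key(SAMPLE_BLOB, crib, 0)
    for s in decrypt_strings(SAMPLE_BLOB, key):
        print(s.decode())
```

In practice the crib is whatever the analyst can predict, such as a file path prefix, an environment variable like %SystemRoot%, or a run of NUL padding between strings, and the consistency check in recover_key is what tells you whether the 16-byte repeat assumption actually holds for the buffer you picked.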

The injected code then downloads additional files from the following IP addresses:

75.125.207.50
75.125.207.82
207.218.237.82
74.53.251.34
208.66.195.71

The downloaded files are saved to the following paths:
%SystemRoot%\System32\(random string)9_exception.nls
%Temp%\(random number).exe

The downloaded component is used to relay and send spam e-mail.

Last update 21 November 2011

 
