SecurityHome.eu Trojan:W32/BotVoice.A

Home / malware PDF

Trojan:W32/BotVoice.A

First posted on 11 July 2007.
Source: SecurityHome
Aliases :
Trojan:W32/BotVoice.A is also known as Trojan.Botvoice, TROJ_BOTVOICE.A.
Explanation :
This Trojan removes program associations for several file types preventing these files from opening. It also makes use of the Microsoft Text-To-Speech (TTS) technology to play a text message as its payload.

Execution and Installation

Upon execution, this destructive Trojan drops the following file:

C:Documents and Settings[User Profile]Application DataMicrosoftSpeechFilesUserLexiconsSP_[random].dat

This non-malicious file is used as part of the Trojan's payload.

It then modifies the following registry keys:

HKEY_CLASSES_ROOTJSFileShellOpenCommand
HKEY_CLASSES_ROOTVBSFileShellOpenCommand
HKEY_CLASSES_ROOTatfileshellopencommand
HKEY_CLASSES_ROOTcomfileshellopencommand
HKEY_CLASSES_ROOTexefileshellopencommand
HKEY_CLASSES_ROOThtmfileshellopencommand
HKEY_CLASSES_ROOThtmlfileshellopencommand
HKEY_CLASSES_ROOTjpgfileshellopencommand
HKEY_CLASSES_ROOTmp3fileshellopencommand
HKEY_CLASSES_ROOTpiffileshellopencommand

By replacing the default values with the following string:

":: Win32Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

Note: These registry keys may be added if they currently do not exist in the system.

The above modifications disable program associations for the following file types preventing the proper execution of such files:

BAT
COM
EXE
HTM
HTML
JPG
JS
MP3
PIF
VBS

It also modifies the default value of following registry key:

HKEY_CLASSES_ROOTserviceCLSID
[Default] = ":: Win32Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

The Trojan sets the following registry entries to disable Task Manager and Registry Editor:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
"DisableRegistryTools" = "1"
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
"DisableTaskMgr" = "1"

By default these values are not present, in which case they are added by the Trojan.

The Trojan then terminates the following processes:

explorer.exe
msnmsgr.exe

File Deletion

The Trojan then attempts to delete all the files in the following directory:

[System Root Directory]
[Windows Directory]ServicePackFilesi386
[Windows Directory]$NtServicePackUninstall$

As well as all the files under the following user directories:

My Video
My Pictures
My Music
My Documents
Desktop

The location of these folders are derived under the following registry key:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders

If a restricted or protected file is encountered, the deletion routine stops for that specific directory.

Payload

The Trojan uses the Microsoft Text-To-Speech (TTS) technology to play the following text:

You has been infected I repeat You has been infected and your system files has been deletes. Sorry Have a Nice Day and bye bye

The Trojan also displays a message box if it is being debugged:

Title: Bea TkMmMmMmM
Message: I ProMise ... I Will Love YoU AlWayS BEa!

Last update 11 July 2007

TOP

Trojan:W32/BotVoice.A

Aliases :

Explanation :

Malware :

Family: