
TrojanDownloader:Win32/Deyjalil.A


First posted on 26 May 2012.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Deyjalil.A is also known as Lilyjade (other).

Explanation:

TrojanDownloader:Win32/Deyjalil.A is a cross-browser plugin that implements the programming framework called Lilyjade. It takes advantage of the CrossRider JavaScript framework to push unwanted content or websites onto the infected system.

TrojanDownloader:Win32/Deyjalil.A is used to hijack ads coming from legitimate websites, such as eBay, Amazon, Blogger, Netflix, Walmart, and Best Buy, and to post messages or other ads to Facebook walls.



Installation

TrojanDownloader:Win32/Deyjalil.A registers its main component as a Browser Helper Object (BHO) so that it runs automatically whenever Internet Explorer is opened. It adds the following registry keys as part of its installation process:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011<random number>}
Sets value: "(default)"
With any of the following data:

  • "Ad-Killer Pro "
  • "Aqori browser extension"
  • "Facebook Lily System "
  • "FBLIX-SOCIAL "
  • "HD Media Codec "
  • "Timeline Remover "
  • "VideoFileDownload "
  • "Windows Update Add-On "


In subkey: HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110011<random number>}
Sets value: "(default)"
With any of the following data:

  • "Ad-Killer Pro "
  • "Aqori browser extension"
  • "Facebook Lily System "
  • "FBLIX-SOCIAL "
  • "HD Media Codec "
  • "Timeline Remover "
  • "VideoFileDownload "
  • "Windows Update Add-On "


In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011<random number>}
Sets value: "(default)"
With data: "crossriderapp000<random number>"

Note that this registry entry may also be used by legitimate applications using the CrossRider JavaScript framework.

TrojanDownloader:Win32/Deyjalil.A may install itself as a browser plugin using any of the following sets of files:

  • Windows Update Add-On plugin:
    • %AppData%\Windows Update Add-On\chrome\Windows Update Add-On.crx
    • %ProgramFiles%\Windows Update Add-On\Windows Update Add-On.dll
    • %ProgramFiles%\Windows Update Add-On\Windows Update Add-On.exe
    • %Temp%\Windows Update Add-On.xpi
  • HD Media Codec plugin:
    • %AppData%\HD Media Codec\chrome\HD Media Codec.crx
    • %ProgramFiles%\HD Media Codec\HD Media Codec.dll
    • %ProgramFiles%\HD Media Codec\HD Media Codec.exe
    • %Temp%\HD Media Codec.xpi
  • Ad-Killer Pro plugin:
    • %AppData%\Noads Popup Blocker\chrome\Noads Popup Blocker.crx
    • %ProgramFiles%\Noads Popup Blocker\Noads Popup Blocker.dll
    • %ProgramFiles%\Noads Popup Blocker\Noads Popup Blocker.exe
    • %Temp%\Noads Popup Blocker.xpi
  • Facebook Lily System plugin:
    • %AppData%\Facebook Lily System\chrome\Facebook Lily System.crx
    • %ProgramFiles%\Facebook Lily System\Facebook Lily System.dll
    • %ProgramFiles%\Facebook Lily System\Facebook Lily System.exe
    • %Temp%\Facebook Lily System.xpi

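As an added, defender-side example that is not part of Microsoft's description, the following Python scans the text of a registry export for the BHO and CLSID indicators listed above; the confidence tiers and the sample export are this example's own constructions.

```python
import re

# Indicators transcribed from the Microsoft description above.
BHO_PARENT = r"\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_PARENT = r"\software\classes\clsid"
DEYJALIL_CLSID = re.compile(r"^\{11111111-1111-1111-1111-110011[0-9a-f]+\}$", re.I)
KNOWN_NAMES = {"ad-killer pro", "aqori browser extension", "facebook lily system",
               "fblix-social", "hd media codec", "timeline remover",
               "videofiledownload", "windows update add-on"}
REG_KEY = re.compile(r"^\[(.+)\]$")      # [HKEY_...\subkey]
REG_DEFAULT = re.compile(r'^@="(.*)"$')  # @="data", i.e. the (default) value

def classify(key, data):
    """Confidence ("high"/"medium"/"low") for one subkey + default value, else None."""
    parent, _, clsid = key.lower().rpartition("\\")
    if not (parent.endswith(BHO_PARENT) or parent.endswith(CLSID_PARENT)):
        return None
    clsid_hit = bool(DEYJALIL_CLSID.match(clsid))
    name = data.strip().lower()  # the listed names carry trailing spaces
    if name in KNOWN_NAMES:
        return "high" if clsid_hit else "medium"
    if clsid_hit:
        # "crossriderapp000<n>" under this CLSID pattern is also written by
        # legitimate CrossRider apps, so the pattern alone is low confidence.
        return "low"
    return None

def scan_reg_export(text):
    """Walk a .reg-style export and return (confidence, key, data) findings."""
    findings, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := REG_KEY.match(line):
            key = m.group(1)
        elif key and (m := REG_DEFAULT.match(line)):
            if level := classify(key, m.group(1)):
                findings.append((level, key, m.group(1)))
    return findings

# Constructed sample export (not from a real host): a listed plugin name, a
# generic CrossRider entry under the Deyjalil CLSID pattern, and a benign BHO.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011482913}]
@="HD Media Codec "
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110011772211}]
@="crossriderapp000772211"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
@="Example Toolbar"
"""
```

On a real host, feed it the text of a `reg export` of the two parent keys, decoding the file as UTF-16 first since reg.exe writes that encoding.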

Payload

Opens websites

TrojanDownloader:Win32/Deyjalil.A opens websites that contain ads or surveys, for example:



Runs arbitrary code

TrojanDownloader:Win32/Deyjalil.A runs arbitrary code that it downloads over the Internet. It has been known to connect to the following servers to download code:

  • charzard.in
  • iduomoudi.info
  • inextremi5.com
  • ogkoz.in
  • rhydon.in


Some of the downloaded code has been found to be capable of automatically posting messages on the Walls of a logged-on user's Facebook friends.



Analysis by Zarestel Ferrer

Last update 26 May 2012
