
Trojan.Antavmu.B


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.Antavmu.B is also known as VirTool:Win32/CeeInject.gen!AA, Win32:Muldrop-BH.

Explanation :

The malware creates a hidden folder "%appdata%\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH", copies the original malware there as "winlogon.exe" and triggers its execution.

The original malware executable is afterwards deleted. Two threads are created which try to terminate processes that might impair the virus' activity. Some examples are:

"F-PROT.EXE", "PUSCAN.EXE", "NSUTILITY.EXE", "KAVSTART.EXE", "UPDATE.EXE", "FILEMONSV.EXE", "NOD32KRN.EXE", "LORDPE.EXE", "PROCDUMP.EXE", etc.

The virus makes use of named mutexes ("fTs0SAP2fZCeUpaog", ...) to check its in-memory status from different potential concurrent threads.

It also contains protection mechanisms against debugging and virtual-machine emulation. The virus writes into the memory of "explorer.exe" and creates a remote thread there, which reloads the malware if it is terminated.

The trojan opens a communication port (60500) and attempts to send packets to, and receive commands from, the following IRC hostnames:

s0ur***********r.net
jeste***********.net
nig************.com

Registry operations:

"HKCU+HKLM\Software\Microsoft\Active Setup\Installed Components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}"

StubPath -> "C:\Documents and Settings\jimko\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"

"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

ClassicViewState -> 0x00000001
Hidden -> 0x00000002
ShowSuperHidden -> 0x00000000
SuperHidden -> 0x00000000

"HKCU+HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

NoFolderOptions -> 0x00000001
NoRun -> 0x00000001

"HKCU+HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

Windows Login Assistance -> "C:\Documents and Settings\jimko\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"

All other programs are removed from the startup registry key.

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"

DisableSR -> 0x00000001
DisableConfig -> 0x00000001

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"

DisableCMD -> 0x00000001
DisableRegistryTools -> 0x00000001
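The registry changes listed above are a useful detection surface for an incident responder: a winlogon.exe autostart outside the Windows system directory, Explorer forced to hide files, and policy values that lock the user out of cmd.exe, regedit, Folder Options and System Restore. The script below, an added illustration that is not part of the BitDefender write-up, walks a registry snapshot and flags exactly those conditions. The snapshot format (a list of key path, value name, data tuples) is a constructed stand-in for a registry export; the sample entries reuse the paths and values from this page plus two constructed benign entries as controls.

```python
"""Flag the registry modifications described for Trojan.Antavmu.B.

Added example, not BitDefender's code. The snapshot is a constructed
list of (key_path, value_name, data) tuples standing in for a
registry export; the scanner is generic over hive and case.
"""
import re

# Lock-out policies the write-up says the trojan sets to 1
# (subkey path without hive, lowercase -> value names of interest).
TAMPER_POLICIES = {
    r"software\microsoft\windows\currentversion\policies\explorer":
        {"NoFolderOptions", "NoRun"},
    r"software\microsoft\windows nt\currentversion\systemrestore":
        {"DisableSR", "DisableConfig"},
    r"software\microsoft\windows\currentversion\policies\system":
        {"DisableCMD", "DisableRegistryTools"},
}

# Autostart locations used by the sample (prefix match on the subkey).
AUTOSTART_KEYS = (
    r"software\microsoft\active setup\installed components",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)

# The real winlogon.exe lives in the system directory; anything else
# named winlogon.exe that is autostarted is suspect.
LEGIT_WINLOGON = re.compile(r"^[a-z]:\\windows\\system32\\winlogon\.exe$", re.I)


def strip_hive(key_path):
    """Drop the hive prefix (HKCU, HKLM, HKCU+HKLM, ...) and lowercase."""
    parts = key_path.split("\\", 1)
    return parts[1].lower() if len(parts) == 2 else key_path.lower()


def scan_snapshot(entries):
    """Return one finding string per entry that matches the described behaviour."""
    findings = []
    for key, name, data in entries:
        sub = strip_hive(key)

        # 1. Policy values that disable Run, Folder Options, cmd, regedit, System Restore.
        names = TAMPER_POLICIES.get(sub)
        if names and name in names and data == 1:
            findings.append(f"policy tamper: {key}\\{name} = {data}")

        # 2. Autostart entry pointing at a winlogon.exe outside System32.
        if isinstance(data, str) and data.lower().endswith("winlogon.exe"):
            path = data.strip('"')
            if any(sub.startswith(k) for k in AUTOSTART_KEYS) and not LEGIT_WINLOGON.match(path):
                findings.append(f"rogue winlogon.exe autostart: {key}\\{name} -> {path}")

        # 3. Explorer forced not to show hidden / protected OS files.
        if sub.endswith(r"explorer\advanced") and (
            (name == "Hidden" and data == 2) or (name == "ShowSuperHidden" and data == 0)
        ):
            findings.append(f"hidden-file view suppressed: {key}\\{name} = {data}")
    return findings


# Constructed snapshot: page values plus two benign control entries.
DROPPED = (r"C:\Documents and Settings\jimko\Application Data"
           r"\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe")
SAMPLE = [
    (r"HKLM\Software\Microsoft\Active Setup\Installed Components"
     r"\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}", "StubPath", DROPPED),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "Windows Login Assistance", DROPPED),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 2),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", 0),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun", 1),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR", 1),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "DisableRegistryTools", 1),
    # constructed benign controls: a normal Run entry and the default "Hidden" setting
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 1),
]

if __name__ == "__main__":
    for finding in scan_snapshot(SAMPLE):
        print(finding)
```

Matching on the subkey after stripping the hive is deliberate: the write-up records several keys under both HKCU and HKLM, and a real export will show them as separate hives. The winlogon.exe rule keys on the path, not the GUID, because the Active Setup component GUID is sample-specific while a winlogon.exe autostarted from a profile directory is suspicious regardless of which entry points at it.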

Last update 21 November 2011
