TrojanDropper:Win32/Ropest.A
First posted on 05 November 2014.
Source: Microsoft
Aliases:
There are no other names known for TrojanDropper:Win32/Ropest.A.
Explanation:
Threat behavior
Installation
We have seen this threat installed by exploits such as CVE-2014-0569.
TrojanDropper:Win32/Ropest.A drops an executable file to %APPDATA%\Microsoft\Windows\IEUpdate.
It uses a file name randomly selected from the files under the directory, for example %APPDATA%\Microsoft\Windows\IEUpdate\blastcln.exe.
On 32-bit systems, the dropped file is detected as Trojan:Win32/Ropest.G. On 64-bit systems, it is detected as Trojan:Win64/Ropest.G.
It modifies multiple system settings to make sure the dropped executable is run. For example:
- In subkey: HKEY_CURRENT_USER\Control Panel\Desktop
  Sets value: "SCRNSAVE.EXE"
  With data: "", for example %APPDATA%\Microsoft\Windows\IEUpdate\blastcln.exe
- In subkey: HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  Sets value: "Autorun"
  With data: "", for example %APPDATA%\Microsoft\Windows\IEUpdate\blastcln.exe
- In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  Sets value: "Run"
  With data: "", for example %APPDATA%\Microsoft\Windows\IEUpdate\blastcln.exe
- In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Sets value: "", for example "blastcln"
  With data: "", for example %APPDATA%\Microsoft\Windows\IEUpdate\blastcln.exe
- In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Sets value: "", for example "blastcln"
  With data: "", for example %APPDATA%\Microsoft\Windows\IEUpdate\blastcln.exe
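The five HKCU locations above (repeated under Symptoms below) are all that this entry documents, so a host check can be written directly from them. The following PowerShell script is an added example, not Microsoft's own code; it assumes it is run as the user whose HKCU hive is being inspected, and it flags any of those values whose data points into the IEUpdate drop folder, then lists whatever files sit there.

```powershell
# Added detection check (not Microsoft's code): inspect the five HKCU locations
# this entry lists and flag any value whose data points into the IEUpdate drop folder.
$DropDir = Join-Path $env:APPDATA 'Microsoft\Windows\IEUpdate'

# Locations from the write-up. For Run/RunOnce the value name is random, so every
# value under those keys is examined; the other three have a fixed value name.
$Checks = @(
    @{ Key = 'HKCU:\Control Panel\Desktop';                                       Name = 'SCRNSAVE.EXE' },
    @{ Key = 'HKCU:\Software\Microsoft\Command Processor';                        Name = 'Autorun' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'Run' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';           Name = $null }
)

function Get-RopestIndicators {
    $hits = @()
    foreach ($c in $Checks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        $props = Get-ItemProperty -LiteralPath $c.Key
        # When enumerating a whole key, skip PowerShell's own PS* metadata properties.
        $names = if ($c.Name) { @($c.Name) } else {
            @($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })
        }
        foreach ($n in $names) {
            $data = $props.$n
            if ($null -eq $data) { continue }
            # Expand %APPDATA% in case the data was stored as REG_EXPAND_SZ text.
            $expanded = [Environment]::ExpandEnvironmentVariables([string]$data)
            if ($expanded -like "$DropDir*") {
                $hits += [pscustomobject]@{ Key = $c.Key; Name = $n; Data = $expanded }
            }
        }
    }
    return $hits
}

$found = Get-RopestIndicators
if ($found) {
    Write-Warning 'Ropest.A-style persistence found (dropped file is detected as Trojan:Win32/Ropest.G, or Win64 on 64-bit):'
    $found | Format-Table -AutoSize
    # List the dropped files as well so they can be hashed and quarantined.
    Get-ChildItem -LiteralPath $DropDir -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
} else {
    Write-Host 'No Ropest.A registry indicators found under HKCU.'
}
```

Because the file name is chosen at random, match on the IEUpdate directory rather than on blastcln.exe; the directory itself existing under %APPDATA%\Microsoft\Windows is worth treating as suspicious even when the registry values are clean.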
Payload
Drops other malware
This threat installs other malware from the Win32/Ropest family.
Analysis by Chun Feng
Symptoms
The following can indicate that you have this threat on your PC:
- You see these entries or keys in your registry:
  - In subkey: HKEY_CURRENT_USER\Control Panel\Desktop
    Sets value: "SCRNSAVE.EXE"
    With data: "", for example %APPDATA%\Microsoft\Windows\IEUpdate\blastcln.exe
  - In subkey: HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    Sets value: "Autorun"
    With data: "", for example %APPDATA%\Microsoft\Windows\IEUpdate\blastcln.exe
  - In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Sets value: "Run"
    With data: "", for example %APPDATA%\Microsoft\Windows\IEUpdate\blastcln.exe
  - In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "", for example "blastcln"
    With data: "", for example %APPDATA%\Microsoft\Windows\IEUpdate\blastcln.exe
  - In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value: "", for example "blastcln"
    With data: "", for example %APPDATA%\Microsoft\Windows\IEUpdate\blastcln.exe

Last update 05 November 2014