Trojan-Downloader:W32/Streedom.A arrives to the system as an embedded binary executable file from within a malicious .RTF file, which is detected as Trojan:W97M/Streedom.A.

Upon execution of the embedded file, it will drop a copy of itself in the following path and file name:

• %sysdir%linkuyy.exe

To enable automatic execution upon boot up, Trojan-Downloader:W32/Streedom.A adds the following auto start registry entry:

• HKCUSoftwareMicrosoftWindowsCurrentVersionRun
  linkyuu = %sysdir%linkuyy.exe
  

Trojan-Downloader:W32/Streedom.A creates this file and then deletes it again:

• c:ali.html

Note: this is a hard coded string

Trojan-Downloader:W32/Streedom.A uses the default Internet Browser installed on the system to download Trojan-Dropper:W32/Streedom.A. In order to do this, it creates a process for the browser and then injects itself. Afterwards, it will remotely trigger a thread that contains the main payload, which is the download routine.

Trojan-Downloader:W32/Streedom.A will only start downloading if an Internet Connection is available. Internet availability is checked by establishing a connection to the following site:

• http://www.google.com

If an Internet connection is unavailable, it will infinitely try establishing a connection every 10000 ms or 10 seconds.

Here is the URL from where it downloads Trojan-Dropper:W32/Streedom.A:

• http://www.nightcrossings.com/g[REMOVED]/inv.exe

The downloaded file is saved and executed in the following path and filename:

• %windir% nc.exe

The creator of this malware uses message boxes to debug this program.

This message box for instance, shows up when it fails to launch a process of the default browser:



Here are more of the other message boxes:











This malware has been packed with FSG 2.0.

Last update 30 March 2007

 

TOP