Symptoms
Presence of a key named "DomainService" in "HKLM\System\CurrentControlSet\Services".
Appearance of a process running with system-service rights and carrying the description "DDC".
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Daniel Chipiristeanu, virus researcher
Technical Description:
Trojan.Fotomoto.E is a trojan with adware components that monitors popup activity.
If installed, the malware performs the following actions on your computer:
a) It works with randomly named files in the "%windows%\temp" directory and connects to an internet server, reporting some basic information about your computer, which is stored in a database on that server (23.244.141.***).
b) It modifies the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"SFCDisable" = "4"
This stops Windows File Protection from giving notification when system files are replaced and from logging those events.
c) It creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\db_number
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\domains_list
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\installation_id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\internal_affiliate_id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\next_url_post_time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\user_id
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Description with value "DomainService"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\DisplayName with value "DomainService"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\FailureActions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\ImagePath with the path of the executed malware as its value
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Security
d) It creates a process that runs as a service and registers an event so that, if its process is closed, it restarts itself, thus changing its process ID.
e) It downloads another malware component to "%Temp%\aupddc.exe" and registers it under the "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" registry key, so it is executed when Windows starts.
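To turn the indicators above into a check, the following PowerShell script (an added example, not BitDefender's own tooling) reads the registry, file and service artifacts this description lists and reports whatever it finds. It assumes the key names, value names and file path exactly as given here, and is read-only.

```powershell
# Read-only check for the Trojan.Fotomoto.E artifacts described above.
# It reports findings only; disinfection is left to the antivirus product.
$findings = @()

# c) Service and configuration keys named "DomainService"
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\DomainService',
    'HKLM:\SOFTWARE\Microsoft\DomainService'
)
foreach ($key in $serviceKeys) {
    if (Test-Path $key) {
        $findings += "Registry key present: $key"
        $imagePath = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        if ($imagePath) { $findings += "  ImagePath: $imagePath" }
    }
}

# b) Windows File Protection notifications disabled via SFCDisable = 4
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = (Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
if ($null -ne $sfc -and $sfc -ne 0) {
    $findings += "SFCDisable is set to $sfc (expected 0)"
}

# e) Downloaded component registered in the per-user Run key and dropped in %Temp%
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $run.PSObject.Properties.Name) {
        $value = [string]$run.$name
        if ($value -match 'aupddc\.exe') { $findings += "Run entry '$name' points to: $value" }
    }
}
$dropped = Join-Path $env:TEMP 'aupddc.exe'
if (Test-Path $dropped) { $findings += "File present: $dropped" }

# d) and Symptoms: a registered DomainService service and a process described as "DDC"
$svc = Get-Service -Name DomainService -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service 'DomainService' status: $($svc.Status)" }
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Description -eq 'DDC' } |
    ForEach-Object { $findings += "Process with description 'DDC': PID $($_.Id) ($($_.ProcessName))" }

if ($findings.Count -eq 0) { 'No Trojan.Fotomoto.E indicators found.' } else { $findings }
```

Run it from an elevated PowerShell session so the HKLM keys and process descriptions are readable.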