Trojan.Pandex.AC

Spreading: low
Damage: medium
Size: 28kb
Discovered: 2008 Jan 13

SYMPTOMS:

Increased network activity.

TECHNICAL DESCRIPTION:

It is also known as:
"Trojan.Kobcka.x", where "x" represents the version.

Depending on the OS version, it drops one or more of the following files:

%SystemRoot%\System32\drivers\runtime.sys
%SystemRoot%\System32\drivers\secdrv.sys
%SystemRoot%\System32\drivers\ip6fw.sys (overwrites the original one in Windows XP)
%SystemRoot%\System32\drivers\netdtect.sys

which it registers as services by adding the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ip6fw
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netdtect

The rootkit components are used to bypass the Windows Firewall (on ports 25, 80, 1000 and 3000) and to hide its presence in the registry and on disk.

It creates a dummy process by loading:
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE
and then overwrites that process's memory with its own malicious code in order to hide itself from the user.

The strings inside the malware are encrypted with a 16-byte XOR key.

The injected code then downloads additional files from the following IP addresses:

75.125.207.50
75.125.207.82
207.218.237.82
74.53.251.34
208.66.195.71

The downloaded files are saved to the following paths:
%SystemRoot%\System32\(random string)9_exception.nls
%Temp%\(random number).exe

The downloaded file is used to relay and send spam e-mail.
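As an added example (not part of the advisory and not BitDefender's tooling), the indicators above turned into a small host-triage check: it walks a list of endpoint events (file writes, registry key creation, network connections) and flags the dropped driver paths, the four service keys, the download hosts, the "9_exception.nls" payload and an IEXPLORE.EXE process talking on the spam-relay ports. The event dictionary format and the sample telemetry are constructed for the demo.

```python
import re

# Indicators from the advisory, matched on the lower-cased path tail so an expanded %SystemRoot% still matches.
DRIVER_TAILS = tuple(r"\system32\drivers\%s.sys" % n
                     for n in ("runtime", "secdrv", "ip6fw", "netdtect"))
SERVICE_ROOT = r"hkey_local_machine\system\currentcontrolset\services"
SERVICE_NAMES = {"runtime", "secdrv", "ip6fw", "netdtect"}
DOWNLOAD_IPS = {"75.125.207.50", "75.125.207.82", "207.218.237.82",
                "74.53.251.34", "208.66.195.71"}
# The advisory names ports 25, 80, 1000 and 3000; 80 is left out because a browser on 80 is normal.
ODD_BROWSER_PORTS = {25, 1000, 3000}
PAYLOAD_NLS = re.compile(r"\\system32\\[^\\]*9_exception\.nls$", re.IGNORECASE)

def assess(events):
    """Return (rule, detail) hits, in event order, for a list of event dicts."""
    hits = []
    for ev in events:
        if ev["type"] == "file_write":
            path = ev["path"]
            if path.lower().endswith(DRIVER_TAILS):
                # ip6fw.sys is a legitimate XP file: only a write to it is suspicious
                hits.append(("driver_drop", path))
            elif PAYLOAD_NLS.search(path):
                hits.append(("payload_nls", path))
        elif ev["type"] == "reg_create":
            parent, _, name = ev["key"].lower().rpartition("\\")
            if parent == SERVICE_ROOT and name in SERVICE_NAMES:
                hits.append(("rootkit_service", ev["key"]))
        elif ev["type"] == "net_connect":
            if ev["dst_ip"] in DOWNLOAD_IPS:
                hits.append(("known_download_host", ev["dst_ip"]))
            elif (ev["image"].lower().endswith("\\iexplore.exe")
                  and ev["dst_port"] in ODD_BROWSER_PORTS):
                hits.append(("browser_unusual_port",
                             "%s:%d" % (ev["dst_ip"], ev["dst_port"])))
    return hits

# Constructed sample telemetry (not real data); IPs outside the advisory's list are TEST-NET addresses.
IE = r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
SAMPLE_EVENTS = [
    {"type": "net_connect", "image": IE, "dst_ip": "192.0.2.10", "dst_port": 80},
    {"type": "file_write", "path": r"C:\WINDOWS\system32\drivers\ip6fw.sys"},
    {"type": "reg_create", "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ip6fw"},
    {"type": "net_connect", "image": IE, "dst_ip": "75.125.207.82", "dst_port": 80},
    {"type": "net_connect", "image": IE, "dst_ip": "198.51.100.7", "dst_port": 25},
    {"type": "file_write", "path": r"C:\WINDOWS\system32\kq3f9_exception.nls"},
]
```

A match on the ip6fw.sys path alone is not proof on Windows XP, where the file legitimately exists; confirm with a hash or signature check of the on-disk driver before acting on that single hit.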

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Marusceac Claudiu Florin, virus researcher