SHARE
THIS ON

Facebook Twitter Google Plus

Trojan.Antavmu.B

MEDIUM
MEDIUM
133 KB
(VirTool:Win32/CeeInject.gen!AA, Win32:Muldrop-BH)

Symptoms

The following files are present after infection:

  • "%appdata%\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"
  • "%appdata%\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\desktop.ini"

The file "desktop.ini" has the following structure, which enables the containing folder to have a deceiving recycle bin type icon:

  • [.ShellClassInfo]
  • CLSID={645FF040-5081-101B-9F08-00AA002F954E}

Another visible symptom is the sudden termination of antiviruses, firewalls or diverse process and file monitoring software.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Bogdan Sachelarie, virus researcher

Technical Description:

The malware creates a hidden folder "%appdata%\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\" where it copies the original malware as "winlogon.exe" and it triggers it's execution.

The original malware executable is afterwards deleted. Two threads are created which try to terminate processes that might impair the virus' activity. Some examples are:

  • "F-PROT.EXE","PUSCAN.EXE","NSUTILITY.EXE",
  • "KAVSTART.EXE","UPDATE.EXE","FILEMONSV.EXE"
  • "NOD32KRN.EXE","LORDPE.EXE","PROCDUMP.EXE",etc.

The virus makes use of named mutexes ("fTs0SAP2fZCeUpaog", ...) to check it's in-memory status from different potential concurrent threads.

It also contains protection mechanisms against debugging and virtual machine emulation. The virus writes the memory of "explorer.exe", where it creates a remote thread, which reloads the malware if it's terminated.

The trojan opens a communication port (60500) and attempts to send packages and receive commands from the following IRC hostnames:

  • s0ur***********r.net
  • jeste***********.net
  • nig************.com

Registry operations:

"HKCU+HKLM\Software\Microsoft\ActiveSetup\Installed Components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}"

  • StubPath -> "C:\Documents and Settings\njimko\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"

"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

  • ClassicViewState -> 0x00000001
  • Hidden -> 0x00000002
  • ShowSuperHidden -> 0x00000000
  • SuperHidden -> 0x00000000

"HKCU+HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

  • NoFolderOptions -> 0x00000001
  • NoRun -> 0x00000001

"HKCU+HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

  • Windows Login Assistance -> "C:\Documents and Settings\njimko\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"
  • all other programs are removed from the startup registry

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"

  • DisableSR -> 0x00000001
  • DisableConfig -> 0x00000001

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"

  • DisableCMD -> 0x00000001
  • DisableRegistryTools -> 0x00000001
Antivirus Software For Home Users
Business Security Solutions
Latest News
Tools & Resources