Trojan.Downloader.3069.A

HIGH
MEDIUM
133232 bytes unpacked
(TR/Dldr.Agent.3069 Troj/Agent-EL Trojan.Downloader.3069 TROJ_AGENT.GC )

Symptoms

Presence of the following entries in the registry:
  • HKCR\retro64_loader.R64Loader
  • HKCR\retro64_loader.R64Loader.1
  • HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}
  • HKCR\TypeLib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7}
  • HKCR\Interface\{450B9E4D-4014-4DE3-B34E-014A81468293}

For the registry key HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}, the subkey InProcServer32\(Default) will be set to the full path to the trojan. For example, one can have
HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}\InProcServer32\(Default) = %Windir%\System32\aaa.dll
where aaa.dll is Trojan.Downloader.3069.A.

NOTE:
  • by HKCR we mean HKEY_CLASSES_ROOT
  • the entries above can be searched for using the regedit utility (open Start->Run, type regedit).



Removal instructions:


Please boot your machine in Safe Mode and perform the following:

 1. Check the following registry entry (by using regedit or any registry editing utility):
  • HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}\InProcServer32\(Default)
Its value represents the full path to the trojan.
Please delete that file.

 2. Delete the following registry entries (by using regedit or any registry editing utility):

  • HKCR\retro64_loader.R64Loader.1
  • HKCR\retro64_loader.R64Loader
  • HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}
  • HKCR\TypeLib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7}
  • HKCR\Interface\{450B9E4D-4014-4DE3-B34E-014A81468293}
After these steps, please reboot your machine in Normal mode and perform a full system scan.
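The following PowerShell script is an added example, not part of the original advisory, that reports the registry footprint listed under Symptoms and resolves the DLL path from step 1 so it can be checked before removal; the function and variable names are the example's own, and it assumes it is run from an elevated PowerShell session.

```powershell
# Added example: report the COM registration entries listed above and the
# InProcServer32 path they point at. Read-only; removal is left to the steps
# in the advisory. HKCR has no default PSDrive, so the Registry:: provider is used.
$Clsid = '{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}'
$Keys = @(
    'Registry::HKEY_CLASSES_ROOT\retro64_loader.R64Loader',
    'Registry::HKEY_CLASSES_ROOT\retro64_loader.R64Loader.1',
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{450B9E4D-4014-4DE3-B34E-014A81468293}'
)

function Get-R64LoaderFootprint {
    # Returns one record per key: whether it exists and, for the CLSID key,
    # the expanded InProcServer32 path and whether that file is still on disk.
    foreach ($k in $Keys) {
        $present = Test-Path -LiteralPath $k
        $dll = $null
        $dllOnDisk = $null
        if ($present -and $k -like "*CLSID\$Clsid") {
            $srv = "$k\InProcServer32"
            if (Test-Path -LiteralPath $srv) {
                $raw = (Get-ItemProperty -LiteralPath $srv).'(default)'
                if ($raw) {
                    # The value may be stored unexpanded, e.g. %Windir%\System32\aaa.dll
                    $dll = [Environment]::ExpandEnvironmentVariables($raw)
                    $dllOnDisk = Test-Path -LiteralPath $dll
                }
            }
        }
        [pscustomobject]@{
            Key            = $k
            Present        = $present
            InProcServer32 = $dll
            DllOnDisk      = $dllOnDisk
        }
    }
}

Get-R64LoaderFootprint | Format-Table -AutoSize
```

A clean machine shows Present = False for every key; any True row, or an InProcServer32 path whose file exists, is the condition the removal steps above address.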

Analyzed by

Dan Lutas, virus researcher

Technical description:

Trojan.Downloader.3069.A is an adware-related DLL. To install on the victim computer, it must be called from another application (such as adware). When called for the first time, it registers itself as a COM object by creating the following registry entries:
  • HKCR\retro64_loader.R64Loader.1
  • HKCR\retro64_loader.R64Loader
  • HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}
  • HKCR\TypeLib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7}
  • HKCR\Interface\{450B9E4D-4014-4DE3-B34E-014A81468293}
Now, any application knowing the CLSID, TypeLib and Interface defined above can access the trojan.
Trojan.Downloader.3069.A can download (on behalf of the application calling it) files from specific URLs via HTTP on port 80. After the file is downloaded, it is executed on the client's machine.

As such, an application (usually adware) can download and execute other malware on the client machine by using this trojan.