
Trojan:Win32/Claretore.gen!A


First posted on 06 March 2012.
Source: Microsoft

Aliases :

Trojan:Win32/Claretore.gen!A is also known as W32/Suspicious_Gen4.FODP (Norman), Trojan.DR.Injector!kJysQl/Ol0Q (VirusBuster), Trojan horse Dropper.Generic5.ZMQ (AVG), TR/Crypt.XPACK.Gen (Avira), Trojan.Heur2.LVP.fmKfamr52@f (BitDefender), Trojan.Inject.62720 (Dr.Web), Win32/Agent.TFL trojan (ESET), Trojan-Downloader.Win32.Claretore (Ikarus), Trojan-Dropper.Win32.Injector.cjvc (Kaspersky).

Explanation :

Trojan:Win32/Claretore.gen!A is a generic detection for a trojan that injects malicious code into Windows processes, and may potentially monitor the affected user's activity and send stolen information to a remote website.

Installation

When run, it drops a copy of itself into the %USERPROFILE% folder under a randomly generated file name derived from the affected computer's information (for example, volume information, computer name, user name), with the 'hidden' and 'system' attributes set. It then renames itself to %Temp%\<random>.tmp, using a random file name; this file is deleted once installation completes.

It then modifies the registry to ensure that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update Server"
With data: "%USERPROFILE%\<random>.exe"

It may delete itself after installation via the MoveFileEx() API, which in effect modifies the following registry entry:

In subkey: HKLM\Machine\System\CurrentControlSet\Control\Session Manager
Sets value: "PendingFileRenameOperations"
With data: "%Temp%\<random>.tmp"

It creates several threads that monitor its components, such as its registry entries and dropped files, and protect them from changes, by calling the RegNotifyChangeKeyValue() and ReadDirectoryChangesW() APIs.
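The installation steps above leave three host artifacts a defender can check for: a hidden+system executable dropped straight into the profile root, the Run-key value, and a queued delete of a %Temp%\*.tmp file. The following PowerShell script is an added example written for this page, not code from Microsoft's write-up. The value name "Windows Update Server", the %USERPROFILE% drop location and the %Temp%\<random>.tmp rename come from the description; the function name, the output format and the generalised "any Run entry pointing directly into the profile root" check are this script's own assumptions.

```powershell
# Added example, not part of the Microsoft write-up. Run from an elevated prompt.
# Assumed names: Find-ClaretoreArtifacts and the Check labels are this script's own.

function Find-ClaretoreArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Hidden + system .exe files dropped directly into the profile root.
    #    -Force is required for Get-ChildItem to return hidden/system items.
    Get-ChildItem -Path $env:USERPROFILE -File -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
        } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check  = 'HiddenSystemExeInProfile'
                Detail = $_.FullName
            })
        }

    # 2. Run-key persistence: flag the exact value name the malware uses and, as a
    #    generalisation (assumption), any Run entry whose command sits in %USERPROFILE% itself.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        $profileRootExe = [regex]::Escape($env:USERPROFILE) + '\\[^\\]+\.exe'
        foreach ($prop in $run.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider; skip those.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            if ($prop.Name -eq 'Windows Update Server' -or $cmd -imatch $profileRootExe) {
                $findings.Add([pscustomobject]@{
                    Check  = 'RunKeyEntry'
                    Detail = "$($prop.Name) = $cmd"
                })
            }
        }
    }

    # 3. Self-deletion queued through MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT).
    #    PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs;
    #    an empty destination means "delete at next boot". Paths carry a \??\ prefix.
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pending) {
        for ($i = 0; $i -lt $pending.Count; $i += 2) {
            $src = $pending[$i]
            $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
            if ($dst -eq '' -and $src -imatch '\\Temp\\[^\\]+\.tmp$') {
                $findings.Add([pscustomobject]@{
                    Check  = 'PendingDeleteOfTempTmp'
                    Detail = $src
                })
            }
        }
    }

    return $findings
}

$results = Find-ClaretoreArtifacts
if ($results.Count -eq 0) {
    Write-Output 'No Claretore-style installation artifacts found.'
} else {
    $results | Format-Table -AutoSize
}
```

The PendingFileRenameOperations check is the most time-sensitive of the three: the value is consumed and cleared by Session Manager at the next boot, so it is only visible between installation and the first reboot. The Run-key and dropped-file checks persist and are the ones worth scheduling.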



Payload

Injects code

Trojan:Win32/Claretore.gen!A injects code into explorer.exe and one or more of the following system processes:

  • csrss.exe
  • winlogon.exe
  • services.exe
  • lsass.exe
  • svchost.exe

Additional information

The malware code suggests that it could potentially monitor the user's activity and send stolen information to a remote site for further malicious purposes. Trojan:Win32/Claretore.gen!A may contact the following remote websites for that purpose:

  • fra07s07-in-f108.com
  • hardymaster999.com
  • powerdsuite13.com
  • stronggzt-sentinel.com
  • ty120e-terav.com
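The domains above are the network indicators for this detection. The following PowerShell script is an added example written for this page, not Microsoft's own tooling: it walks the local DNS resolver cache and the hosts file and reports any entry matching one of the listed domains or a subdomain of it. The domain list is taken from the write-up; the function names are this script's own, and checking the hosts file is a general precaution, not something the write-up says this family does. Get-DnsClientCache needs the DnsClient module (Windows 8 / Server 2012 or later), and the cache is short-lived, so an empty result does not clear a host.

```powershell
# Added example, not part of the Microsoft write-up.
# Domain list from the write-up; function names are this script's own assumptions.

$ClaretoreDomains = @(
    'fra07s07-in-f108.com',
    'hardymaster999.com',
    'powerdsuite13.com',
    'stronggzt-sentinel.com',
    'ty120e-terav.com'
)

function Test-ClaretoreDomain {
    param([string]$Name, [string[]]$Domains = $ClaretoreDomains)
    # Returns the matching listed domain when $Name is that domain or a subdomain of it
    # (e.g. www.hardymaster999.com), otherwise $null. A trailing dot (FQDN form) is ignored.
    $n = $Name.TrimEnd('.')
    foreach ($d in $Domains) {
        if ($n -ieq $d -or $n -ilike "*.$d") { return $d }
    }
    return $null
}

function Find-ClaretoreDnsIndicators {
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Resolver cache: one object per cached record, queried name in .Entry.
    Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
        $match = Test-ClaretoreDomain -Name $_.Entry
        if ($match) {
            $hits.Add([pscustomobject]@{
                Source = 'DnsClientCache'; Name = $_.Entry; Data = $_.Data; Domain = $match
            })
        }
    }

    # 2. hosts file: "<ip> <name> [<name>...]", with '#' starting a comment.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hostsPath) {
        Get-Content $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
            $line = ($_ -split '#')[0].Trim()
            if (-not $line) { return }
            $fields = $line -split '\s+'
            if ($fields.Count -lt 2) { return }
            foreach ($hostname in $fields[1..($fields.Count - 1)]) {
                $match = Test-ClaretoreDomain -Name $hostname
                if ($match) {
                    $hits.Add([pscustomobject]@{
                        Source = 'HostsFile'; Name = $hostname; Data = $fields[0]; Domain = $match
                    })
                }
            }
        }
    }

    return $hits
}

$dnsHits = Find-ClaretoreDnsIndicators
if ($dnsHits.Count -eq 0) {
    Write-Output 'No listed Claretore domains in the DNS cache or hosts file.'
} else {
    $dnsHits | Format-Table -AutoSize
}
```

For fleet-wide coverage the same Test-ClaretoreDomain matching is better applied to DNS server or proxy logs than to the per-host cache, since the cache only reflects recent lookups on that one machine.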




Analysis by Rex Plantado

Last update 06 March 2012
