
Trojan:BAT/Stratork.M


First posted on 21 February 2013.
Source: Microsoft

Aliases :

Trojan:BAT/Stratork.M is also known as Trojan-Downloader.BAT.Banload.t (Kaspersky), TR/Offend.7016163.1 (Avira), BAT/Proxy.NAJ trojan (ESET), Trojan-Downloader.BAT.Banload (Ikarus).

Explanation :



Installation

Trojan:BAT/Stratork.M may have the file name "%temp%\mrtstub.exe". It changes your computer's registry so that it automatically runs every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft - Malicious Removal Tool"
With data: "%temp%\mrtstub.exe"

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".



Payload

Connects your computer through its own proxy server

Trojan:BAT/Stratork.M checks if your computer is connected to the Internet. It does this by trying to connect to "www.google.com.br". If the connection fails, it sleeps for five minutes and then tries again. It sleeps using a script named "C:\t<first two letters of your user name>.vbs".

If it confirms that your computer is connected to the Internet, Trojan:BAT/Stratork.M downloads a file named "%AppData%\KB_<first two letters of your user name>.dat" from the server "avast.0u7l00k3xpr355.com". In other variants, it gets a file named "%temp%\%computername%.txt" from the main executable.

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".

This file contains the proxy server details; Trojan:BAT/Stratork.M points your Internet Explorer proxy setting at it by changing the following registry entries:

In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "AutoConfigUrl"
With data: "file://%AppData%/KB_<first two letters of your user name>.dat" or "%temp%\%computername%.txt"

It also makes the following changes, if you have Firefox installed:

Changes your Firefox proxy server by adding the following lines to the file "prefs.js":
user_pref("network.proxy.autoconfig_url", "file://%AppData%\KB_<first two letters of your user name>.dat"); [or "%temp%\%computername%.txt"]
user_pref("network.proxy.type", 2);

Prevents you from changing Firefox proxy server settings by adding the following lines to the file "mozilla.cfg":
lockPref("network.proxy.autoconfig_url", "file://%AppData%\KB_<first two letters of your user name>.dat"); [or "%temp%\%computername%.txt"]
lockPref("network.proxy.type", 2);

If you're visiting a website containing any of the following strings in the URL, it redirects your session through the proxy server. One known proxy server is "oi.proxysegura.com" through port 3128:

  • american
  • bancodobrasil
  • banese
  • banespa
  • banrisul
  • bb
  • bnb
  • br
  • bradesco
  • caixa
  • cef
  • cetelem
  • citibank
  • com
  • hotmail
  • hsbc
  • infoseg
  • intouch
  • itau
  • linhadefensiva
  • pagseguro
  • paypal
  • real
  • safra
  • santander
  • santanderempresarial
  • securessl
  • serasa
  • sicredi
  • tam.com


Changes browser settings

Trojan:BAT/Stratork.M makes the following changes, if you have Internet Explorer or Firefox installed:

Turns off warnings in Internet Explorer for certificates issued by non-trusted authorities:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "WarnonBadCertRecving"
With data: "0"

It also disables warnings for content within your Intranet connection by setting the following registry value:
In subkey: HKU\<user ID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "WarnOnIntranet"
With data: "0"

Changes Firefox auto-update and proxy server settings by adding the following lines to the file "mozilla.cfg":
lockPref("app.update.auto",false);
lockPref("app.update.enabled", false);

Trojan:BAT/Stratork.M adds websites under the ".com.br" domain whose URL matches one of the following patterns to the Trusted Domains list in Internet Explorer:

  • *.bb
  • *.itau
  • *.hsbc
  • *.bradesco
  • *.santander
  • *.santanderempresarial


Changes computer settings

Trojan:BAT/Stratork.M makes the following security changes in your computer:

Disables the Least User Access (LUA) feature, which means you are no longer notified if a program tries to install another program, or make changes to your computer:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

Disables System Restore:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "DisableSR"
With data: "1"

This malware grants all permissions to all applications running under Java by adding the following line to the "java.policy" security configuration file:
grant { permission java.security.AllPermission;};
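A defender-side check for the indicators listed in the Installation, Payload and settings sections above, added here as an example (not code from the write-up or from Microsoft): it parses prefs.js/mozilla.cfg lines and a dictionary of exported registry values and flags the settings the trojan is described as writing. Key suffixes, value names and data come from the write-up; the file://KB_xx.dat match and the "0"/"0x0" DWORD forms are assumptions about how the data appears when read back.

```python
import re
from typing import Callable, Iterable
# Added example, not the page's code: flags the Firefox pref lines and registry values
# that the write-up attributes to Trojan:BAT/Stratork.M.
PREF_LINE = re.compile(r'^\s*(user_pref|lockPref)\s*\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;?\s*$')

def _pac_file(value: str) -> bool:
    """True for a file:// PAC URL ending in KB_xx.dat or <computername>.txt (assumed form)."""
    v = value.strip().strip('"').lower()
    return v.startswith("file://") and (re.search(r"kb_..\.dat$", v) is not None or v.endswith(".txt"))

def _dword(d: str, n: int) -> bool:
    """Match DWORD data written as '0' or '0x0' (the form reg.exe prints)."""
    return d.strip().lower() in (str(n), f"0x{n:x}")

FIREFOX_INDICATORS: dict[str, Callable[[str], bool]] = {
    "network.proxy.autoconfig_url": _pac_file,
    "network.proxy.type": lambda v: v.strip() == "2",
    "app.update.auto": lambda v: v.strip().lower() == "false",
    "app.update.enabled": lambda v: v.strip().lower() == "false",
}

# (subkey suffix, value name, predicate on data); paths and names compared case-insensitively.
REG_INDICATORS = [
    ("\\currentversion\\run", "microsoft - malicious removal tool", lambda d: "mrtstub.exe" in d.lower()),
    ("\\internet settings", "autoconfigurl", _pac_file),
    ("\\internet settings", "warnonbadcertrecving", lambda d: _dword(d, 0)),
    ("\\internet settings", "warnonintranet", lambda d: _dword(d, 0)),
    ("\\policies\\system", "enablelua", lambda d: _dword(d, 0)),
    ("\\currentversion\\systemrestore", "disablesr", lambda d: _dword(d, 1)),
]

def scan_firefox_prefs(lines: Iterable[str]) -> list[str]:
    """Return 'func(name)' for each prefs.js/mozilla.cfg line matching an indicator."""
    hits = []
    for line in lines:
        m = PREF_LINE.match(line)
        if m:
            func, name, value = m.groups()
            check = FIREFOX_INDICATORS.get(name)
            if check and check(value):
                hits.append(f"{func}({name})")
    return hits

def scan_registry(values: dict[tuple[str, str], str]) -> list[str]:
    """values maps (subkey, value name) -> data as strings; returns matching 'subkey\\name'."""
    hits = []
    for (subkey, name), data in values.items():
        for suffix, want, check in REG_INDICATORS:
            if subkey.lower().endswith(suffix) and name.lower() == want and check(str(data)):
                hits.append(f"{subkey}\\{name}")
    return hits
```

The registry dictionary can be built from a `reg query` export or from `winreg` on a live host; the functions themselves run anywhere.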

Additional information

Trojan:BAT/Stratork.M checks to see if it had previously infected your computer. If it is infecting your computer for the first time, it sends your user name and computer name to the remote server "redit.0u7l00k3xpr355.com" or "redir.marcandobrasils.com.br".



Analysis by Daniel Chipiristeanu

Last update 21 February 2013
