
Trojan.Venik


First posted on 02 October 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Venik.

Explanation :

Once executed, the Trojan creates the following files:
%SystemDrive%\[FIVE RANDOM LETTERS]\[SEVEN RANDOM LETTERS].[THREE RANDOM LETTERS]
[PATH TO MALWARE]\lang.ini
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"EvtMgr" = "[PATH TO MALWARE]"
If the following file is found on the compromised computer, the Trojan will not continue with its installation:
%SystemDrive%\test.1
If the following mutex is found on the compromised computer, the Trojan will not continue with its installation:
M142.0.137.66:3201
The Trojan then creates the following mutex so that only one instance of the threat executes on the computer:
M142.0.137.66:3201
If [PATH TO MALWARE]\ReadMe.txt is not present, the Trojan ends and deletes the module of any process listening on UDP port 53.

The Trojan then creates the following files:
[PATH TO MALWARE]\ReadMe.txt
%SystemDrive%\wiseman.exe
The Trojan then gathers the following information from the compromised computer:
CPU name
Operating system version
RAM size
Malware version
Language setting
The Trojan sends the gathered information to the following remote location:
142.0.137.66:3201
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Download and execute files
Download and install a file as a service
Shut down the compromised computer
Restart the compromised computer
Close connections
Update the Trojan
Next, the Trojan may connect to the following remote locations:
[http://]142.0.137.68:804//joy.asp[REMOVED]
[http://]142.0.137.68:803//joy.asp[REMOVED]
The Trojan modifies the hosts file on the compromised computer to redirect traffic from the following legitimate domains:
www.shinhan.com.or
search.daum.net
search.naver.com
www.kbstar.com.or
www.knbank.vo.kr
openbank.cu.vo.kr
www.busanbank.vo.kr
www.nonghyup.com.or
www.shinhan.ccm
www.wooribank.com.or
www.hanabank.ccm
www.epostbank.go.kr.or
www.ibk.co.kr.or
www.ibk.vo.kr
www.keb.co.kr.or
www.kfcc.co.kr.or
www.lottirich.co.ir
www.nlotto.co.ir
www.gmarket.net
nate.com
www.nate.com
daum.com
www.daum.net
daum.net
www.zum.com
zum.com
naver.com
www.nonghyup.com
www.naver.com
www.nate.net
hanmail.net
www.hanmail.net
www.hanacbs.com
www.kfcc.co.kr
www.kfcc.vo.kr
www.daum.net
daum.net
www.kbstir.com
www.nonghuyp.com
www.shinhon.com
www.wooribank.com
www.ibk.co.kr
www.epostbenk.go.kr
www.keb.co.kr
www.citibank.co.kr.or
www.citibank.vo.kr
www.standardchartered.co.kr.or
www.standardchartered.vo.kr
www.suhyup-bank.com.or
www.suhyup-bank.com
www.kjbank.com.or
www.kjbank.com
openbank.cu.co.kr.or
openbank.cu.co.kr
www.knbank.co.kr.or
www.knbank.co.kr
www.busanbank.co.kr.or
www.busanbank.co.ir
www.suhyup-bank.com
www.suhyup-bank.ccm
www.standardchartered.co.kr
Requests to any of the listed domains are redirected to the following remote location:
121.2.97.99
Note: The remote location and the redirected domains can be changed by the attacker.
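The hosts-file tampering described above is something a responder can check for directly. The following is an added detection example, not Symantec's code and not part of the original write-up: it parses hosts-file text, flags any entry that maps one of the listed domains to a non-loopback address, and collects the distinct redirect targets so the attacker-controlled address stands out. The domain set is a subset of the report's list (the full list would be loaded from the report in practice), and the sample hosts content is constructed for illustration; the 121.2.97.99 address is the redirect target the report names.

```python
"""Added example: find hosts-file entries that redirect monitored domains.

Not the malware author's or Symantec's code.  Domains below are a subset of
those named in the write-up; SAMPLE_HOSTS is constructed test input."""
import ipaddress
from typing import Dict, List, Set

# Subset of the domains the report says are redirected (all appear verbatim in it).
MONITORED_DOMAINS: Set[str] = {
    "www.shinhan.com", "search.daum.net", "search.naver.com", "www.kbstar.com",
    "www.wooribank.com", "www.ibk.co.kr", "www.keb.co.kr", "www.naver.com",
    "www.daum.net", "www.nate.com", "www.kfcc.co.kr", "www.kjbank.com",
    "www.citibank.co.kr", "www.standardchartered.co.kr", "openbank.cu.co.kr",
}

# Constructed hosts-file content: two normal loopback lines, two tampered
# lines pointing at the report's redirect address, and one benign sinkhole
# entry (loopback) that must NOT be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
121.2.97.99 www.shinhan.com
121.2.97.99 search.naver.com www.naver.com   # one address, several hosts
127.0.0.1 www.wooribank.com
"""


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per (address, hostname) pair in hosts-file text.

    Comments and blank lines are skipped; a line may list several hostnames
    after the address.  Lines whose first token is not an IP address are
    ignored rather than raising, because real hosts files are hand-edited."""
    records: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        for host in tokens[1:]:
            records.append({"line": lineno, "ip": addr, "host": host.lower()})
    return records


def find_redirects(text: str, monitored: Set[str] = MONITORED_DOMAINS) -> List[Dict[str, object]]:
    """Entries that map a monitored domain to any non-loopback address.

    Loopback mappings are left alone: security tooling commonly sinkholes
    domains to 127.0.0.1, and that is not the redirect the report describes."""
    return [
        rec for rec in parse_hosts(text)
        if rec["host"] in monitored and not rec["ip"].is_loopback
    ]


def redirect_targets(text: str, monitored: Set[str] = MONITORED_DOMAINS) -> Set[str]:
    """Distinct addresses that monitored domains are redirected to."""
    return {str(rec["ip"]) for rec in find_redirects(text, monitored)}


if __name__ == "__main__":
    # On a Windows host the real file is %SystemRoot%\System32\drivers\etc\hosts.
    for hit in find_redirects(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
    print("redirect targets:", sorted(redirect_targets(SAMPLE_HOSTS)))
```

Running the block against the constructed sample reports the three tampered mappings and a single target address; pointing it at a real hosts file means reading that file's text and passing it to the same functions. Because the report notes the attacker can change both the target address and the domain list, the check keys on the pattern (a monitored domain resolved locally to a non-loopback address) rather than on the single IP.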

The Trojan also searches for and attempts to delete the following legitimate files:
ASDSvc.exe
V3Lite.exe
%SystemDrive%\1.vbs
Once the files are no longer present on the compromised computer, the Trojan connects to the following command-and-control (C&C) server:
[http://]142.0.137.67:805/inde[REMOVED]
The Trojan then searches %ProgramFiles% for files containing the following string:
NKPI
It then uploads any files it finds to the C&C server.

If the Trojan determines that it is not running in a virtual machine, it creates the following mutex:
0x5d65r455f
The Trojan then connects to the following remote location to receive additional C&C server locations:
[http://]blog.sina.com.cn/u/56550[REMOVED]

Last update 02 October 2015
