
Win32.Trafrox


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Trafrox.

Explanation:

When executed, the virus starts by decrypting its code. It then copies the decrypted executable to %windir%\system32\Services.exe. From then on, execution of the virus continues from there.

When the copy in %windir%\system32 is executed, it gets the path of the system folder (the system32 folder) and the current user name. Using the first four letters of the user name, the virus creates a string that is encrypted with the letters “trfx” (using XOR). It then copies the virus executable to a folder with that name and to the Windows directory, and marks the new folder as hidden.

It then tests whether the file that is running is called updater.exe. If it is not, it verifies that the file is running from the Windows folder.

If the virus is currently running from the %system% folder or from a folder inside %system%, it checks for the existence of the file in the newly created folder and modifies the section names (using random numbers). If the file does not exist, it copies it there. After that is done, it starts the process from the newly created folder and, depending on a random number, it may display one of the following messages:

“You are not allowed to run this program without administrator privilege.”

“Not enough privilege to run this program.”

“Administrator privilege needed to run this program.”

“Program cannot run without administrator right.”



After all files are copied or modified, the virus creates a registry value named “services” under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Using this value, the virus runs at Windows startup.
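The installation steps above leave a small set of host indicators: a Run value named “services”, a Services.exe in system32, and (later) the update-thread file names. The following triage helper is an added example, not BitDefender's code or part of the original write-up; it works on constructed snapshots (a dict of Run values and a list of file paths) rather than a live system, and the hidden-folder helper returns the raw XOR bytes because the write-up does not say how the “trfx”-encrypted string is rendered as a folder name (that is an assumption). Note that the legitimate Service Control Manager also lives at %windir%\system32\services.exe, so that path alone only means “verify the file's signature or hash”; the Run value is the stronger signal.

```python
"""Triage helper for the installation and persistence indicators described above.
Added example, not BitDefender's code: it takes constructed snapshots
(a dict of Run values and a list of file paths) instead of reading a live system."""
import ntpath
from dataclasses import dataclass

TRFX_KEY = b"trfx"                                            # XOR key named in the write-up
UPDATE_LEFTOVERS = {"updater.exe", "x0f4rt.xe", "x0f4rt.de"}  # names from the update thread


def xor_with_key(data: bytes, key: bytes = TRFX_KEY) -> bytes:
    """XOR every byte of data with the repeating key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_folder_token(username: str) -> bytes:
    """First four letters of the user name XORed with 'trfx'.
    The write-up does not say how the result becomes a folder name,
    so the raw bytes are returned (assumption: no further encoding)."""
    return xor_with_key(username.encode("ascii", "ignore")[:4])


@dataclass
class Finding:
    kind: str    # run_value | services_exe_check | update_leftover
    detail: str


def triage(run_values: dict, files: list, windir: str = r"C:\Windows") -> list:
    """Match a snapshot against the indicators: a Run value named 'services',
    a services.exe directly under system32 (legitimate Windows has one there too,
    so this only asks for a signature/hash check), and leftover update files anywhere."""
    findings = []
    system32 = ntpath.join(windir, "system32").lower()
    for name, data in run_values.items():
        if name.lower() == "services":
            findings.append(Finding("run_value", f"{name} -> {data}"))
    for path in files:
        low = path.lower()
        base = ntpath.basename(low)
        if base == "services.exe" and ntpath.dirname(low) == system32:
            findings.append(Finding("services_exe_check", path))
        elif base in UPDATE_LEFTOVERS:
            findings.append(Finding("update_leftover", path))
    return findings


if __name__ == "__main__":
    # Constructed snapshot, not data from a real host.
    sample_run = {"OneDrive": r"C:\Users\alice\OneDrive.exe",
                  "services": r"C:\Windows\system32\Services.exe"}
    sample_files = [r"C:\Windows\system32\Services.exe",
                    r"C:\Windows\system32\5abc\updater.exe",
                    r"C:\Users\alice\notes.txt"]
    for f in triage(sample_run, sample_files):
        print(f.kind, f.detail)
```

On a real host the same functions would be fed the output of a registry export and a file listing; the XOR helper is included so an analyst can test candidate folder names against a known user name once the encoding is confirmed.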

From now on, the execution is split into four threads:



The first thread is meant to protect the virus. It starts by enumerating all processes. If it finds a process whose path contains one of the strings listed below, then, depending on a random number, the virus may delete the file or may corrupt it by inserting the following string: “.This file was hacked by: tr4f0x.A - IVS - Indonesian Virus Society.”



debug

ccapp

cclaw

scan

avlite

avup

AVSYNMGR

AVWUPD32

AVXQUAR

navw32

guard

secure

security

center

kick

hijack

iknow

hacker

anti

avengine

pavprsrv

pavsrv51

apvxdwin

LordPE

griso

firewa

sysinter

procexp


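Two things a responder can do with the list above and the marker string: find which files on a disk were corrupted by the first thread, and check which installed tools the process-path check would have matched. The block below is an added example, not BitDefender's code or part of the original write-up; the sample directory is constructed in a temporary folder, and case-insensitive matching of the substrings is an assumption since the write-up does not say how the comparison is made.

```python
"""Find files carrying the corruption marker the first thread writes, and check
process image paths against the substring list above. Added example, not
BitDefender's code; the sample directory and files are constructed in a temp dir."""
import os
import tempfile

MARKER = b".This file was hacked by: tr4f0x.A - IVS - Indonesian Virus Society."

# Substrings the write-up says are matched against process paths.
TARGET_SUBSTRINGS = [
    "debug", "ccapp", "cclaw", "scan", "avlite", "avup", "AVSYNMGR", "AVWUPD32",
    "AVXQUAR", "navw32", "guard", "secure", "security", "center", "kick", "hijack",
    "iknow", "hacker", "anti", "avengine", "pavprsrv", "pavsrv51", "apvxdwin",
    "LordPE", "griso", "firewa", "sysinter", "procexp",
]


def matches_target_list(image_path: str) -> list:
    """Return the listed substrings found in image_path. Matching case-insensitively
    is an assumption; the write-up does not state how the comparison is done."""
    low = image_path.lower()
    return [s for s in TARGET_SUBSTRINGS if s.lower() in low]


def file_has_marker(path: str, chunk: int = 1 << 20) -> bool:
    """Stream the file in chunks, keeping a tail so a marker split across
    two chunks is still found."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                return False
            if MARKER in tail + buf:
                return True
            tail = buf[-(len(MARKER) - 1):]


def scan_for_marker(root: str) -> list:
    """Walk root and return the files that contain MARKER, sorted."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if file_has_marker(path):
                    hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def demo() -> list:
    """Build a constructed directory with one marked and one clean file and
    return the base names of the files the scan flags."""
    root = tempfile.mkdtemp(prefix="trafrox_demo_")
    with open(os.path.join(root, "procexp.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 100 + MARKER + b"\0" * 10)   # corrupted tool
    with open(os.path.join(root, "notepad.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 200)                         # untouched file
    return [os.path.basename(p) for p in scan_for_marker(root)]


if __name__ == "__main__":
    print(demo())
    print(matches_target_list(r"C:\Tools\procexp.exe"))
```

Because the write-up says the marker is inserted into the target's file, a corrupted tool will still carry the string after the incident; scanning backups and tool directories for it is a cheap way to enumerate what was tampered with. Short substrings such as “anti” and “scan” will also match unrelated paths, which is why the function returns the matches rather than a verdict.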

The second thread is meant to infect files on the computer and on the network.

The virus starts by enumerating all drives and, for each drive it finds (starting from the last one in alphabetical order), it enumerates the files. To avoid making the user suspicious, the virus only searches for files every 0.666 seconds. If it finds an executable file, it tests whether the file contains one of the following strings:

inst

unin

wise

vise

setup

dele

master

sfx

If it does, the file will be ignored.

After the virus does some simple tests to check that the file to be infected is not protected or packed, it writes its code at the end of the original file and modifies the header of the original file so that execution starts from the virus code.
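An appended-code infection of this kind leaves a recognisable shape in the PE header: the entry point no longer lies in the first code section but in the last section of the file. The block below is an added example, not BitDefender's code or part of the original write-up. It builds two minimal PE32 images in memory (a clean layout and an infected one) and parses them back; whether the virus adds a new section or grows the last one is not stated, so the infected sample grows the last section (an assumption), and the image contents are zero-filled placeholders rather than real code.

```python
"""Header-level heuristic for the appended-code infection described above: the
virus writes its body after the host file and repoints the entry point at it.
Added example, not BitDefender's code. Both PE images are constructed in memory
with only the fields the parser reads; the infected sample grows the last
section and moves the entry point into the added bytes (assumption)."""
import struct

E_LFANEW = 0x80      # offset of the PE signature in the constructed images
OPT_SIZE = 0xE0      # size of a standard PE32 optional header
ALIGN = 0x200        # file alignment used when laying out raw data


def build_pe(entry_rva: int, sections: list) -> bytes:
    """Build a minimal PE32 image. sections: (name, virtual_address, virtual_size, raw_size)."""
    hdr_end = E_LFANEW + 4 + 20 + OPT_SIZE + 40 * len(sections)
    raw_ptr = (hdr_end + ALIGN - 1) & ~(ALIGN - 1)
    sect_hdrs, body = b"", b""
    for name, va, vsize, rsize in sections:
        sect_hdrs += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"), vsize, va, rsize, raw_ptr)
        sect_hdrs += b"\0" * 16                    # relocation/line-number fields left zero
        body += b"\0" * rsize
        raw_ptr += rsize
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", E_LFANEW)).ljust(E_LFANEW, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_SIZE, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(OPT_SIZE, b"\0")
    headers = dos + b"PE\0\0" + coff + opt + sect_hdrs
    return headers.ljust((hdr_end + ALIGN - 1) & ~(ALIGN - 1), b"\0") + body


def parse_pe(data: bytes) -> tuple:
    """Return (entry_rva, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # COFF SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]  # AddressOfEntryPoint
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return entry, sections


def entry_section_index(data: bytes):
    """Index of the section whose virtual range holds the entry point, or None."""
    entry, sections = parse_pe(data)
    for i, (_, va, vsize, _, rsize) in enumerate(sections):
        if va <= entry < va + max(vsize, rsize):
            return i
    return None


def looks_appended(data: bytes) -> bool:
    """Entry point in the last of several sections is the shape an appended-code
    infection leaves behind. Packers and some linkers produce it too, so treat it
    as a triage signal rather than a verdict."""
    _, sections = parse_pe(data)
    idx = entry_section_index(data)
    return idx is not None and len(sections) > 1 and idx == len(sections) - 1


# Constructed samples: a clean layout, and one where the last section was grown
# and the entry point moved into the added bytes.
CLEAN = build_pe(0x1000, [(".text", 0x1000, 0x200, 0x200), (".data", 0x2000, 0x100, 0x200)])
INFECTED = build_pe(0x2100, [(".text", 0x1000, 0x200, 0x200), (".data", 0x2000, 0x500, 0x600)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, entry_section_index(img), looks_appended(img))
```

The heuristic is deliberately narrow: it reads only the fields it needs and does not try to validate the rest of the header, so it can be run over a large tree quickly as a first pass before a full signature scan.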



The third thread is meant to update the virus.

Every 10 seconds the virus gets the current time and checks whether the hour is 1, 5, 6, 9 or 12. If it is, the virus searches for files left by a previous update: updater.exe, x0f4rt.xe and x0f4rt.de. If it finds any of these files, it deletes them.

It then checks every 10 seconds whether the computer is connected to the internet. If it is, the virus sets the User-Agent to the path of the executable in the folder created in system32 and tries to download a file from one of the addresses listed below, saving it under the name x0f4rt.de. It then encrypts it and saves it under the name x0f4rt.xe, copies the encrypted file under the name updater.exe and starts it.



http://indonesian[hidden].cjb.net/indonesianvxzone.jpg

http://[hidden].cjb.net/vaksin.jpg

http://[hidden].cjb.net/34refds.jpg

http://[hidden].cjb.net/43ti45s.jpg

The fourth and last thread is a flooder. Using the ping command, the virus sends 66 bytes of data to the following IPs:



www.lc.[hidden].id

202.[hidden].81.1 to 202.[hidden].81.60
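Both network behaviours above (the update thread's User-Agent set to a local executable path, and the flooder's run of 66-byte pings across consecutive addresses) are visible in ordinary proxy and flow logs. The block below is an added example, not BitDefender's code or part of the original write-up: the log lines, hosts and addresses are constructed (203.0.113.0/24 is the TEST-NET-3 documentation range), the log formats are made up, and the window and target-count thresholds are assumptions to tune for a real environment.

```python
"""Detection over constructed proxy and flow records for the two network behaviours
described above: HTTP fetches whose User-Agent is a local executable path (update
thread) and ICMP echo bursts carrying 66-byte payloads across a run of addresses
(flooder). Added example, not BitDefender's code; hosts, addresses and log formats
are made up, and the detection thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed proxy lines: <epoch> <client> <method> <url> "<user-agent>"
PROXY_LOG = [
    '1321900000 10.0.0.5 GET http://www.example.com/index.html "Mozilla/5.0"',
    r'1321900010 10.0.0.7 GET http://update.example/indonesianvxzone.jpg "C:\Windows\system32\5abc\Services.exe"',
    '1321900020 10.0.0.5 GET http://www.example.com/logo.jpg "Mozilla/5.0"',
]

# Constructed flow records: (epoch, src, dst, proto, payload_len).
FLOW_LOG = [(1321900100 + i, "10.0.0.7", f"203.0.113.{i + 1}", "icmp", 66) for i in range(20)]
FLOW_LOG += [(1321900100, "10.0.0.9", "203.0.113.1", "icmp", 56),   # ordinary ping
             (1321900105, "10.0.0.9", "203.0.113.2", "icmp", 56)]

PROXY_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "(.*)"$')
# A User-Agent that is a drive-letter, UNC or %windir% path ending in .exe.
UA_PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|\\\\|%windir%).*\.exe$', re.IGNORECASE)


def suspicious_user_agents(lines: list) -> list:
    """Return (client, url, user_agent) for requests whose UA looks like a file path."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m and UA_PATH_RE.match(m.group(5)):
            hits.append((m.group(2), m.group(4), m.group(5)))
    return hits


def icmp_sweeps(flows: list, payload_len: int = 66, window: int = 60, min_targets: int = 10) -> list:
    """Return (src, distinct_targets) for sources that ping at least min_targets
    different hosts with payload_len-byte echoes inside any window of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, plen in flows:
        if proto == "icmp" and plen == payload_len:
            by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for t0, _ in events:
            targets = {dst for ts, dst in events if t0 <= ts < t0 + window}
            if len(targets) >= min_targets:
                alerts.append((src, len(targets)))
                break
    return sorted(alerts)


if __name__ == "__main__":
    print(suspicious_user_agents(PROXY_LOG))
    print(icmp_sweeps(FLOW_LOG))
```

The User-Agent check is the more specific of the two, since a browser never sends a filesystem path as its identity and the path itself names the dropped copy; the ICMP sweep check is a generic host-discovery/flood signal and will also fire on legitimate monitoring, so the source should be compared against known scanners before escalating.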

Last update 21 November 2011

 
