Home / malware

PDF

Trojan:Win32/Opachki.F

First posted on 20 September 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Opachki.F is also known as Trojan.Win32.Scar.crgi (Kaspersky), Trojan horse SHeur3.AXEM (AVG), TR/Scar.crgi (Avira), Win32/Zbot.M!generic (CA), Trojan-Downloader.Win32.Carberp (Ikarus), Trj/Downloader.MDW (Panda), Trojan.Win32.Generic!SB.0 (Sunbelt Software).

Explanation :

Trojan:Win32/Opachki.F is a backdoor that modifies a number of system settings, and periodically attempts to download and execute arbitrary files.
Top

Trojan:Win32/Opachki.F is a backdoor that modifies a number of system settings, and periodically attempts to download and execute arbitrary files. Installation When run, Trojan:Win32/Opachki.F copies itself as a hidden system file to <system file>\ntdevice.exe and %USERPROFILE%\userinit.exe. Some variants may also drop a DLL to %USERPROFILE%\pizda_ntload.dll. It sets the creation time, last access time, and last modification time of these files to have the same values as those of the operating system file at <system file>\kernel32.dll. It then launches a copy of one of these copies. Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. It also creates the following registry entries to ensure that the malware runs at each system start: To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adds value: "rundll32" With data: "<system file>\ntdevice.exe" To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adds value: "rundll32" With data: "%USERPROFILE%\userinit.exe" To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Sets value: "shell" With data: "explorer.exe <system file>\ntdevice.exe" Trojan:Win32/Opachki.F may periodically attempt to rewrite these copies and registry entries if one or more is deleted. Payload Modifies system settings The trojan runs multiple instances of the reg.exe utility in order in an attempt to remove settings that are used when the computers started in Safe Mode, by making the following registry changes: Deletes key: HKLM\System\CurrentControlSet\Control\Safeboot Deletes key: HKLM\System\ControlSet001\Control\Safeboot Deletes key: HKLM\System\ControlSet002\Control\Safeboot Trojan:Win32/Opachki.F disables the LUA (Least Privileged User Account), also known as the €œadministrator in Admin Approval Mode€ user type, by making the following registry modification: In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Sets value: "EnableLUA" With data: "0" It may attempt to stop the Windows Security Center from monitoring the affected user's antivirus application: To subkey: HKLM\SOFTWARE\Microsoft\Security Center Sets value: "AntiVirusOverride" With data: "1" To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc Sets value: "AntiVirusOverride" With data: "1" Trojan:Win32/Opachki.F may attempt to stop the Windows Security Center from monitoring the firewall by making the following registry modifications: To subkey: HKLM\SOFTWARE\Microsoft\Security Center Sets value: "FirewallOverride" With data: "1" To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc Sets value: "FirewallOverride" With data: "1" It may attempt to disable firewall notifications from the Windows Security Center: To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc Sets value: "FirewallDisableNotify" With data: "1" Trojan:Win32/Opachki.F may attempt to stop the Windows Security Center from displaying security alert notifications by making the following registry modifications: To subkey: HKLM\SOFTWARE\Microsoft\Security Center Sets value: "UacDisableNotify" With data: "1" To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc Sets value: "UacDisableNotify" With data: "1" It may also attempt to stop the Windows Security Center from displaying automatic alerts: To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc Sets value: "UpdatesDisableNotify" With data: "1" Removes system restore points Trojan:Win32/Opachki.F attempts to remove all previous system restore points and therefore prevent the system from being restored to a pre-infection state. Backdoor functionality The malware periodically contacts a remote server, which may issue it with one or more commands. These commands may include: €¢ Download an arbitrary file to the %TEMP% directory, and execute it €¢ Change the interval between attempts to contact the backdoor€™s server €¢ Change the decryption key for downloaded commands Variants of Trojan:Win32/Opachki have been observed downloading components of the Win32/Alureon family, malware that attempts to steal the user€™s FTP passwords, and fake antivirus software such as Rogue:Win32/FakeRean. When first contacting the server, the malware may send various items of system information, such as the computer name, locations of various directories, and version numbers of the operating system and Internet Explorer. Examples of servers used at the time of publication include the following:

Justslonka.com

Sweetcandy.biz

Osdad.com

Blader1.co.cc

Blader2.co.cc

Dscodec.com

Additional information The malware may store configuration information in some of the following files in the %USERPROFILE% directory:

pizda_cz.dat

pizda_bkurl.dat

pizda_dnsh.dat

And in the following registry value: HKCU\Software\Microsoft\adver_id

Analysis by David Wood

Last update 20 September 2010

 

TOP