Trojan:Win32/Holwen.A
First posted on 29 October 2010.
Source: SecurityHome
Aliases:
There are no other names known for Trojan:Win32/Holwen.A.
Explanation:
Trojan:Win32/Holwen.A is a trojan that may arrive through spammed email messages. It may arrive disguised as a screensaver. It contacts various websites and may download additional files in the computer.
Installation

Trojan:Win32/Holwen.A may be hosted on a remote server, and a link to it may be included in spammed email messages. The email message may be similar to the following:

Subject: HappyHalloween
Body:
Dear all, I will probably go to a Halloween costume party. I made a screensaver about last year. Is so funny!
http://www.morescreen.net/downloads/holidays/Halloween.zip
Wishing you a happy Halloween!

When run, Trojan:Win32/Holwen.A creates the following files in the %TEMP% folder:

<system folder>\test.scr - a clean screensaver file
<malware file> - contains the main payload, also detected as Trojan:Win32/Holwen.A

Both of these files are then run. The screensaver opens and may mislead the user into thinking that nothing malicious is happening on the computer. It may appear as the following: [screenshot of the screensaver not reproduced]. The screensaver may contain the following image: [image not reproduced].

When the main payload detected as Trojan:Win32/Holwen.A is run, it creates the mutex "LoadLibraryEx2". It also copies itself as the following files:

%windir%\Installer\g542ct.msi
<system folder>\perlctf.exe
<system folder>\dllcache\iju87ct.sys

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

It also creates the following registry keys and entries as part of its installation process:

In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6E37E50D-84D8-55C0-9FBF-D86D2AEC6995}
    Sets value: "StubPath"
    With data: "perlctf.exe"
    Sets value: "@"
    With data: "Microsoft VM"
    Sets value: "ComponentID"
    With data: "JAVAVM"
    Sets value: "Version"
    With data: "5,1,3802,0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECDRV
    Sets value: "NextInstance"
    With data: "0x00000001"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECDRV\0000
    Sets value: "Class"
    With data: "LegacyDriver"
    Sets value: "ClassGUID"
    With data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    Sets value: "ConfigFlags"
    With data: "0x00000000"
    Sets value: "DeviceDesc"
    With data: "Secdrv"
    Sets value: "Legacy"
    With data: "0x00000001"
    Sets value: "Service"
    With data: "Secdrv"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECDRV\0000\Control
    Sets value: "*NewlyCreated*"
    With data: "0x00000000"
    Sets value: "ActiveService"
    With data: "Secdrv"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Secdrv\Enum
    Sets value: "0"
    With data: "Root\LEGACY_SECDRV\0000"
    Sets value: "Count"
    With data: "0x00000001"
    Sets value: "NextInstance"
    With data: "0x00000001"

Payload

Modifies Internet settings

Trojan:Win32/Holwen.A may change the computer's Internet Connection settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Sets value: "DefaultConnectionSettings"
    With data: "<malware data>"

Connects to certain websites

Trojan:Win32/Holwen.A may open Internet Explorer and connect to the following websites:

free.coffeelauch.com
firehappy.sytes.net

Once connected, it may send information about the infected computer, such as the computer name and IP address, and the user name of the currently logged-on user. It may also download arbitrary files from these websites.
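The following read-only triage script is an added example for this page; it is not part of the original description and not a vendor tool. It checks a Windows host for the file, registry, mutex and DNS-cache artifacts listed above. The file paths, registry keys, mutex name and hostnames are taken verbatim from the description; everything else (the script structure, the "Global\" mutex variant, and the use of the DNS resolver cache) is an assumption made for the example. Note that the LEGACY_SECDRV enumeration keys and the DefaultConnectionSettings value also exist on many clean systems, so the script reports them only as supporting context rather than as a detection on their own.

```powershell
# Added triage example for Trojan:Win32/Holwen.A (not from the original page).
# Read-only: it changes nothing. Run from an elevated PowerShell prompt so the
# HKLM keys and the system folder are readable.

$findings = New-Object System.Collections.Generic.List[string]

# --- File artifacts (paths as listed in the description) -------------------
$sys = [Environment]::SystemDirectory        # resolves "<system folder>"
$win = $env:windir
$files = @(
    (Join-Path $win 'Installer\g542ct.msi'),
    (Join-Path $sys 'perlctf.exe'),
    (Join-Path $sys 'dllcache\iju87ct.sys'),
    (Join-Path $env:TEMP 'test.scr')        # the decoy screensaver dropped in %TEMP%
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# --- Active Setup persistence: StubPath runs perlctf.exe at each user logon --
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{6E37E50D-84D8-55C0-9FBF-D86D2AEC6995}'
if (Test-Path -LiteralPath $asKey) {
    $stub = (Get-ItemProperty -LiteralPath $asKey -ErrorAction SilentlyContinue).StubPath
    $findings.Add("Active Setup key present, StubPath = '$stub'")
}

# --- Mutex: OpenExisting throws WaitHandleCannotBeOpenedException when absent.
# The description does not say which namespace the mutex lives in, so both the
# session-local name and the Global\ variant (an assumption) are tried.
foreach ($name in @('LoadLibraryEx2', 'Global\LoadLibraryEx2')) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings.Add("Mutex '$name' is currently held by a running process")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present: nothing to report
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("Mutex '$name' exists but could not be opened (access denied)")
    }
}

# --- Secdrv enumeration keys: weak indicator on their own, since a Secdrv
# service also ships with some Windows versions. Reported as context only.
$secdrv = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECDRV\0000'
if (Test-Path -LiteralPath $secdrv) {
    $svc = (Get-ItemProperty -LiteralPath $secdrv -ErrorAction SilentlyContinue).Service
    $findings.Add("LEGACY_SECDRV enum key present (Service = '$svc'); corroborate with file findings")
}

# --- Connection settings blob the trojan is said to modify. The value exists
# on clean systems too, so only its presence and size are reported for
# comparison against a known-good baseline.
$conn = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$dcs  = (Get-ItemProperty -LiteralPath $conn -ErrorAction SilentlyContinue).DefaultConnectionSettings
if ($dcs) {
    $findings.Add("DefaultConnectionSettings is set ($($dcs.Length) bytes); compare against a baseline")
}

# --- DNS resolver cache: evidence of recent contact with the listed hosts ----
$hosts = @('free.coffeelauch.com', 'firehappy.sytes.net')
$dnsCache = ipconfig /displaydns 2>$null
foreach ($h in $hosts) {
    if ($dnsCache | Select-String -SimpleMatch $h -Quiet) {
        $findings.Add("DNS cache contains an entry for $h")
    }
}

# --- Report -----------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Holwen.A artifacts found on this host.'
} else {
    Write-Output "Possible Trojan:Win32/Holwen.A artifacts ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on the Active Setup key with a StubPath of "perlctf.exe", or on any of the three copied files, is the strongest signal here; the Secdrv keys and the connection-settings blob should only raise confidence when they appear together with those. Because the Active Setup StubPath re-runs the payload for every user who logs on, a cleanup that removes the files but leaves that key will keep producing logon errors and should be followed by removing the key as well.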
Analysis by Patrik Vicol
Last update: 29 October 2010