
Trojan.Asterope


First posted on 16 July 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Asterope.

Explanation:

When the Trojan is executed, it creates the following files:
%Temp%\tmp[RANDOM CHARACTER].exe
%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\[RANDOM FILE NAME].lnk
%UserProfile%\Start Menu\Programs\Startup\[RANDOM FILE NAME].lnk
The Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipShadow\"DefaultValue" 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipShadow\"DefaultApplied" 0x00000065
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipShadow\"random value" [BINARY DATA]
The Trojan modifies the following registry entries:
HKEY_CURRENT_USER\Control Panel\Desktop\"SCRNSAVE.EXE" "\%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe\"""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\"AutoRun" "\%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe\"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM FILE NAME]" "\%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe\"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"[RANDOM FILE NAME]" "\%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe\"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"Run" "\%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe\"""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\"GlobalUserOffline" 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"NoProtectedModeBanner" 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"2500" 0x00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"{A8A88C49-5EB2-4990-A1A2-0876022C854F}" [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"{AEBA21FA-782A-4A90-978D-B72164C80120}" [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"2500" 0x00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"{A8A88C49-5EB2-4990-A1A2-0876022C854F}" [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"{AEBA21FA-782A-4A90-978D-B72164C80120}" [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"2500" 0x00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"{A8A88C49-5EB2-4990-A1A2-0876022C854F}" [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"{AEBA21FA-782A-4A90-978D-B72164C80120}" [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1601" 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1A05" 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" 0x00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"{A8A88C49-5EB2-4990-A1A2-0876022C854F}" [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"{AEBA21FA-782A-4A90-978D-B72164C80120}" [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1402" 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1601" 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1A02" 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1A03" 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1A05" 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1A06" 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"2500" 0x00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"{A8A88C49-5EB2-4990-A1A2-0876022C854F}" [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"{AEBA21FA-782A-4A90-978D-B72164C80120}" [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1400" 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\"GlobalUserOffline" 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"NoProtectedModeBanner" 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"2500" 0x00000003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"{A8A88C49-5EB2-4990-A1A2-0876022C854F}" [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"{AEBA21FA-782A-4A90-978D-B72164C80120}" [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"2500" 0x00000003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"{A8A88C49-5EB2-4990-A1A2-0876022C854F}" [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"{AEBA21FA-782A-4A90-978D-B72164C80120}" [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"2500" 0x00000003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"{A8A88C49-5EB2-4990-A1A2-0876022C854F}" [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"{AEBA21FA-782A-4A90-978D-B72164C80120}" [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1601" 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1A05" 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" 0x00000003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"{A8A88C49-5EB2-4990-A1A2-0876022C854F}" [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"{AEBA21FA-782A-4A90-978D-B72164C80120}" [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1400" 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1402" 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1601" 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1A02" 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1A03" 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1A05" 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1A06" 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"2500" 0x00000003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"{A8A88C49-5EB2-4990-A1A2-0876022C854F}" [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"{AEBA21FA-782A-4A90-978D-B72164C80120}" [BINARY DATA]
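As an added defender-side check (not part of the Symantec writeup), the following PowerShell script audits the persistence locations listed above: the SCRNSAVE.EXE, Command Processor AutoRun, Run, RunOnce and Policies\Explorer\Run values, plus the Startup-folder shortcuts, and reports any that resolve to an .exe under the drop path the writeup gives. It also accepts the AppData\Roaming spelling of that path, which is what %UserProfile%\Application Data resolves to on Windows Vista and later; that broadening is mine, not the writeup's.

```powershell
# Added example, not from the Symantec writeup. Read-only: it reports, never removes.
# Drop path per the writeup is %UserProfile%\Application Data\Microsoft\Windows\<name>.exe;
# the AppData\Roaming alternative is the modern location of that folder (my assumption).
$dropPathPattern = '\\(Application Data|AppData\\Roaming)\\Microsoft\\Windows\\[^\\"]+\.exe'

# Fixed-name values the writeup says are repointed at the dropped executable.
$namedValues = @(
    @{ Key = 'HKCU:\Control Panel\Desktop';                                        Name = 'SCRNSAVE.EXE' },
    @{ Key = 'HKCU:\Software\Microsoft\Command Processor';                        Name = 'AutoRun' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'Run' }
)
$findings = @()

foreach ($v in $namedValues) {
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($item -and ("$($item.($v.Name))" -match $dropPathPattern)) {
        $findings += [pscustomobject]@{ Location = "$($v.Key)\$($v.Name)"; Data = $item.($v.Name) }
    }
}

# Run and RunOnce use a random value name, so every value under them is inspected.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notin $metaProps -and "$($p.Value)" -match $dropPathPattern) {
            $findings += [pscustomobject]@{ Location = "$key\$($p.Name)"; Data = $p.Value }
        }
    }
}

# Startup-folder .lnk files (per-user and all-users): resolve each target and test it.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -match $dropPathPattern) {
            $findings += [pscustomobject]@{ Location = $_.FullName; Data = $target }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No Trojan.Asterope persistence indicators found in the audited locations.' }
```

Run it in the context of the user whose profile is suspected, since every registry location it checks is under HKEY_CURRENT_USER.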
The Trojan may attempt to access the following IP address:
146.185.220.23

The Trojan may access the following locations to download a configuration file:
[http://]195.20.141.71:[RANDOM PORT NUMBER]/getC[REMOVED]
[http://]195.20.141.72:[RANDOM PORT NUMBER]/getC[REMOVED]
[http://]195.20.141.73:[RANDOM PORT NUMBER]/getC[REMOVED]
[http://]195.20.141.74:[RANDOM PORT NUMBER]/getC[REMOVED]
The Trojan may create the following mutexes:
shell.[COMPUTER SPECIFIC VALUE]
ASTEROPE
ASTEROPE_CLICKER_MUTEX
The Trojan accesses the configuration file to determine what tasks to perform.

The Trojan may perform the following actions:
Navigate to specific URLs
Click specific locations
Install Macromedia Flash Player

Last update 16 July 2014
