
Trojan:Win32/Mincinas.A


First posted on 02 November 2011.
Source: SecurityHome

Aliases:

Trojan:Win32/Mincinas.A is also known as Trojan.MulDrop3.8118 (Dr.Web), Backdoor.Win32.Farfli (Ikarus), Generic.grp!cb (McAfee), Backdoor.Ripinip (Symantec).

Explanation:

Trojan:Win32/Mincinas.A is a trojan that injects payload code into other processes. The payload code is commonly stored on the affected computer as an encrypted file.



Trojan:Win32/Mincinas.A is a trojan that injects code into other processes. The code is commonly stored on the affected computer as an encrypted file.



Installation

This trojan is installed by a dropper, which is also detected as Trojan:Win32/Mincinas.A. The dropped files may be present in the Windows system folder and the Temporary Internet Files folder, as in the following examples:

  • %TEMP%\tmp7.tmp
  • %TEMP%\tmp8.tmp
  • <system folder>\classic.fon
  • <system folder>\luna.fon


It modifies the system registry so that its dropped files are registered as services:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters
Sets value: "ServiceDll"
With data: "%TEMP%\<malware file name>"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriver
Sets value: "ImagePath"
With data: "%TEMP%\tmp8.tmp"

In subkey: HKLM\System\CurrentControlSet\Services\Redirection
Sets value: "ImagePath"
With data: "%TEMP%\tmp8.tmp"

The dropper launches the trojan by executing the following command-line instruction:

net start IpFilterDriver

When the trojan executes, it reads data from the following registry subkey to locate the installed, encrypted binary file:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
Value: "Plus"
Data: "<system folder>\Luna.fon"

Trojan:Win32/Mincinas.A decrypts the binary file and injects its contents, which include payload instructions, into specified processes.



Payload

Communicates with a remote server

Trojan:Win32/Mincinas.A modifies the local firewall policy by adding an exception for certain ports, as in the following example:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
Sets value: "List"
With data: "1043:TCP:<original data>"

The trojan gathers the following types of information about the affected computer and sends this to a remote server using SSL:

  • MAC address
  • Hard drives or SCSI devices installed
  • Operating system version


In the wild, this trojan was observed to communicate with a server named "look.com".



Analysis by Vincent Tiu

Last update 02 November 2011
