Home / malware

PDF

Backdoor:Win32/Prisos.A

First posted on 04 October 2019.
Source: Microsoft

Aliases :

Backdoor:Win32/Prisos.A is also known as Troj/Agent-ICR, Trojan.Generic.153545, Trojan-Spy.Win32.TianYan.b.

Explanation :

Win32/Prisos.A is a destructive trojan that has been distributed as a 40,960-byte executable. The trojan's code is not packed or encrypted. This trojan may slow down an affected system's performance and render it unbootable. InstallationWhen executed, Win32/Prisos.A checks if the trojan's file name is cleanmg.exe. It also checks for the presence of the following registry key:HKLMSoftwareMicrosoftWindowsCurrentVersionProgramFilesA If only one of these conditions is met, the trojan executes its payload (see below for additional detail). If both conditions are met the trojan checks if the file size is exactly 40,960 bytes. If the trojan file is not consistent with this file size, the payload is executed. Otherwise, if the file name is not cleanmg.exe and the ProgarmFilesA registry key is not found the trojan installs itself to the affected system. It copies itself to cleanmg.exe and sets the registry to run this copy on every system boot:Adds value: winlogon
With data: "cleanmg.exe"
To subkey: HKLMSoftwareMicrosoftWindowsCurrentVersionRun  It also creates and sets the following key to NONE and exits:HKLMSoftwareMicrosoftWindowsCurrentVersionProgramFilesA Note that HKLMSoftwareMicrosoftWindowsCurrentVersionProgramFilesA being set to NONE or TRUE is one of the aforementioned preconditions that will execute the payload. The file name used by the trojan, 'cleanmg.exe', has presumably been chosen so that the trojan may attempt to masquerade as the legitimate cleanmgr.exe program, normally found in the . Note the difference in the icons as well as the date modified of both files in the image below:  If the trojan's file name is cleanmg.exe and the HKLMSoftwareMicrosoftWindowsCurrentVersionProgramFilesA key is set to NONE, the trojan enters  an endless loop, scanning the names of open windows. If a name is found to contain one of the following strings the trojan terminates the program by issuing a "close window" message: WINDOWS TASK MANAGERREGISTRYANTIHIJACKSPYWARESYSTEM CONFIGURATION UTILITYZONEDR.WEBSMARTDEFENSE Note that if the trojan finds WINDOWS TASK MANAGER it attempts to clear the list of applications displayed by the Task Manager before terminating the Task Manager itself. This is done in an attempt to thwart the possibility of detecting the trojan process should the attempt to terminate the WINDOWS TASK MANAGER fail.  The trojan also counts the number of times certain applications are executed and if it exceeds a predefined number the trojan executes a payload. For instance Win32/Prisos.A will tolerate the appearance of REGISTRY and SYSTEM CONFIGURATION UTILITY window names no more than once before proceeding and executing the payload. If the window name contains "(" followed by ":)" than the trojan assumes that it is a file explorer window and proceeds to extract the drive letter from the window text.    If the drive letter references a fixed or a removable type the trojan recursively scans for the file 'nemesis.exe' skipping the SYSTEM, SYSTEM32, PROGRAM FILES, WINDOWS, DOCUMENTS AND SETTINGS folders. Once found it checks if the resource section contains the string "[N]emesis v03" . If found the trojan overwrites the file 'nemesis.exe' with a copy of itself and changes the file's attributes to HIDDEN and SYSTEM. This is most probably aimed at disabling the remote access tool 'Nemesis'. This is not necessarily an anti-competitive measure, it well may be an "all traces" clean up before the payload is executed. Payload Renders System UnbootableThe trojan attempts to change the attributes of the files C:oot.ini and C:NTDETECT.COM to ARCHIVE and NORMAL and then delete them. The removal of these files should render the system unbootable on the next attempted reboot.  Analysis by Oleg Petrovsky

Last update 04 October 2019

 

TOP