
Backdoor:Win32/Prisos.A


First posted on 04 February 2009.
Source: SecurityHome

Aliases:

Backdoor:Win32/Prisos.A is also known as Troj/Agent-ICR (Sophos), Trojan.Generic.153545 (BitDefender) and Trojan-Spy.Win32.TianYan.b (Kaspersky).

Explanation:

Win32/Prisos.A is a destructive trojan that has been distributed as a 40,960-byte executable. The trojan's code is not packed or encrypted. This trojan may slow down an affected system's performance and render it unbootable.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    <system folder>\cleanmg.exe
  • The presence of the following registry modification:
    Adds value: winlogon
    With data: "<system folder>\cleanmg.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • The presence of the following registry entry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesA

Installation
When executed, Win32/Prisos.A checks whether the trojan's file name is cleanmg.exe. It also checks for the presence of the following registry key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesA

If only one of these conditions is met, the trojan executes its payload (see below for additional detail). If both conditions are met, the trojan checks whether the file size is exactly 40,960 bytes; if the trojan file does not match this size, the payload is executed. Otherwise, if the file name is not cleanmg.exe and the ProgramFilesA registry key is not found, the trojan installs itself on the affected system. It copies itself to <system folder>\cleanmg.exe and sets the registry to run this copy on every system boot:

    Adds value: winlogon
    With data: "<system folder>\cleanmg.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It also creates the following key, sets it to NONE and exits:

    HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesA

Note that this ProgramFilesA key being set to NONE or TRUE is one of the aforementioned preconditions for executing the payload.

The file name used by the trojan, 'cleanmg.exe', has presumably been chosen so that the trojan may attempt to masquerade as the legitimate cleanmgr.exe program, normally found in the <system folder>. Note the difference in the icons as well as the date modified of both files in the image below.

If the trojan's file name is cleanmg.exe and the HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesA key is set to NONE, the trojan enters an endless loop, scanning the names of open windows. If a name is found to contain one of the following strings, the trojan terminates the program by issuing a "close window" message:

    WINDOWS TASK MANAGER
    REGISTRY
    ANTIHIJACK
    SPYWARE
    SYSTEM CONFIGURATION UTILITY
    ZONE
    DR.WEB
    SMARTDEFENSE

Note that if the trojan finds WINDOWS TASK MANAGER, it attempts to clear the list of applications displayed by Task Manager before terminating Task Manager itself. This is done in an attempt to thwart detection of the trojan process should the attempt to terminate Task Manager fail.

The trojan also counts the number of times certain applications are executed, and if the count exceeds a predefined number, the trojan executes its payload. For instance, Win32/Prisos.A will tolerate the appearance of the REGISTRY and SYSTEM CONFIGURATION UTILITY window names no more than once before proceeding to execute the payload.

If a window name contains "(" followed by ":)", the trojan assumes that it is a file explorer window and proceeds to extract the drive letter from the window text. If the drive letter references a fixed or removable drive, the trojan recursively scans for the file 'nemesis.exe', skipping the SYSTEM, SYSTEM32, PROGRAM FILES, WINDOWS and DOCUMENTS AND SETTINGS folders. Once found, it checks whether the file's resource section contains the string "[N]emesis v03". If so, the trojan overwrites 'nemesis.exe' with a copy of itself and changes the file's attributes to HIDDEN and SYSTEM. This is most probably aimed at disabling the remote access tool 'Nemesis'. It is not necessarily an anti-competitive measure; it may well be an "all traces" clean-up before the payload is executed.

Payload
Renders System Unbootable
The trojan attempts to change the attributes of the files C:\boot.ini and C:\NTDETECT.COM to ARCHIVE and NORMAL and then delete them. The removal of these files should render the system unbootable on the next attempted reboot.
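A defender-side triage routine for the indicators this description lists (the dropped cleanmg.exe, the winlogon Run value, the ProgramFilesA marker key, and the deleted boot files), written as an added example and not code from the original analysis. It runs against a constructed offline host snapshot; the XP-era system folder path, the snapshot layout and every sample file size other than 40,960 are assumptions.

```python
"""Offline triage for the Win32/Prisos.A indicators described above. Runs on a
host snapshot (file path -> size, registry key -> data) rather than the live
registry. Every sample value below is constructed for illustration."""
import ntpath

SYSTEM_FOLDER = r"C:\WINDOWS\system32"  # assumed XP-era layout
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesA"
DROPPED_FILE = ntpath.join(SYSTEM_FOLDER, "cleanmg.exe")
PRISOS_SIZE = 40960  # size quoted in the description
BOOT_FILES = (r"C:\boot.ini", r"C:\NTDETECT.COM")


def check_prisos(files, registry):
    """Return a list of findings; an empty list means no Prisos.A indicator."""
    files = {p.lower(): size for p, size in files.items()}
    findings = []
    # 1. Dropped copy in the system folder. The exact size is a strong hint, but
    #    any cleanmg.exe there is suspicious: the legitimate tool is cleanmgr.exe.
    size = files.get(DROPPED_FILE.lower())
    if size is not None:
        detail = "exact 40,960-byte size" if size == PRISOS_SIZE else f"{size} bytes"
        findings.append(f"dropped file present: {DROPPED_FILE} ({detail})")
    # 2. Run-key persistence pointing at the dropped file (value name 'winlogon').
    for name, data in registry.get(RUN_KEY, {}).items():
        if ntpath.basename(data.strip('"')).lower() == "cleanmg.exe":
            findings.append(f"Run persistence: {RUN_KEY}\\{name} = {data}")
    # 3. Marker key the trojan creates and sets to NONE (or TRUE).
    if MARKER_KEY in registry:
        findings.append(f"marker key present: {MARKER_KEY} = {registry[MARKER_KEY]}")
    # 4. Payload evidence: boot files gone. Reported only alongside another
    #    indicator, since later Windows versions do not ship these files at all.
    missing = [f for f in BOOT_FILES if f.lower() not in files]
    if findings and missing:
        findings.append("payload likely ran, boot files missing: " + ", ".join(missing))
    return findings


# Constructed snapshots: an infected XP host, and a clean one holding only the
# genuine cleanmgr.exe (every size except 40960 is made up).
INFECTED = (
    {DROPPED_FILE: 40960, r"C:\WINDOWS\system32\cleanmgr.exe": 63488},
    {RUN_KEY: {"winlogon": f'"{DROPPED_FILE}"'}, MARKER_KEY: "NONE"},
)
CLEAN = (
    {r"C:\WINDOWS\system32\cleanmgr.exe": 63488, r"C:\boot.ini": 211, r"C:\NTDETECT.COM": 47564},
    {RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}},
)
```

`check_prisos(*INFECTED)` returns all four findings in order, while `check_prisos(*CLEAN)` returns an empty list because the genuine cleanmgr.exe and the present boot files trigger nothing.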

Analysis by Oleg Petrovsky

Last update 04 February 2009
