Win32/Chinoxy [Threat Name] go to Threat

Win32/Chinoxy.E [Threat Variant Name]

Category trojan
Size 106496 B
Detection created Jun 15, 2015
Signature database version 11788
Aliases Trojan.Win32.Chinoxy.a (Kaspersky)
  BackDoor.Dklkt.3 (Dr.Web)
Short description

Win32/Chinoxy.E is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan creates the following files:

  • %temp%\­wumsvc1.cc3
  • %temp%\­NetInst.exe
  • %temp%\­server.dll
  • %temp%\­ndispacket.sys
  • %temp%\­ndispacket.inf
  • %windir%\­Inf\­ndispacket.inf

The trojan registers itself as a system service using the following name:

  • Desktop Agent

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­Nwsapagent]
    • "Config" = "a2lzc3Uud2FpaGFoYS5jb206NDQzfDo4MHw6ODB8fGh0dHA6Ly9ibG9nLnNpbmEuY29tLmNuL3MvYmxvZ19lOTdmYmY2YjAxMDFxMGMwLmh0bWw"
    • "Description" = "NetMeeting Remote Desktop Agent"
    • "DisplayName" = "Desktop Agent"
    • "DllName" = "server.dll"
    • "ErrorControl" = 1
    • "Group" = "GG"
    • "ImagePath" = "%systemroot%\­System32\­svchost.exe -k netsvcs"
    • "ObjectName" = "LocalSystem"
    • "PassWord" = "123"
    • "Remark" = ""
    • "Start" = 2
    • "Type" = 272
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­Nwsapagent\­Parameters]
    • "ServiceDll" =  "%temp%\­service.dll"
    • "ServiceMain" = "%variable%"

A string with variable content is used instead of %variable% .


After the installation is complete, the trojan deletes the original executable file.


The following files are deleted:

  • %temp%\­wumsvc1.cc3
Information stealing

The trojan collects the following information:

  • computer name
  • user name
  • CPU information
  • information about the operating system and system settings
  • installed Microsoft Windows patches
  • memory status
  • computer IP address

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (4) URLs. The HTTP, TCP protocol is used in the communication.

Please enable Javascript to ensure correct displaying of this content and refresh this page.