Win32/AntiAV [Threat Name]
Win32/AntiAV.NBD [Threat Variant Name]
Category | trojan
Size | 37888 B
Aliases | Trojan-Downloader.Win32.Geral.agh (Kaspersky), Trojan.Dropper (Symantec), Generic.Dropper!db (McAfee)
Short description
The trojan tries to download and execute several files from the Internet. The trojan terminates various security-related applications. The file is run-time compressed using UPX.
Installation
When executed, the trojan copies itself into the following location:
- %system%\scvhost.exe (37888 B)
The trojan creates the following files:
- %windir%\tete%random1%t.dll (44688 B)
- %windir%\extext%random2%t.exe (11264 B)
- %system%\drivers\pcidump.sys (11904 B)
- %system%\drivers\aec.sys (2048 B)
- %system%\drivers\asyncmac.sys (2816 B)
%random1% and %random2% each represent a random number.
The trojan installs the following system drivers:
- %system%\drivers\pcidump.sys
- %system%\drivers\aec.sys
- %system%\drivers\asyncmac.sys
The following Registry entries are deleted:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "RsTray" = "%system%\scvhost.exe"
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe]
- "360Safebox.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
- "360tray.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe]
- "AgentSvr.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiarp.exe]
- "antiarp.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
- "avp.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
- "bdagent.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe]
- "ccapp.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
- "CCenter.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe]
- "ccEvtMgr.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe]
- "ccSetMgr.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]
- "ccSvcHst.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe]
- "defwatch.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrUpdate.exe]
- "DrUpdate.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
- "egui.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
- "ekrn.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe]
- "engineserver.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrameworkService.exe]
- "FrameworkService.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe]
- "KavStart.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe]
- "KISSvc.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe]
- "kmailmon.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe]
- "KPFW32.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe]
- "KPfwSvc.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe]
- "KVSrvXP.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
- "KWatch.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe]
- "livesrv.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.exe]
- "LiveUpdate360.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe]
- "mcagent.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe]
- "mcinsupd.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe]
- "mcmscsvc.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe]
- "mcnasvc.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe]
- "McProxy.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe]
- "mcshell.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe]
- "mcshield.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe]
- "mcsysmon.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McTray.exe]
- "McTray.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe]
- "mcupdmgr.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe]
- "mfeann.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfevtps.exe]
- "mfevtps.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe]
- "MpfSrv.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe]
- "MPMon.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe]
- "MPSVC.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe]
- "MPSVC1.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe]
- "MPSVC2.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe]
- "naPrdMgr.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
- "QQDoctor.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe]
- "QQDoctorRtp.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
- "Rav.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
- "RavMon.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
- "RavMonD.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe]
- "RavStub.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
- "RavTask.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegGuide.exe]
- "RegGuide.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]
- "rfwsrv.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe]
- "RsAgent.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe]
- "rsnetsvr.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rssafety.exe]
- "rssafety.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe]
- "RsTray.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe]
- "rtvscan.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]
- "safeboxTray.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe]
- "ScanFrm.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe]
- "SHSTAT.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udaterui.exe]
- "udaterui.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uplive.exe]
- "Uplive.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe]
- "vptray.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe]
- "vsserv.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vstskmgr.exe]
- "vstskmgr.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe]
- "xcommsvr.exe" = "svchost.exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AEC\0000\Control]
- "*NewlyCreated*" = 0
- "ActiveService" = "aec"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AEC\0000]
- "Service" = "aec"
- "Legacy" = 1
- "ConfigFlags" = 0
- "Class" = "LegacyDriver"
- "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- "DeviceDesc" = "RCT"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AEC]
- "NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASYNCMAC\0000\Control]
- "*NewlyCreated*" = 0
- "ActiveService" = "AsyncMac"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASYNCMAC\0000]
- "Service" = "AsyncMac"
- "Legacy" = 1
- "ConfigFlags" = 0
- "Class" = "LegacyDriver"
- "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- "DeviceDesc" = "RAS Asynchronous Media Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASYNCMAC]
- "NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control]
- "*NewlyCreated*" = 0
- "ActiveService" = "pcidump"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000]
- "Service" = "pcidump"
- "Legacy" = 1
- "ConfigFlags" = 0
- "Class" = "LegacyDriver"
- "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- "DeviceDesc" = "pcidump"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP]
- "NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec\Enum]
- "0" = "Root\LEGACY_AEC\0000"
- "Count" = 1
- "NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec\Security]
- "Security" = %hex_value%
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec]
- "Type" = 1
- "Start" = 3
- "ErrorControl" = 0
- "ImagePath" = "%system%\drivers\aec.sys"
- "DisplayName" = "RCT"
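The Image File Execution Options entries above redirect each listed security product to svchost.exe, so the product silently fails to start. An added defender-side check (not part of this page or of any vendor tool) that parses a `reg export` of the IFEO key and flags every per-executable subkey whose string value names an executable, which covers both the standard "Debugger" form and the `"<exe>" = "svchost.exe"` form recorded for this variant. The sample export text is constructed.

```python
import re

# Constructed sample in the shape `reg export` writes: two entries of the kind this
# variant creates, plus a benign GlobalFlag entry that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"avp.exe"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

IFEO_PREFIX = "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_value}}.
    Only the simple '"name"=...' value lines are needed here; '@=' defaults are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw.strip('"')
    return keys


def ifeo_hijacks(text):
    """Return (target_exe, value_name, value) for IFEO subkeys that redirect to an executable."""
    hits = []
    for key, values in parse_reg(text).items():
        idx = key.lower().find(IFEO_PREFIX.lower())
        if idx < 0:
            continue
        target = key[idx + len(IFEO_PREFIX):]
        if "\\" in target:          # deeper subkeys (e.g. PerfOptions) are not the hijack point
            continue
        for name, val in values.items():
            if val.lower().endswith(".exe"):   # a Debugger-style redirect, whatever the value is named
                hits.append((target, name, val))
    return hits
```

Any hit whose value is svchost.exe (or another executable that cannot act as a debugger) is a strong indicator of this family's anti-AV tampering and should be removed after the malicious binary itself is dealt with.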
Information stealing
The trojan collects the following information:
- network adapter information
- malware version
- operating system version
The trojan can send the information to a remote machine. The HTTP protocol is used.
Other information
The trojan terminates processes with any of the following strings in the name:
- .norton2009Reset
- avp
- LIVESRV
- McAfeeEngineService
- McAfeeFramework
- McShield
- McTaskManager
- mfevtp
- MPSVCService
- Norton AntiVirus
- RavCCenter
- RavTask
- RavTray
- RfwCCenter
- RfwService
- RfwTask
- RsRavMon
- RsScanSrv
- scan
- VSSERV
- XCOMM
The trojan launches the following processes:
- cmd /c net stop wscsvc
- cmd /c net stop SharedAccess
- cmd /c sc config sharedaccess start= disabled
- cmd /c cacls %system% /e /p everyone:f
- cmd /c cacls %temp% /e /p everyone:f
- cmd /c sc config KwatchSvc start= disabled
- cmd /c sc config kaccore start= disabled
- cmd /c sc config KISSvc start= disabled
- cmd.exe /c taskkill.exe /im KwatchSvc.exe /f
- cmd.exe /c taskkill.exe /im KwatchSvc.exe /f
- cmd /c sc config ekrn start= disabled
- cmd.exe /c taskkill.exe /im ekrn.exe /f
- cmd.exe /c taskkill.exe /im egui.exe /f
- cmd.exe /c taskkill.exe /im avp.exe /f
- taskkill /f /t /im avp.exe
- sc config avp start= disabled
- %system%\rundll32.exe %windir%\tete%random1%t.dll, testall
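The process list above is a compact tampering sequence: stopping the Security Center and firewall services, disabling security services, opening the ACL on the system directory, killing AV processes, and loading the dropped DLL through rundll32. An added detection sketch (not part of this page or of any vendor product) that classifies process command lines against those patterns and raises a verdict when several distinct tampering actions appear together. The command-line sample, the resolved paths and the thresholds are constructed.

```python
import re

# Constructed sample of command lines as a process-creation log would record them,
# mixing this variant's commands with ordinary administrative activity.
SAMPLE_CMDLINES = [
    "cmd /c net stop wscsvc",
    "cmd /c sc config sharedaccess start= disabled",
    r"cmd /c cacls C:\WINDOWS\system32 /e /p everyone:f",
    "cmd.exe /c taskkill.exe /im avp.exe /f",
    "taskkill /f /t /im avp.exe",
    r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\tete4821t.dll, testall",
    "net stop spooler",              # benign: not a security service
    "taskkill /im notepad.exe /f",   # benign: not a security product
]

SECURITY_SERVICES = {"wscsvc", "sharedaccess", "kwatchsvc", "kaccore", "kissvc", "ekrn", "avp"}
AV_PROCESSES = {"avp.exe", "egui.exe", "ekrn.exe", "kwatchsvc.exe"}

# (rule name, pattern, extra check on the match)
RULES = [
    ("security_service_stop", re.compile(r"\bnet\s+stop\s+(\S+)", re.I),
     lambda m: m.group(1).lower() in SECURITY_SERVICES),
    ("security_service_disabled", re.compile(r"\bsc\s+config\s+(\S+)\s+start=\s*disabled", re.I),
     lambda m: m.group(1).lower() in SECURITY_SERVICES),
    ("av_process_killed", re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I),
     lambda m: m.group(1).lower() in AV_PROCESSES),
    ("system_dir_acl_opened", re.compile(r"\bcacls\b.*?/p\s+everyone:f", re.I), lambda m: True),
    ("rundll32_unusual_export", re.compile(r"\brundll32(?:\.exe)?\s+\S+\\tete\d+t\.dll\s*,\s*testall", re.I),
     lambda m: True),
]


def classify(cmdline):
    """Return the first rule name that matches the command line, or None."""
    for name, pattern, check in RULES:
        m = pattern.search(cmdline)
        if m and check(m):
            return name
    return None


def scan(cmdlines):
    """List (rule, cmdline) for every command line that matches a tampering rule."""
    return [(classify(c), c) for c in cmdlines if classify(c)]


def tamper_verdict(cmdlines, min_distinct=3):
    """Alert when at least min_distinct different tampering actions are seen in the batch."""
    names = sorted({n for n, _ in scan(cmdlines)})
    return len(names) >= min_distinct, names
```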
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of one URL. It tries to download several files from that address.
These are stored in the following locations:
- %filepath%
A string with variable content is used instead of %filepath%.
The files are then executed.
The trojan may create the following files:
- %system%\drivers\12youxllsdfierjiernmnsdf.txt
- %temp%\afc90a.bat