F-Secure
Tools
Trojan-Downloader:W32/Injecter.GX
Summary
Injecter.GX is a trojan-downloader.
A trojan-downloader is usually a standalone program that attempts to silently download and run other files from remote Web and FTP sites.
A trojan-downloader is usually a standalone program that attempts to silently download and run other files from remote Web and FTP sites.
Disinfection
Additional Details
Injecter.GX attempts to downloads files from:
It drops the downloaded files to the following location:
Injecter.GX also drops a DLL file from itself to the default temp folder which uses a name of tmp2.tmp. The file appears to be the downloader component itself.
The malware also creates a temp file called _vdmstmsnd_.dat.
It also attempts to send out information by performing the following command:
It searches for a process named teatimer.exe. It will attempt to terminate the process if discovered.
The malware uses a mutex named STDP117.
To ensure that the malware starts with Windows, it copies the malware file to:
Note: [number] is random.
The malware creates the following registry entries:
- http://88.255.[Removed]/e521.gif
- http://88.255.[Removed]/e514.gif
- http://88.255.[Removed]/e509.gif
It drops the downloaded files to the following location:
- %windir%\system32\cdmk.dll
- %temp%\dm4.exe
Injecter.GX also drops a DLL file from itself to the default temp folder which uses a name of tmp2.tmp. The file appears to be the downloader component itself.
The malware also creates a temp file called _vdmstmsnd_.dat.
It also attempts to send out information by performing the following command:
- HTTP GET http://85.255.[Removed]/count.php?u=346&e=521&r=1
It searches for a process named teatimer.exe. It will attempt to terminate the process if discovered.
The malware uses a mutex named STDP117.
To ensure that the malware starts with Windows, it copies the malware file to:
- C:\Documents and Settings\All Users\Start Menu
\Programs\Startup\msupd[number].exe
Note: [number] is random.
The malware creates the following registry entries:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PUID
UID = 6727150054040000de564349
(Seems to be some kind of hash of the victim's computer.)
UID2 = trojan.exe
(Filename of the malware on execution.) - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PUID\set
thPCvzSYyScLKSRaW3l3jquJRD382MNqz3P4yEfx = "mult"
thPCvzSYyScLKSRaW3l3jquJRD382MNqzHb4yEfx = "mult" - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\Session Manager PendingFileRenameOperations ="
\??\C:\Samples\trojan.exe.1
\??\C:\Documents and Settings\All Users\Start Menu\
Programs\Startup\msupd43616.exe"
Detection
F-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version]
Version = 2008-02-27_01.