1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content




Trojan-Downloader:W32/Injecter.GX

Name : Trojan-Downloader:W32/Injecter.GX
Size:21504
Category:Malware
Type:Trojan-Downloader
Platform:W32
Date of Discovery:February 27, 2008

Summary

Injecter.GX is a trojan-downloader.

A trojan-downloader is usually a standalone program that attempts to silently download and run other files from remote Web and FTP sites.

Disinfection

Additional Details

Injecter.GX attempts to downloads files from:

  •  http://88.255.[Removed]/e521.gif
  •  http://88.255.[Removed]/e514.gif
  •  http://88.255.[Removed]/e509.gif

It drops the downloaded files to the following location:

  •  %windir%\system32\cdmk.dll
  •  %temp%\dm4.exe

Injecter.GX also drops a DLL file from itself to the default temp folder which uses a name of tmp2.tmp. The file appears to be the downloader component itself.

The malware also creates a temp file called _vdmstmsnd_.dat.

It also attempts to send out information by performing the following command:

  •  HTTP GET http://85.255.[Removed]/count.php?u=346&e=521&r=1

It searches for a process named teatimer.exe. It will attempt to terminate the process if discovered.

The malware uses a mutex named STDP117.

To ensure that the malware starts with Windows, it copies the malware file to:

  •  C:\Documents and Settings\All Users\Start Menu
    \Programs\Startup\msupd[number].exe

Note: [number] is random.

The malware creates the following registry entries:

  •  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PUID
    UID = 6727150054040000de564349
    (Seems to be some kind of hash of the victim's computer.)
    UID2 = trojan.exe
    (Filename of the malware on execution.)
  •  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PUID\set
    thPCvzSYyScLKSRaW3l3jquJRD382MNqz3P4yEfx = "mult"
    thPCvzSYyScLKSRaW3l3jquJRD382MNqzHb4yEfx = "mult"
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
    \Session Manager PendingFileRenameOperations ="
    \??\C:\Samples\trojan.exe.1
    \??\C:\Documents and Settings\All Users\Start Menu\
    Programs\Startup\msupd43616.exe"

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2008-02-27_01.