Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Malware Information Pages: Trojan-Downloader:W32/Injecter.GX
[Summary] | [Disinfection] | [Detailed Description] | [Detection]

Name : Trojan-Downloader:W32/Injecter.GX
Alias:Trojan-Downloader.Win32.Injecter.gx
Size:21504
Type:Trojan-Downloader
Category:Malware
Platform:W32
Date of Discovery:February 27, 2008
Radar

Summary
Injecter.GX is a trojan-downloader.

A trojan-downloader is usually a standalone program that attempts to silently download and run other files from remote Web and FTP sites.
Back to the Top

Disinfection

Trojan-Downloader
Back to the Top

Detailed Description
Injecter.GX attempts to downloads files from:

  • http://88.255.[Removed]/e521.gif
  • http://88.255.[Removed]/e514.gif
  • http://88.255.[Removed]/e509.gif

It drops the downloaded files to the following location:

  • %windir%\system32\cdmk.dll
  • %temp%\dm4.exe

Injecter.GX also drops a DLL file from itself to the default temp folder which uses a name of tmp2.tmp. The file appears to be the downloader component itself.

The malware also creates a temp file called _vdmstmsnd_.dat.

It also attempts to send out information by performing the following command:

  • HTTP GET http://85.255.[Removed]/count.php?u=346&e=521&r=1

It searches for a process named teatimer.exe. It will attempt to terminate the process if discovered.

The malware uses a mutex named STDP117.

To ensure that the malware starts with Windows, it copies the malware file to:

  • C:\Documents and Settings\All Users\Start Menu
    \Programs\Startup\msupd[number].exe

Note: [number] is random.

The malware creates the following registry entries:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PUID
    UID = 6727150054040000de564349
    (Seems to be some kind of hash of the victim's computer.)
    UID2 = trojan.exe
    (Filename of the malware on execution.)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\PUID\set
    thPCvzSYyScLKSRaW3l3jquJRD382MNqz3P4yEfx = "mult"
    thPCvzSYyScLKSRaW3l3jquJRD382MNqzHb4yEfx = "mult"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
    \Session Manager PendingFileRenameOperations ="
    \??\C:\Samples\trojan.exe.1
    \??\C:\Documents and Settings\All Users\Start Menu\
    Programs\Startup\msupd43616.exe"
Back to the Top

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2008-02-27_01.
Back to the Top



F-Secure Corporation

Last Modified: February 28, 2008