Trojan-Dropper:W32/Ambler.D

Name: Trojan-Dropper:W32/Ambler.D
Detection Names: Trojan-Dropper.Win32.Agent.absn
Aliases: TrojanDropper:Win32/Ambler.A (Microsoft)
Size: 52736
Category: Malware
Type: Trojan-Dropper
Platform: W32

Summary

This type of trojan contains one or more malicious programs, which it will secretly install and execute.

Details


File System Changes
Creates these files:

  • %windir%\system32\edl.dat
  • %windir%\system32\svchstb.dll
  • %windir%\system32\bb1.dat
  • %windir%\system32\rc.dat
  • %windir%\system32\ps1.dat
  • %windir%\system32\alog.txt


Modifies these files:

  • %windir%\system32\alog.txt



Registry Modifications
Sets these values:

  • [HKLM\Software\MRSoft] LN = X]HCX_IOGG
  • [HKLM\Software\MRSoft] CODIGO = lVUVST' T:...':#'"v:VV%#:%T%'.U"'VR .j
  • [HKLM\Software\Classes\CLSID\{ABADC07C-9990-405a-AA24-2C209B50AE79}] @ = Rmn plugin
  • [HKLM\Software\Classes\CLSID\{ABADC07C-9990-405a-AA24-2C209B50AE79}\TypeLib] @ = {0017825A-A697-488f-84AA-b7CEE2A02333}
  • [HKLM\Software\Classes\CLSID\{ABADC07C-9990-405a-AA24-2C209B50AE79}\ProgID] @ = RITLAB.1
  • [HKLM\Software\Classes\CLSID\{ABADC07C-9990-405a-AA24-2C209B50AE79}\InprocServer32] @ = svchstb.dll
  • [HKLM\Software\MRSoft\P] N = [random_number]
  • [HKCU\Software\Microsoft\Internet Explorer\Main] Enable Browser Extensions = yes


Creates these keys:

  • HKLM\Software\MRSoft
  • HKLM\Software\MRSoft\P
  • HKLM\Software\Classes\CLSID\{ABADC07C-9990-405a-AA24-2C209B50AE79}
  • HKLM\Software\Classes\CLSID\{ABADC07C-9990-405a-AA24-2C209B50AE79}\InprocServer32
  • HKLM\Software\Classes\CLSID\{ABADC07C-9990-405a-AA24-2C209B50AE79}\ProgID
  • HKLM\Software\Classes\CLSID\{ABADC07C-9990-405a-AA24-2C209B50AE79}\TypeLib
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABADC07C-9990-405a-AA24-2C209B50AE79}
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{ABADC07C-9990-405A-AA24-2C209B50AE79}
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\{ABADC07C-9990-405A-AA24-2C209B50AE79}\iexplore


Additional Details

This malware drops a malicious file that steals credentials from Internet banking websites.

Installation

The following component is injected into the iexplore.exe (Internet Explorer) process:

  • %windir%\system32\svchstb.dll

The injected code is registered as an Internet Explorer Browser Helper Object (BHO) under the CLSID listed above. This injected DLL is the main component: it is what allows the malware to steal passwords from Internet Explorer's auto-complete password cache.

The malware also attempts to connect to a remote server and download files:

  • http://vcounter.cn/[...]/cd.php?userid=[random_number]
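The file, registry and BHO artifacts listed above can be checked on a suspect host in one pass. The following read-only triage script is an added example, not part of the original description or any vendor tool; it assumes an elevated PowerShell session on the affected machine, uses only the indicator values given on this page, and its output format is its own.

```powershell
# Added example: read-only check of a Windows host for the Ambler.D artifacts
# described on this page. Assumes an elevated PowerShell session. The CLSID,
# file names and registry keys are the ones listed in the description.

$Clsid = '{ABADC07C-9990-405a-AA24-2C209B50AE79}'
$Sys32 = Join-Path $env:windir 'system32'

# Files the dropper creates (from the description).
$DroppedFiles = 'edl.dat', 'svchstb.dll', 'bb1.dat', 'rc.dat', 'ps1.dat', 'alog.txt' |
    ForEach-Object { Join-Path $Sys32 $_ }

# Registry keys the dropper creates (from the description), in provider syntax.
$DroppedKeys = @(
    'HKLM:\Software\MRSoft',
    'HKLM:\Software\MRSoft\P',
    "HKLM:\Software\Classes\CLSID\$Clsid",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\$Clsid"
)

$Findings = @()

# 1. Dropped files, with size and modification time for the incident timeline.
foreach ($f in $DroppedFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f
        $Findings += [pscustomobject]@{
            Type      = 'File'
            Indicator = $f
            Detail    = 'size={0} mtime={1}' -f $item.Length, $item.LastWriteTime
        }
    }
}

# 2. Registry keys created by the dropper.
foreach ($k in $DroppedKeys) {
    if (Test-Path -LiteralPath $k) {
        $Findings += [pscustomobject]@{ Type = 'RegistryKey'; Indicator = $k; Detail = '' }
    }
}

# 3. The BHO registration: InprocServer32's default value names the DLL that
#    Internet Explorer will load into every iexplore.exe instance.
$Inproc = "HKLM:\Software\Classes\CLSID\$Clsid\InprocServer32"
if (Test-Path -LiteralPath $Inproc) {
    $dll = (Get-ItemProperty -LiteralPath $Inproc).'(default)'
    $Findings += [pscustomobject]@{ Type = 'BHO'; Indicator = $Inproc; Detail = "InprocServer32=$dll" }
}

# 4. Is svchstb.dll currently loaded in a running Internet Explorer process?
#    Module enumeration can fail across 32/64-bit boundaries, so errors are tolerated.
foreach ($p in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    try {
        $mod = $p.Modules | Where-Object { $_.ModuleName -ieq 'svchstb.dll' }
        if ($mod) {
            $Findings += [pscustomobject]@{
                Type      = 'LoadedModule'
                Indicator = "iexplore.exe PID $($p.Id)"
                Detail    = $mod.FileName
            }
        }
    } catch { }
}

# 5. The IE setting the dropper sets so that BHOs are loaded at all. This is a
#    legitimate setting and its default is already 'yes', so it is reported only
#    as supporting context, never as evidence on its own.
$IeMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ext = (Get-ItemProperty -LiteralPath $IeMain -ErrorAction SilentlyContinue).'Enable Browser Extensions'
if ($ext -eq 'yes' -and $Findings.Count -gt 0) {
    $Findings += [pscustomobject]@{ Type = 'Setting (context)'; Indicator = "$IeMain\Enable Browser Extensions"; Detail = $ext }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Ambler.D indicators found on this host.'
} else {
    $Findings | Format-Table -AutoSize
}
```

A hit on any File, RegistryKey, BHO or LoadedModule row is strong evidence of this dropper; the script deliberately does not delete or modify anything, so the artifacts (in particular alog.txt, which the malware writes to, and the per-victim N value under HKLM\Software\MRSoft\P) can be preserved before cleanup. The remote server name from the download URL above is the indicator to search for in proxy or DNS logs for the same host.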