How a trojan installs

I've often wondered, but have never been able to test and watch how a trojan installs until today, when I had the opportunity to run a file that unpacked a trojan. It was on a freeware site I was told about, that had a reputation for bundling adware and other stuff with the freeware. At the time, I did not know what was going to happen.

First, I downloaded the file. I had to turn off my execution protection (Anti-Executable) so that the file could download.

Then, I re-enabled the execution protection, executed the file, and AE blocked the unpacking of another file, msmsg.exe.

Searching for msmsg.exe I discovered the reference to Trojan.Zlob.B.

Then I disabled execution protection and let the file complete its installation, and it installed msmsgs.exe:
----------------------------
C:\WINNT\system32\msmsgs.exe
----------------------------

and immediately my firewall alerted/blocked an outbound attempt:
-----------------------------------------------------------------
25/Aug/2005 13:17:52 Rule: Deny Windows Explorer blocked; Out TCP;
localhost:1035->xx.xxx.xxx.xx:80; Owner: C:\WINNT\EXPLORER.EXE
-----------------------------------------------------------------


I found these Registry Entries:
-----------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RegSvr32/C:\WINNT\system32\msmsgs.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"notepad.exe"="msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"uuid"="7dc713f1-ec56-4750-993d-42b05e117d64"
-----------------------------------------------------------------

This behavior is described here:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.zlob.b.html

Recently, this Trojan.Zlob.B was referenced at

https://www.wilderssecurity.com/showthread.php?t=94506

https://www.wilderssecurity.com/showthread.php?t=86367


Another reference to this and adware trojans pointed out that the constant slight changing of the code allows them to be undetectable until the detection program database is updated. The cat and mouse game.

How does the user respond to an alert like I received?

I would always be suspicious that a program would unpack another .exe file

But, not always easy to make those decisions.

At least, the trojan would be blocked from loading until the user could decide whether or not to permit the installation to complete.



-rich
________________
~~Be ALERT!!! ~~

 

I am aware of the website that trojan is found at. Believe me it looks like a legitimate website.

The website makes you think it is a legitimate codec with wording like this:

"Program x" is a multimedia compressor/decompressor which registers into the Windows collection of multimedia drivers and integrates with any application using DirectShow and Microsoft Video for Windows. "program x" will highly increase quality of video files you play."

There are some websites that have "must see" videos on them that refers to the website where this trojan is found. Usually the video website will say something to the effect "best viewed with these codecs" and links to the site where the trojan is found.

The reason why this website is so dangerous is because it really looks legit to the average user. This website might even fool people that trust too much in their AV. AV's like KAV and NOD only sometimes detects the trojan on the website. Almost as soon as they add detection....the website makes the trojan undetectable again.

This website might fool people that trust too much in their HIPS. The application looks legit. The PG alert pops-up....you click through because you want to view the video using these new codecs....U know how we on Wilders expirement. We want better performance and this site makes all sorts of claims of performance improvement.....next thing you know malware on the computer.

The question now is....Did the HIPS fail or the operator fail?





Starrob

 

Hey Rich

I was just wondering how you found those file and registry entries ? (edit : Sorry, reread, I see how you found the exe, so just curious about the reg entries)

It got me to thinking, Online Armor tracks installation, and it shouldn't be too hard to produce a simple report stating :

1. if a program installed anything outside it's installation directory
2. registry changes, with autorun entries highlighted

I put a post in the 'Has anyone heard of Online Armor' thread in relation to this thought, but was still curious how you found them all (manually, or by other means, eg Winpatrol, or some registry program).

 

perhaps you could give us a clue as to which freeware site and which program, i frequent a number of freeware sites and am always downloading bits and pieces of AV?

if this is a rogue freeware site it should be exposed and shutdown.

 

When the alert box pops up blocking the unpacking of the .exe, it shows the filename and the directory where it's attempting to install.

I searched the Registry for that filename (msmsgs.exe), The 'uuid' entry I found later after reading about the trojan on the Symantec site.


-rich
________________
~~Be ALERT!!! ~~

 

As you know, Wilders does not permit posting links to sites with malware. You can understand why - if a user's AV/AT didn't catch it, and if there weren't other safeguards in place, it could be messy.

regards,

-rich
________________
~~Be ALERT!!! ~~

 

some of the most common places you will find a trojan!!

system.ini [boot] ,msconfig shell=explorer.exe

win.ini [windows] ,msconfig run=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="