Malware Information

Malware name: Trojan.Dldr.Small.yko
Type: Trojan
Affected platform: Win32
Media type: application/executable
MD5 checksum: 43FDEE571037AE91EFF094339F374B11
Static file: no
File size: 110,080 Bytes
Alias names (also known as):
  • Sophos: Mal/EncPk-EP
  • McAfee: Downloader-ASH.gen.b
  • CA ETrust: Win32/Bugnraw.AO
Side effects
  • Downloads a malicious file
  • Drops a file
  • Drops malicious files
  • Registry modification
Propagation: No own spreading routine

Description:

Files

It copies itself to the following location:
• %SYSDIR%\lphc1boj0e39c.exe
The following files are created:

– Non malicious file:
• %SYSDIR%\phc1boj0e39c.bmp

– %SYSDIR%\blphc1boj0e39c.scr
Furthermore, it is executed once it has been fully created. Detected as: JOKE/BSOD.B

– %TEMPDIR%\.tt1.tmp.vbs
Furthermore, it is executed once it has been fully created. Detected as: Script.Agent.1002

It tries to download a file:

– The location is the following:
• http://avxp2008.com/images/**********.gif
It is saved on the local hard drive under: %TEMPDIR%\.tt4.tmp
Furthermore, this file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: Trojan.FraudTool.XPAntivirus.MP

Registry

One of the following values is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• lphc1boj0e39c="%SYSDIR%\lphc1boj0e39c.exe"
The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Software Notifier]
• InstallationID="3503dd7f-a0fc-4a9b-9fb3-3256a6dc78ce"

– [HKCU\Software\Sysinternals\Bluescreen Screen Saver]
• EulaAccepted=dword:00000001
The following registry keys are changed:

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• NoDispBackgroundPage=dword:00000001
• NoDispScrSavPage=dword:00000001

– [HKCU\Control Panel\Colors]
New value:
• Background="0 0 255"

– [HKCU\Control Panel\Desktop]
New value:
• WallpaperStyle="0"
• TileWallpaper="0"
• Wallpaper="%SYSDIR%\phc1boj0e39c.bmp"
• OriginalWallpaper="%SYSDIR%\phc1boj0e39c.bmp"
• SCRNSAVE.EXE="%SYSDIR%\blphc1boj0e39c.scr"
• ScreenSaveActive="1"
• ScreenSaveTimeOut="600"

File details

Programming language:
The malware program was written in MS Visual C++.