Malware Information

Malware name: Trojan.Dldr.Small.aafh
Type: Trojan
Affected platform: Win32
Media type: application/executable
MD5 checksum: 6B50DC99F2CA5E90EF6ECEF9A25C6157
Static file: yes
Filesize: 139,776 Bytes
Alias names (also known as):
  • Sophos: Troj/FakeAle-EF
  • McAfee: Generic FakeAlert.a
  • CA ETrust: Win32/Bugnraw.CC
Side effects:
  • Downloads a malicious file
  • Drops a file
  • Drops malicious files
  • Registry modification
Propagation: No own spreading routine

Description:

Files

It copies itself to the following location:
• %SYSDIR%\lphc1boj0e39c.exe

The following files are created:

– Non malicious file:
• %SYSDIR%\phc1boj0e39c.bmp

– %SYSDIR%\blphc1boj0e39c.scr: this file is executed once it has been fully written. Further investigation showed that this file is malware, too. Detected as: JOKE/BSOD.C

– %TEMPDIR%\.tt1.tmp.vbs: this file is executed once it has been fully written. Further investigation showed that this file is malware, too. Detected as: Script.Agent.1002

It tries to download a file:

– The location is the following:
• http://antivirusxp-08.com/images/1190**********.gif
It is saved on the local hard drive under: %TEMPDIR%\.tt4.tmp and is executed once it has been fully downloaded. Further investigation showed that this file is malware, too.

Registry

One of the following values is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• lphc1boj0e39c="%SYSDIR%\lphc1boj0e39c.exe"

The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Software Notifier]
• InstallationID="9528fec3-f3c9-4201-91c6-ff859a0641b2"

– [HKCU\Software\Sysinternals\Bluescreen Screen Saver]
• EulaAccepted=dword:00000001

The following registry keys are changed:

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• NoDispBackgroundPage=dword:00000001
• NoDispScrSavPage=dword:00000001

– [HKCU\Control Panel\Colors]
New value:
• Background="0 0 255"

– [HKCU\Control Panel\Desktop]
New value:
• WallpaperStyle="0"
• TileWallpaper="0"
• Wallpaper="%SYSDIR%\phc1boj0e39c.bmp"
• OriginalWallpaper="%SYSDIR%\phc1boj0e39c.bmp"
• SCRNSAVE.EXE="%SYSDIR%\blphc1boj0e39c.scr"
• ScreenSaveActive="1"
• ScreenSaveTimeOut="600"

File details

Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.