A Trojan that downloads and installs malicious and unwanted applications. The Trojan is installed by the malware program Win32.HLLW.Autoruner2.26762.
If launched with the key –tst, the Trojan creates a mutex that coincides with a file name of its process and goes to infinite sleep mode.
If launched with the key –n79g, the environment is not scanned.
If launched without additional parameters, the Trojan scans the virtual environment and debugging tools. Names of the running processes are checked for the presence of the following matches:
irise.exe IrisSvc.exe wireshark.exe ZxSniffer.exe Regshot.exe ollydbg.exe PEBrowseDbg.exe Syser.exe VBoxService.exe VBoxTray.exe SandboxieRpcSs.exe SandboxieDcomLaunch.exe windbg.exe ollydbg.exe vmtools.exe
The Windows system registry keys are checked:
HKCU\Software\CommView HKLM\SYSTEM\CurrentControlSet\Services\IRIS5 HKCU\Software\eEye Digital Security HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark hklm\SOFTWARE\ZxSniffer HKCU\Software\Win Sniffer HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32 HKCU\Software\Syser Soft hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie HKCU\Software\Classes\Folder\shell\sandbox HKCU\Software\Classes\*\shell\sandbox
If more than three matches are found, the detection is considered successful.
The Trojan checks the system registry branch HKLM\Software\Microsoft\Windows NT\CurrentVersion for ProductID matching the following values:
76487-337-8429955-22614 76487-640-1457236-23837 55274-640-2673064-23950 76487-644-3177037-23510
Meanwhile, the malware program checks the content of the folder %PROGRAMFILES% that does not have more than ten nested folders.
The computer name and a user name are also checked: the name of the computer must not coincide with the value “Sandbox”, and the user name—with the value “CurrentUser”.
Using the function GetModuleFileName, the Trojan checks a full path to a file containing a module which belongs to the current process. The obtained value must not coincide with “C:\file.exe”, “c:\self.exe”, “c:\t.exe”, and “c:\myapp.exe”.
The Trojan checks the presence of the running processes perl.exe or python.exe, and a name of the BIOS manufacturer:
HKLM\HARDWARE\DESCRIPTION\System\BIOS, SystemManufacturer "vmware", "virtual", "vmbox", "oracle"
The Trojan checks the presence of virtualization tools using the instructions SIDT, SGDT, SLDT, SMSW, CPUID and tries to find the window named “OLLYDBG”.
If the detection is successful, the Trojan runs the Explore by using the function ShellExecuteW and terminates itself.
If the Trojan does not find anything suspicious, it saves the file 1.zip on the disk.