Virus

W32/Socks4!tr

Analysis

  • The Trojan is 32-bit with a compressed file size of 4,128 bytes
  • The Trojan may have been introduced to the infected system via a web page or an HTML-format email message. In one case, the Trojan is installed by viewing a web page which contains ActiveX code and an object tag -

    <object data=(infectious web page)>

  • When the infectious web page is loaded, it extracts code into an executable file named "llass.exe" on the desktop and runs that file (the Trojan)

  • When the Trojan is run, it may launch Internet Explorer in a hidden window and connect the infected machine to the preconfigured IP address 66.139.77.145; the communication is made through TCP port 80

  • The Trojan then opens a random port number and awaits instructions from a hacker or group of hackers

  • In order for the hacker(s) to know what port the Trojan is listening on, the Trojan connects to the IP address 66.139.77.145, requests a page, and passes the port number as a variable, as in the following example -
    /##.php?s=1239
    where "##" refers to the actual name used and "s=1239" indicates that the Trojan is using port 1239

  • The Trojan will modify the registry to load at Windows startup -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "lar"=(path of Desktop)\llass.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    "lar"=(path of Desktop)\llass.exe

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
    "SLP" = D7, 04, 00, 00, 00, 00, 00, 00

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\
    "SLP" = D7, 04, 00, 00, 00, 00, 00, 00

Recommended Action

  • Block outbound (INT -> EXT) access to the IP address 66.139.77.145
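
An added example (not part of the original analysis): a Python check that scans web proxy logs for the port-reporting request described above and lists the internal hosts that contacted 66.139.77.145, together with the listening port each one reported. The log layout and the sample lines are assumptions constructed for illustration; "NAME" is a placeholder for the page name the analysis gives only as "##".

```python
import re
from urllib.parse import urlsplit, parse_qs

C2_IP = "66.139.77.145"  # preconfigured address from the analysis above

# Assumed (hypothetical) log layout: "<time> <client_ip> <dest_ip> <method> <url>"
# Constructed sample lines; "NAME" stands in for the elided "##" page name.
SAMPLE_LOG = """\
2000-01-01T10:00:01 10.0.0.12 66.139.77.145 GET /NAME.php?s=1239
2000-01-01T10:00:02 10.0.0.15 192.0.2.10 GET /index.php?s=80
2000-01-01T10:00:09 10.0.0.12 66.139.77.145 GET /NAME.php?s=1239
2000-01-01T10:01:30 10.0.0.31 66.139.77.145 GET /NAME.php?s=70000
2000-01-01T10:02:00 10.0.0.40 66.139.77.145 GET /
malformed line
"""

def find_beacons(log_text):
    """Map each client that contacted C2_IP to the ports it reported.

    Returns {client_ip: {"ports": set_of_int, "other_hits": int}}.
    "ports" holds valid values of the "s" variable on *.php requests;
    "other_hits" counts any other request to the same address.
    """
    hosts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != C2_IP:
            continue  # unparsable line or unrelated destination
        client, url = fields[1], fields[4]
        entry = hosts.setdefault(client, {"ports": set(), "other_hits": 0})
        parts = urlsplit(url)
        values = parse_qs(parts.query).get("s", [])
        port = values[0] if len(values) == 1 else ""
        is_php = parts.path.lower().endswith(".php")
        if is_php and re.fullmatch(r"[0-9]{1,5}", port) and 1 <= int(port) <= 65535:
            entry["ports"].add(int(port))  # port the Trojan says it listens on
        else:
            entry["other_hits"] += 1  # still traffic to the address; review it
    return hosts

if __name__ == "__main__":
    for client, info in sorted(find_beacons(SAMPLE_LOG).items()):
        print(client, sorted(info["ports"]), info["other_hits"])
```

A host listed with a reported port can then be checked for a listener on that port and for the "lar" registry values described in the analysis.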