Virus

W32/Sectho.C!tr

Analysis


Specifics
The Trojan downloads adware components from numerous web addresses, including these -

146.82.109.210
199.221.131.110
206.252.133.205
209.202.248.103
216.127.90.68
216.177.81.230
69.28.208.77
69.28.210.150
69.90.32.141
81.52.249.158
www.2nd-thought.com

The Sectho.C Trojan connects to multiple web addresses in an attempt to deliver a cocktail of adware components. Many of these components, when run, modify the registry so that they load at the next Windows startup.


Loading At Windows Startup
If the Trojan is run, it may install itself to the Windows system folder and modify the registry so that it is auto-run at the next Windows startup, as in this example -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"stcloader" = C:\WINNT\System32\stcloader.exe

The file "stcloader.exe" runs as a resident process. It repeatedly contacts various websites and downloads executable files; these executable files deliver ad content to the compromised system. Below is a list of possible auto-run entries created as a result of downloading and running the adware components of this Trojan -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TB_setup" = tb_setup.exe /dcheck
"VCJQXELSZ" = C:\WINNT\VCJQXELSZ.exe
"version" = C:\WINNT\System32\manage.exe
"WinEssential" = C:\WINNT\System32\keyword.exe
"ClrSchLoader" = C:\Program Files\ClearSearch\Loader.exe
"msbb" = C:\Program Files\STC\msbb.exe
"RunDLL" = rundll32.exe "C:\WINNT\System32\bridge.dll",Load
"SAHAgent" = C:\WINNT\System32\SahAgent.exe
"slmss" = C:\Program Files\Common Files\slmss\slmss.exe
"SQConfigChecker" = C:\Program Files\Sqwire\cc.exe
"SQUpdatesChecker" = C:\Program Files\Sqwire\uc.exe
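The auto-run values above are the host-side indicators an analyst would check first. The following script is an added example (not part of this page's original analysis and not Fortinet tooling): it parses the text that "reg query" prints for the Run key (assumed layout: value name, type and data separated by runs of spaces) and matches each entry against the image paths listed on this page. It matches on the image path rather than the value name, because names such as "version" and "RunDLL" are generic enough to appear on clean systems, and it unwraps the rundll32 "...",Load form so the DLL being loaded is what gets checked. The sample registry dump is constructed and includes two benign look-alikes.

```python
import re
from typing import List, Tuple

# Image paths taken from the auto-run entries listed on this page, lower-cased.
# Entries with a generic basename keep their parent folder so they do not
# match unrelated software.
SECTHO_IMAGE_IOCS = [
    r"stcloader.exe",
    r"tb_setup.exe",
    r"vcjqxelsz.exe",
    r"system32\manage.exe",        # registered under the generic value name "version"
    r"system32\keyword.exe",       # "WinEssential"
    r"clearsearch\loader.exe",
    r"msbb.exe",
    r"system32\bridge.dll",        # loaded through rundll32 "...",Load
    r"sahagent.exe",
    r"slmss.exe",
    r"sqwire\cc.exe",
    r"sqwire\uc.exe",
]

# Constructed sample in the layout "reg query <key>" prints (assumed here).
# The "version" and "Example Agent" values are benign: a name-only check would
# flag the first and miss nothing useful about the second.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    stcloader    REG_SZ    C:\WINNT\System32\stcloader.exe
    RunDLL    REG_SZ    rundll32.exe "C:\WINNT\System32\bridge.dll",Load
    ClrSchLoader    REG_SZ    C:\Program Files\ClearSearch\Loader.exe
    TB_setup    REG_SZ    tb_setup.exe /dcheck
    version    REG_SZ    C:\Program Files\Vendor\version.exe
    Example Agent    REG_SZ    "C:\Program Files\Example\agent.exe" -background
"""

_VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
_RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,', re.IGNORECASE)
_IMAGE_RE = re.compile(r'^"?(?P<img>[^"]*?\.(?:exe|dll|scr|com))\b', re.IGNORECASE)


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Return (value name, type, data) for each value line of reg query output."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"].strip()))
    return entries


def image_path(data: str) -> str:
    """Extract the executable or DLL actually loaded from a Run value's data.

    Handles the rundll32 "<dll>",<entry> form, quoted paths and trailing
    arguments; unquoted paths containing spaces are cut at the first .exe/.dll.
    """
    data = data.strip()
    m = _RUNDLL_RE.match(data)
    if m:
        return m["dll"].strip()
    m = _IMAGE_RE.match(data)
    return m["img"] if m else data


def match_iocs(entries, iocs=SECTHO_IMAGE_IOCS):
    """Return (value name, normalized image path, matched IOC) for suspect entries."""
    hits = []
    for name, _type, data in entries:
        img = image_path(data).lower().replace("/", "\\")
        for ioc in iocs:
            # Require a path-component boundary so "notstcloader.exe" is not a hit.
            if img == ioc or img.endswith("\\" + ioc):
                hits.append((name, img, ioc))
                break
    return hits


if __name__ == "__main__":
    for name, img, ioc in match_iocs(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{name!r} -> {img}  (matches {ioc})")
```

On a live system, feed the script the output of "reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" (and the HKCU key, which the adware components may also use); a match on the image path is a stronger signal than the value name alone, and a hit on stcloader.exe should prompt a check for the rest of the list since the loader keeps fetching new components.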

Web Delivery Of Adware Components
The Trojan first downloads an adware component from 2nd-thought.com as "stcloader.exe" and executes it. This adware application then repeatedly connects to various websites, downloads executable files, and runs them. This is done without the user's consent, with the exception of one dialogue box asking if the user would like to install something from "The Good Download Corp.".

The Trojan uses a plain HTTP GET request to retrieve binary files from web servers associated with pop-up ad delivery. Once retrieved, the binary is executed; in many cases this installs the downloaded component as an Internet Explorer Browser Helper Object (BHO).
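Because the components arrive over plain HTTP GET, the download chain is visible in a web proxy log. The following script is an added example (not part of this page's analysis and not a FortiGate feature): it parses lines in Squid's native access.log layout (assumed here: time, elapsed, client, result/status, bytes, method, URL, user, hierarchy/peer, content type) and flags requests whose URL host or resolved peer address is on this page's list. Checking the peer address as well as the URL host matters because most of the listed sources are raw IPs, and a download from an unlisted hostname that resolves to one of them would otherwise be missed. The log lines are constructed; the client address and the unlisted hostnames are placeholders.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Download sources reproduced from the address list on this page.
SECTHO_HOSTS = {
    "146.82.109.210", "199.221.131.110", "206.252.133.205", "209.202.248.103",
    "216.127.90.68", "216.177.81.230", "69.28.208.77", "69.28.210.150",
    "69.90.32.141", "81.52.249.158", "www.2nd-thought.com",
}

# Content types a plain GET of a Win32 binary commonly comes back with.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Squid native access.log layout (assumed):
# time elapsed client result/status bytes method url user hierarchy/peer type
_SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample traffic from one client. Line 2 is benign; line 3 fetches
# from a hostname that is not on the list but resolves to a listed address.
SAMPLE_ACCESS_LOG = [
    "1094000001.112    410 10.0.0.25 TCP_MISS/200 61440 GET http://www.2nd-thought.com/stcloader.exe - DIRECT/81.52.249.158 application/octet-stream",
    "1094000063.004     88 10.0.0.25 TCP_MISS/200 1290 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html",
    "1094000120.550    305 10.0.0.25 TCP_MISS/200 98304 GET http://ads.example.net/dl/setup.exe - DIRECT/69.28.208.77 application/octet-stream",
    "1094000130.001     12 10.0.0.25 TCP_MISS/200 540 GET http://69.90.32.141/cfg.txt - DIRECT/69.90.32.141 text/plain",
]


def parse_squid_line(line: str) -> Optional[Dict[str, str]]:
    """Split one native-format Squid log line into fields; None if it does not parse."""
    m = _SQUID_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def find_sectho_downloads(lines, iocs=SECTHO_HOSTS) -> List[Dict[str, object]]:
    """Return records for requests whose URL host or resolved peer is a listed address.

    Each hit carries 'reasons' (which field matched) and 'binary', set when the
    request was a GET that returned an executable-looking content type, i.e. the
    component-download pattern described above.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["host"] in iocs:
            reasons.append("url-host")
        if rec["peer"].lower() in iocs:
            reasons.append("peer-ip")
        if not reasons:
            continue
        hit: Dict[str, object] = dict(rec)
        hit["reasons"] = reasons
        hit["binary"] = rec["method"] == "GET" and rec["ctype"].lower() in BINARY_TYPES
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in find_sectho_downloads(SAMPLE_ACCESS_LOG):
        flag = "BINARY " if h["binary"] else ""
        print(f"{h['client']} -> {h['url']} via {h['peer']} {flag}[{', '.join(h['reasons'])}]")
```

A "binary" hit from a listed source is the stcloader.exe fetch or one of the follow-on component downloads; a non-binary hit still shows the loader checking in and identifies the client that should have its Run key examined.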


Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, add these web addresses to the URL block section -

    146.82.109.210
    199.221.131.110
    206.252.133.205
    209.202.248.103
    216.127.90.68
    216.177.81.230
    69.28.208.77
    69.28.210.150
    69.90.32.141
    81.52.249.158
    www.2nd-thought.com