W32/Darce.A
Analysis
Specifics
This Trojan is a package installer for a remote shell
on the target system. It contains components that are
extracted at run time; the main Trojan is actually a
self-extracting RAR archive. If the Trojan is run, it
may terminate some services and add two hidden network
shares to the system (see "New Shares Created" below).
The Trojan will create output files which contain sensitive configuration details. These are the output files created -
c:\png00002.jpg
<Windows>\inf\Layout10.pnf
<Windows>\inf\Layout11.pnf
<Windows>\System32\msmgmt.dll
The files 'msmgmt.dll' and 'png00002.jpg' may contain the following types of data -
* environment variables in memory
* listing of currently running services
* directory listing of the root folder and Program Files,
including the owner of each entry
* other log entries recording whether commands run from
the command prompt succeeded or failed
New Shares Created
The Trojan may add two hidden network shares to the system
with these names -
RPC$
USR$
The shares are defined by these values in the system registry -
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares\
"RPC$" = "CSCFlags=0 MaxUses=429496795
Path=c:\ Permissions=63
Remark=Vyhrazeno systemu Windows Type=0"
"USR$" = "CSCFlags=0 MaxUses=429496795
Path=<user profile folder>
Permissions=63 Remark=Vychozi sdileni uzivatele Type=0"
The Remark strings are Czech and read roughly "Reserved for Windows system" and "Default user share"; Permissions=63 (0x3F) sets all six share-level access bits, so the whole C: drive is exposed with full access.
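The share definitions above are stored as REG_MULTI_SZ values, one "Key=Value" string per property. The following added example (not part of the original analysis, and not Fortinet code) parses entries of that shape and flags the ones a responder should look at: the two W32/Darce.A share names, any drive root shared with Permissions=63, and any hidden "$" share that is not a built-in administrative share. The sample registry data is constructed; the RPC$ and USR$ entries copy the values from this analysis, while the path of USR$, the "Data" share and the "print$" share are assumptions for contrast.

```python
import re

# Constructed sample of the REG_MULTI_SZ values under
# HKLM\System\CurrentControlSet\Services\lanmanserver\Shares, one entry per
# share name, each a list of "Key=Value" strings. RPC$ and USR$ reproduce the
# values from this analysis (the Czech remarks mean "Reserved for Windows
# system" and "Default user share"); the USR$ path and the other two shares
# are constructed for contrast.
SAMPLE_SHARES = {
    "RPC$": ["CSCFlags=0", "MaxUses=429496795", "Path=c:\\", "Permissions=63",
             "Remark=Vyhrazeno systemu Windows", "Type=0"],
    "USR$": ["CSCFlags=0", "MaxUses=429496795",
             "Path=C:\\Documents and Settings\\user", "Permissions=63",
             "Remark=Vychozi sdileni uzivatele", "Type=0"],
    "Data": ["CSCFlags=0", "MaxUses=4294967295", "Path=D:\\Data",
             "Permissions=0", "Remark=Team data", "Type=0"],
    "print$": ["CSCFlags=0", "MaxUses=4294967295",
               "Path=C:\\Windows\\System32\\spool\\drivers",
               "Permissions=0", "Remark=Printer Drivers", "Type=0"],
}

# Share names this Trojan is reported to create.
DARCE_SHARE_NAMES = {"RPC$", "USR$"}
# Permissions=63 is 0x3F: all six share-level access bits (read, write,
# create, execute, delete, change attributes) are set.
FULL_ACCESS = 63


def parse_share(fields):
    """Turn the Key=Value strings of one share entry into a dict."""
    props = {}
    for field in fields:
        key, sep, value = field.partition("=")
        if sep:
            props[key] = value
    return props


def is_drive_root(path):
    """True for paths such as 'c:\\' or 'D:' that expose a whole volume."""
    return re.fullmatch(r"[A-Za-z]:\\?", path) is not None


def is_builtin_hidden(name):
    """Built-in administrative shares that are expected to end with '$'."""
    upper = name.upper()
    return upper in {"ADMIN$", "IPC$", "PRINT$", "FAX$"} or \
        re.fullmatch(r"[A-Z]\$", upper) is not None


def suspicious_shares(shares):
    """Return {share name: [reasons]} for every share worth investigating."""
    findings = {}
    for name, fields in shares.items():
        props = parse_share(fields)
        reasons = []
        if name in DARCE_SHARE_NAMES:
            reasons.append("share name matches W32/Darce.A indicator")
        perms = int(props.get("Permissions", "0"))
        if is_drive_root(props.get("Path", "")) and perms == FULL_ACCESS:
            reasons.append("drive root shared with full access (Permissions=63)")
        if name.endswith("$") and not is_builtin_hidden(name):
            reasons.append("hidden share that is not a built-in administrative share")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for share, why in suspicious_shares(SAMPLE_SHARES).items():
        print(share, "->", "; ".join(why))
```

On a live host the same dictionary can be built from `winreg` by enumerating the values under that key, since each value is already a list of strings; the checks themselves do not depend on where the data came from.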
Remote Shell Activation
The Trojan may install a remote shell to listen on TCP
port 53. The VBScript component 'odbcjet.vbs' contains
instructions to stop services matching these names,
using the "net stop" instruction -
SharedAccess
alg.exe
sscansvc.exe
Next, 'odbcjet.vbs' runs the dropped program file 'schvost.exe' (a name chosen to resemble the legitimate svchost.exe) with these parameters -
schvost.exe -L -p 53 -e cmd.exe
These are netcat-style options: listen persistently (-L) on port 53 (-p) and attach cmd.exe (-e) to each incoming connection, so the remote shell shares the port normally used by DNS.
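The service stops, the script host and the listener launch described above all surface as process-creation events. The following added example (not from the original analysis, and not Fortinet code) triages constructed Sysmon-style records for the behaviours this section lists: a binary given netcat-style listen-and-exec arguments, "net stop" of a firewall-related service, a script host spawning net.exe, and an image name within two edits of a system binary name. The event records, the drop location C:\Windows\schvost.exe and the benign background events are assumptions; the command lines of the three malicious events copy this analysis.

```python
import os
import re

# Constructed process-creation records (Sysmon Event ID 1 / EDR style).
# The first three follow the chain in this analysis: odbcjet.vbs runs,
# issues "net stop", then starts schvost.exe listening on TCP 53 with
# cmd.exe attached. The drop path of schvost.exe is assumed. The last two
# records are benign noise for contrast.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "wscript.exe odbcjet.vbs"},
    {"image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "net stop SharedAccess"},
    {"image": r"C:\Windows\schvost.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "schvost.exe -L -p 53 -e cmd.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net stop Spooler"},
]

# Services odbcjet.vbs stops; SharedAccess is the Windows Firewall / ICS service.
DARCE_STOPPED = {"sharedaccess", "alg.exe", "sscansvc.exe"}
SHELLS = {"cmd.exe", "command.com", "powershell.exe"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe"}
WELL_KNOWN_PORTS = {53: "DNS", 80: "HTTP", 443: "HTTPS"}


def levenshtein(a, b):
    """Plain edit distance, used to spot look-alike binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shell_listener(cmdline):
    """Return {'port': n} when the arguments bind a shell to a listening socket."""
    args = cmdline.lower().split()
    listens = "-l" in args  # covers both -l and -L after lower()
    shell = any(args[i] == "-e" and args[i + 1] in SHELLS
                for i in range(len(args) - 1))
    if not (listens and shell):
        return None
    port = None
    if "-p" in args:
        i = args.index("-p")
        if i + 1 < len(args) and args[i + 1].isdigit():
            port = int(args[i + 1])
    return {"port": port}


def service_stop_target(cmdline):
    """Return the service name for 'net stop <service>' invocations, else None."""
    m = re.match(r"\s*(?:\S*\\)?net1?(?:\.exe)?\s+stop\s+(\S+)", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def lookalike_of_system_binary(image):
    """Return the system binary an image name imitates, if any."""
    name = os.path.basename(image.replace("\\", "/")).lower()
    for sysbin in SYSTEM_BINARIES:
        if name != sysbin and levenshtein(name, sysbin) <= 2:
            return sysbin
    return None


def triage(events):
    """Return a list of (rule, detail) findings over process-creation records."""
    findings = []
    for ev in events:
        cmd, image, parent = ev["cmdline"], ev["image"], ev["parent"]
        hit = shell_listener(cmd)
        if hit:
            label = WELL_KNOWN_PORTS.get(hit["port"], "non-standard")
            findings.append(("shell-listener", f"{cmd} (port {hit['port']}, {label})"))
        svc = service_stop_target(cmd)
        if svc and svc.lower() in DARCE_STOPPED:
            findings.append(("security-service-stopped", f"{svc} stopped, parent {parent}"))
        look = lookalike_of_system_binary(image)
        if look:
            findings.append(("lookalike-binary", f"{image} resembles {look}"))
        if parent.lower().endswith(("wscript.exe", "cscript.exe")) and \
                image.lower().endswith("net.exe"):
            findings.append(("script-host-spawns-net", cmd))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The look-alike check is deliberately generic: schvost.exe is two edits from svchost.exe, which is enough to catch this family's naming trick without listing the specific name, while the exact svchost.exe and the unrelated "net stop Spooler" produce no findings.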
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option