Virus

Analysis

Specifics
This Trojan is a package installer for a remote shell on the target system. This Trojan contains components which are extracted at run time. The main Trojan is actually a self-extracting .RAR archive file. If the Trojan is run, it could terminate some services, and also add two accounts to the system.

The Trojan will create output files which contain sensitive configuration details. These are the output files created -

c:\png00002.jpg
undefinedWindowsundefined\inf\Layout10.pnf
undefinedWindowsundefined\inf\Layout11.pnf
undefinedWindowsundefined\System32\msmgmt.dll

The files 'msmgmt.dll' and 'png00002.jpg' may contain the following types of data -

* environment variables in memory
* listing of currently running services
* directory listing of root files, program files, and their ownership details
* other log file entries indicating if commands initiated at the MS-DOS level were successful or not

New Shares Created
The Trojan may add two additional accounts to the system by these names -

RPC$
USR$

The system registry is updated to reflect how these shares are used -

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares\
"RPC$" = "CSCFlags=0 MaxUses=429496795 Path=c:\ Permissions=63
Remark=Vyhrazeno systemu Windows Type=0"
"USR$" = "CSCFlags=0 MaxUses=429496795 Path=undefineduser profile folderundefined
Permissions=63 Remark=Vychozi sdileni uzivatele Type=0

Remote Shell Activation
The Trojan may install a remote shell to listen on TCP port 53. The VBScript component 'odbcjet.vbs' contains instructions to stop services matching these names, using the "net stop" instruction -

SharedAccess
alg.exe
sscansvc.exe

Next, 'odbcjet.vbs' will instruct the compromised host to initiate a created and dropped program file named 'schvost.exe' using these parameters -

schvost.exe -L -p 53 -e cmd.exe

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

ID	3954
Released	Aug 04, 2004
Description Updated	Oct 18, 2004
Platform Profile	Win32 file format / PE 32 bit

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

W32/Darce.A

Analysis

Recommended Action

Telemetry

News/Research

Research Center

PSIRT Center

Services

By Outbreak

By Solution

By Product

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

Threat Intelligence Center

Resource Center

About

FortiGuard Labs

Partners

Virus

W32/Darce.A

Analysis

Recommended Action

Telemetry

Threat Intelligence
Center