Nowadays it is very common for threats to use rootkit techniques to hide malicious files on a computer's hard drive, but it is far less common to hide the actual payload in the Windows Registry and use the malicious file only as a loader. The following sample has evolved a bit since we first saw this kind of thing, but much of its behavior remains unchanged.
Malicious Registry data
Upon execution, our sample behaves as follows:
1) Two new files are dropped in the %system32% folder:
- %system32%\kbdsock.dll -> used as a loader of the malicious code stored in the registry
- %system32%\mshlps.dll -> used as a loader of the malicious code stored in the registry
2) Disables the Windows System Restore feature
3) Sets a registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls “AppSecDll” = “C:\WINDOWS\system32\mshlps.dll”
4) Sets a registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows “AppInit_DLLs” = “%system32%\kbdsock.dll”. This entry ensures that the malicious code is loaded into every newly created process
5) Finally, two new registry keys are created containing executable binary data with the encrypted malicious code:
- The first key is in the user's hive: [HKEY_CURRENT_USER\Software\TRQ00YJ7X0]
- The data begins with E8 00 00 00 00 (a CALL to the very next instruction), which tells us this is executable code that obtains its own current address in memory. A simple XOR loop follows it, and once that loop runs we get the decrypted body of the loaded code.
- The malware hooks the NT functions NtCreateKey, NtOpenKey, NtQueryValueKey, NtDeleteValueKey, NtSetValueKey, NtDeleteKey and NtQueryDirectoryFile to prevent anyone from viewing, modifying or deleting the registry keys holding the malicious code, the dropped DLLs and the downloaded config.data file. Older samples left these keys accessible via regedit.exe, so they could be deleted manually. However, laziness or insufficient knowledge on the author's part means that folders named co, conf, confi and config are hidden as well. The string “config” is used by many applications for folders and files, so there is a higher chance that a user will notice the suspicious behavior when an application's config file or folder goes missing.
- The second key holding malicious code is stored under the classes root: [HKEY_CLASSES_ROOT\4I0P0BQ00]
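The over-broad hiding described above is also a detection opportunity. The following Python script is an added example (not AVG's code and not derived from the sample itself) of a cross-view check: it creates canary folders, then compares what a directory listing reports with what can still be opened by full path, since a hook on NtQueryDirectoryFile affects only the enumeration path. The hook model is an assumption drawn from the observation that co, conf, confi and config all vanish, namely that any name which is a prefix of “config” is treated as hidden; the simulated hook and the canary names are constructed for the demonstration.

```python
"""
Cross-view check for a directory-enumeration hook that hides "config"-like
names too loosely. Added example, not AVG's code. The hook model is an
assumption: it hides every name that is a prefix of "config".
"""
import os
import tempfile
from typing import Callable, Iterable, List

# Canary names: the four the hook is observed to hide, plus two controls that
# are not prefixes of "config" and should therefore stay visible.
CANARIES = ("co", "conf", "confi", "config", "configure", "settings")


def sloppy_hook_hides(name: str) -> bool:
    """Assumed matching rule of the hook: hidden if NAME is a non-empty prefix of 'config'."""
    n = name.lower()
    return 0 < len(n) <= len("config") and "config".startswith(n)


def hooked_listdir(path: str) -> List[str]:
    """Simulated NtQueryDirectoryFile hook: the real listing with hidden names removed."""
    return [n for n in os.listdir(path) if not sloppy_hook_hides(n)]


def find_hidden_canaries(parent: str,
                         list_names: Callable[[str], Iterable[str]] = os.listdir) -> List[str]:
    """Create the canary folders, then report those that exist by full path
    but are missing from the directory listing (the signature of an
    enumeration hook)."""
    for name in CANARIES:
        os.makedirs(os.path.join(parent, name), exist_ok=True)
    visible = set(list_names(parent))
    return [n for n in CANARIES
            if os.path.isdir(os.path.join(parent, n)) and n not in visible]


def run_check(list_names: Callable[[str], Iterable[str]] = os.listdir) -> List[str]:
    """Run the canary check in a scratch directory; an empty list means nothing is hidden."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_hidden_canaries(tmp, list_names)


if __name__ == "__main__":
    print("clean view  :", run_check())             # expected: []
    print("hooked view :", run_check(hooked_listdir))  # expected: co, conf, confi, config
```

On a clean machine `run_check()` returns an empty list; injecting the simulated hook shows exactly the four names from the analysis disappearing while the controls stay visible. The same idea applies to the registry keys, except that NtOpenKey is hooked too, so a by-path probe has to go around the hooked API (for example by parsing the hive file offline).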
This malware protects itself from removal with the following procedures:
- Restores the first registry entry in case it is deleted
- Restores the “AppSecDll” and “AppInit_DLLs” registry values in case they are modified
- Re-creates the dropped components “kbdsock.dll” and “mshlps.dll”
The decrypted payload contains strings that indicate what it actually does:
This malware connects to the mynewworldorder.cn domain, its C&C server, to “call home” and download additional malware. It also redirects search engine results from Google, Yahoo and Bing to other malicious remote resources.
Today's file hash is 0C4900DB1D274BF5CC3474F2D6FAF215, and AVG detects it as a variant of Trojan horse Dropper.Small. The dropped components are flagged as variants of Trojan horse Generic.
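As an added example (not part of the original analysis and not AVG's tooling), the following Python script shows how an analyst can triage a registry blob of this kind offline: confirm the E8 00 00 00 00 get-address stub, brute-force the XOR key, and pull the strings out of the decrypted body. It assumes a single-byte XOR loop and a fixed-length decoder stub; the sample blob, its key and its strings are constructed stand-ins, not data from the real sample.

```python
"""
Offline triage of a registry-stored shellcode blob. Added example, not AVG's
code. Assumptions: the encrypted body follows a fixed-size decoder stub and is
protected with a single-byte XOR key (adapt recover_xor_key for other loops).
"""
import re
from typing import Dict, List

# CALL rel32 with a zero displacement pushes the address of the next
# instruction and falls through; a following POP then holds the code's own
# address. This is the classic position-independent "get EIP" idiom.
GET_EIP_STUB = b"\xe8\x00\x00\x00\x00"


def has_get_eip_stub(blob: bytes) -> bool:
    """True if the blob starts with the CALL $+5 get-address idiom."""
    return blob.startswith(GET_EIP_STUB)


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the assumed form of the sample's decryption loop."""
    return bytes(c ^ key for c in data)


def _string_likeness(decoded: bytes) -> int:
    """Score a plaintext candidate: C string tables are lowercase-heavy and NUL-terminated."""
    score = 0
    for b in decoded:
        if 0x61 <= b <= 0x7A:                    # a-z
            score += 2
        elif b in b" .:/\\-_0123456789\x00":     # separators, digits, NUL terminators
            score += 1
    return score


def recover_xor_key(encrypted: bytes) -> int:
    """Try all 256 keys and keep the one whose output looks most like strings."""
    return max(range(256), key=lambda k: _string_likeness(xor_decode(encrypted, k)))


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [m.decode("ascii") for m in re.findall(rb"[ -~]{%d,}" % min_len, data)]


def analyse_blob(blob: bytes, stub_len: int) -> Dict[str, object]:
    """Check for the stub, recover the key, decrypt the body and list its strings."""
    if not has_get_eip_stub(blob):
        return {"is_shellcode": False, "key": None, "strings": []}
    body = blob[stub_len:]
    key = recover_xor_key(body)
    return {"is_shellcode": True, "key": key,
            "strings": extract_strings(xor_decode(body, key))}


# --- Constructed sample (stand-in for the real registry data) -----------------
SAMPLE_KEY = 0x5A
SAMPLE_STUB = GET_EIP_STUB + b"\x5b" + b"\x90" * 10     # pop ebx + placeholder loop bytes
STUB_LEN = len(SAMPLE_STUB)
SAMPLE_PLAINTEXT = (
    b"mynewworldorder.cn\x00"
    b"http://www.google.com/search\x00"
    b"search.yahoo.com\x00www.bing.com\x00config.data\x00"
    + bytes(range(32))              # some binary code bytes after the string table
)
SAMPLE_BLOB = SAMPLE_STUB + xor_decode(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print(analyse_blob(SAMPLE_BLOB, STUB_LEN))
```

The scoring deliberately favours lowercase letters and NUL bytes so that a key differing from the real one by 0x20 (which merely flips letter case) does not tie with it; on a real blob the stub length comes from disassembling the decoder loop rather than from a constant.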
AVG Viruslab Research Group