Trojan targeting Vietnamese Speakers (Apr 2, 2010)

The SonicWALL UTM Research team observed reports of a new Trojan targeting Vietnamese speakers, reported by Google here. The authors of this malware repackaged their binary together with the Vietnamese keyboard driver VPSKeys, a legitimate application that provides Vietnamese keyboard support to Windows users.

Users who downloaded this keyboard driver may not be aware that they received a tampered version, since the VPSKeys installer and the malicious binary look the same apart from a discrepancy in file size.

Screenshot of VPSKeys

Installation

  • Copies and runs itself from the %User%\Application Data folder.

Files Installed

  • %User%\Application Data\Java\jre6\bin\jucheck.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %User%\Application Data\Java\jre6\bin\zf32.dll
  • %User%\Application Data\Vpskeys43.exe – [Detected as GAV: VulcanBot (Trojan)]
  • Program Files\Adobe\AdobeUpdateManager.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Adobe\zf32.dll
  • Program Files\Microsoft Office\Office11\OSA.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Windows Defender\MPClient.exe – [Detected as GAV: Dosvine_2 (Trojan)]
  • Program Files\Windows Defender\MPSvc.exe – [Detected as GAV: Dosvine_3 (Trojan)]
  • Program Files\Java\jre6\bin\jucheck.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Java\jre6\bin\zf32.dll
  • Program Files\Windows NT\Windows Update\wuauclt.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Windows NT\Windows Update\zf32.dll
  • %Windir%\system32\mscommon.inf
  • %Windir%\system32\msconfig32.sys
  • %Windir%\system32\zf32.dll
  • %Windir%\system32\Setup\AdobeUpdateManager.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\jucheck.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\MPClient.exe – [Detected as GAV: Dosvine_2 (Trojan)]
  • %Windir%\system32\Setup\MPSvc.exe – [Detected as GAV: Dosvine_3 (Trojan)]
  • %Windir%\system32\Setup\OSA.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\wuauclt.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\zf32.dll

Registry Changes

Added Registry

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Userinit
    Data: “C:\WINDOWS\System32\userinit.exe,C:\Program Files\Adobe\AdobeUpdateManager.exe”

    Added to run the binary as a service

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jucheck
    Value: ImagePath
    Data: C:\Program Files\Java\jre6\bin\jucheck.exe

    Added to run the binary on every Windows startup

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Adobe Update Manager
    Data: “C:\Program Files\Adobe\AdobeUpdateManager.exe”
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Microsoft Office quick launch
    Data: “C:\Program Files\Microsoft Office\Office11\OSA.exe”
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Windows Update Automatic Updates
    Data: “C:\Program Files\Windows NT\Windows Update\wuauclt.exe”
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Adobe Update Manager
    Data: “C:\Program Files\Adobe\AdobeUpdateManager.exe”
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Microsoft Office quick launch
    Data: “C:\Program Files\Microsoft Office\Office11\OSA.exe”
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Windows Update Automatic Updates
    Data: “C:\Program Files\Windows NT\Windows Update\wuauclt.exe”

    Added to run the binary in Windows Safe Mode

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jucheck
    Value: @
    Data: “Service”
  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\jucheck
    Value: @
    Data: “Service”

Modified Registry

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Userinit
    Original Data: “C:\WINDOWS\System32\userinit.exe,”
    Modified Data: “C:\WINDOWS\System32\userinit.exe,C:\Program Files\Adobe\AdobeUpdateManager.exe”
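As an added example (not part of the SonicWALL report), the following Python triages a registry snapshot for the three persistence patterns listed above: an extra binary appended to the Winlogon Userinit chain, a service registered under SafeBoot so that it also starts in Safe Mode, and Run or ImagePath values that point at the dropped binaries. It generalises the Userinit check to either hive; the sample snapshot, the "Example Tool" entry and the vga.sys baseline are constructed for illustration.

```python
import re

# Persistence locations and dropped-file paths taken from the report above.
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"
SAFEBOOT_RE = re.compile(
    r"^hkey_local_machine\\system\\currentcontrolset\\control\\safeboot\\(minimal|network)\\([^\\]+)$",
    re.IGNORECASE)
IOC_PATHS = {  # lower-cased for comparison
    r"c:\program files\adobe\adobeupdatemanager.exe",
    r"c:\program files\java\jre6\bin\jucheck.exe",
    r"c:\program files\microsoft office\office11\osa.exe",
    r"c:\program files\windows nt\windows update\wuauclt.exe",
}

def unquote(data):
    """Strip whitespace and the straight or typographic quotes a REG_SZ export may carry."""
    return data.strip().strip('"\u201c\u201d').strip()

def userinit_extras(data):
    """Return every comma-separated Userinit entry other than System32\\userinit.exe itself."""
    parts = [unquote(p) for p in unquote(data).split(",")]
    return [p for p in parts if p and not p.lower().endswith(r"\system32\userinit.exe")]

def audit_registry(entries, safeboot_baseline=frozenset()):
    """entries: iterable of (key, value_name, data) collected from a host; returns finding strings."""
    baseline = {s.lower() for s in safeboot_baseline}
    findings = []
    for key, name, data in entries:
        m = SAFEBOOT_RE.match(key)
        if key.lower().endswith(WINLOGON_SUFFIX) and name.lower() == "userinit":
            findings += [f"Userinit chain-loads an extra binary: {p}" for p in userinit_extras(data)]
        elif m and m.group(2).lower() not in baseline:
            findings.append(f"SafeBoot\\{m.group(1)} lets service '{m.group(2)}' start in Safe Mode")
        elif unquote(data).lower() in IOC_PATHS:
            findings.append(f"Known dropped binary referenced by {key}\\{name}")
    return findings

# Constructed snapshot: four entries copied from the report plus two benign ones (constructed).
SAMPLE_ENTRIES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"“C:\WINDOWS\System32\userinit.exe,C:\Program Files\Adobe\AdobeUpdateManager.exe”"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Adobe Update Manager", r'"C:\Program Files\Adobe\AdobeUpdateManager.exe"'),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jucheck", "ImagePath", r"C:\Program Files\Java\jre6\bin\jucheck.exe"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jucheck", "@", '"Service"'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Example Tool", r"C:\Program Files\Example\tool.exe"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys", "@", '"Driver"'),
]
print(*audit_registry(SAMPLE_ENTRIES, safeboot_baseline={"vga.sys"}), sep="\n")
```

On a live host the same function can be fed the output of a registry export or a `winreg` walk of the Run, Services, SafeBoot and Winlogon keys; the SafeBoot baseline should come from a known-good machine of the same Windows build.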

Process Created

  • jucheck.exe
  • AdobeUpdateManager.exe
  • MPsvc.exe
  • wuauclt.exe
  • OSA.exe

Network Activity

It tries to connect to the following domains:

  • adobe.ath.cx
  • blogspot.blogsite.org
  • google.homeunix.com
  • tyuqwer.dyndns.org
  • update-adobe.com
  • voanews.ath.cx
  • ymail.ath.cx

This malware is also known as W32/Vulcanbot [McAfee], Win32/VBbot.V [Microsoft], and VBbot.A [ESET].

SonicWALL Gateway AntiVirus provides protection against this Trojan via GAV: Vulcanbot (Trojan), GAV: Dosvine (Trojan), GAV: Dosvine_2 (Trojan), GAV: Dosvine_3 (Trojan) and GAV: VBBot.V (Trojan) signatures.
