9348.cn Trojan.

The 9348.cn Trojan changes the Internet Explorer home page to www.9348.cn/?20541. It sets the home page back to 9394.cn instantly every time I try to fix the problem.
It also opens a pop-up (a second IE window) every time I visit another website, and causes high CPU usage.
Bitdefender, TrendMicro OfficeScan, Spybot and SuperAntiSpyware fail to detect it.
While exploring the system with Sysinternals' Process Explorer, I found a suspicious DLL (abTV.dll) loaded into Windows Explorer. Below is the VirusTotal result:
File abTV.dll received on 2010.03.26 00:58:03 (UTC)
Antivirus          Version          Last Update  Result
a-squared          4.5.0.50         2010.03.25   Trojan.Win32.Jkfg!IK
AhnLab-V3          5.0.0.2          2010.03.25   -
AntiVir            7.10.5.225       2010.03.25   TR/Crypt.XPACK.Gen
Antiy-AVL          2.0.3.7          2010.03.24   -
Authentium         5.2.0.5          2010.03.26   -
Avast              4.8.1351.0       2010.03.25   Win32:Caxnet
Avast5             5.0.332.0        2010.03.25   Win32:Caxnet
AVG                9.0.0.787        2010.03.26   Generic17.RTJ
BitDefender        7.2              2010.03.26   Backdoor.Koutodoor.A
CAT-QuickHeal      10.00            2010.03.25   -
ClamAV             0.96.0.0-git     2010.03.26   -
Comodo             4386             2010.03.26   TrojWare.Win32.Zybr.B
DrWeb              5.0.1.12222      2010.03.26   -
eSafe              7.0.17.0         2010.03.25   -
eTrust-Vet         35.2.7389        2010.03.25   -
F-Prot             4.5.1.85         2010.03.25   -
F-Secure           9.0.15370.0      2010.03.25   Backdoor.Koutodoor.A
Fortinet           4.0.14.0         2010.03.24   -
GData              19               2010.03.26   Backdoor.Koutodoor.A
Ikarus             T3.1.1.80.0      2010.03.25   Trojan.Win32.Jkfg
Jiangmin           13.0.900         2010.03.25   -
K7AntiVirus        7.10.1004        2010.03.22   -
Kaspersky          7.0.0.125        2010.03.25   Trojan.Win32.Jkfg.cv
McAfee             5931             2010.03.25   -
McAfee+Artemis     5931             2010.03.25   -
McAfee-GW-Edition  6.8.5            2010.03.25   Trojan.Crypt.XPACK.Gen
Microsoft          1.5605           2010.03.25   -
NOD32              4975             2010.03.25   Win32/Koutodoor.FY
Norman             6.04.10          2010.03.25   -
nProtect           2009.1.8.0       2010.03.25   Backdoor.Koutodoor.A
Panda              10.0.2.2         2010.03.25   Suspicious file
PCTools            7.0.3.5          2010.03.25   -
Prevx              3.0              2010.03.26   High Risk Cloaked Malware
Rising             22.40.03.04      2010.03.25   -
Sophos             4.52.0           2010.03.26   -
Sunbelt            6090             2010.03.26   -
Symantec           20091.2.0.41     2010.03.26   Suspicious.Insight
TheHacker          6.5.2.0.245      2010.03.26   -
TrendMicro         9.120.0.1004     2010.03.25   -
VBA32              3.12.12.2        2010.03.25   -
ViRobot            2010.3.25.2244   2010.03.25   -
VirusBuster        5.0.27.0         2010.03.25   -
Additional information
File size: 49152 bytes
MD5…: bc8969b849b350c0a2a2075b24576452
SHA1..: 766f8a501fec33453f2ee7e893333bb4d4f115d7
SHA256: 9c394ae4c540f67f00957f81d8f1fe05dfc29329d4dffafd0829bcf55f5b4e58
ssdeep: 768:Q3kVPvGLZ/w3Zrsalc9KDS5/9rPIGcQR+dH02DgEKSLKxSjbfohpWM1jh:yqvEuePOSHrACM7rjQpth
PEiD..: –
PEInfo: PE Structure information( base data )
entrypointaddress.: 0x7127
timedatestamp…..: 0x4ba61744 (Sun Mar 21 12:55:32 2010)
machinetype…….: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x61d0 0x7000 6.26 d9472e6d2e30bde4f3c40c702df48132
.rdata 0x8000 0xb04 0x1000 4.08 86f71f775a9b6fa1ed781c0da8ac83c6
.data 0x9000 0xe74 0x1000 4.92 be68332f90ed264487e449cb7055eb0d
.rsrc 0xa000 0x650 0x1000 1.51 e37e2c69cecf58b117993d02c143d309
.reloc 0xb000 0x612 0x1000 2.97 603e2b96e2c9b9de544d3cd4f67303e4

( 7 imports )
> KERNEL32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InterlockedDecrement, HeapAlloc, GetSystemInfo, GetVersionExA, HeapCreate, HeapDestroy, lstrlenW, MultiByteToWideChar, lstrlenA, GetShortPathNameA, GetModuleHandleA, GetWindowsDirectoryA, InitializeCriticalSection, WritePrivateProfileStringA, GetCurrentProcessId, Process32Next, Process32First, GetLastError, CreateEventA, DeleteFileA, Sleep, CreateThread, WideCharToMultiByte, GetCommandLineW, DisableThreadLibraryCalls, InterlockedIncrement, GetProcAddress, GetModuleFileNameA, LoadLibraryA, CloseHandle, GetSystemDirectoryA, GetLocalTime
> USER32.dll: CreateWindowExA, ShowWindow, IsWindow, FindWindowExA, RegisterClassExA, SendMessageA, KillTimer, SetTimer, PostMessageA, DefWindowProcA, GetMessageA, TranslateMessage, DispatchMessageA, CallNextHookEx, SetWindowTextA
> ADVAPI32.dll: RegSetValueExA, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
> SHELL32.dll: CommandLineToArgvW
> ole32.dll: CoCreateInstance
> OLEAUT32.dll: -, -, -, -, –
> MSVCRT.dll: rand, strlen, _strlwr, strcmp, _access, strchr, fopen, free, _initterm, malloc, _adjust_fdiv, _stricmp, strstr, fwrite, fclose, memcmp, memcpy, __2@YAPAXI@Z, _purecall, strrchr, memset, __3@YAXPAX@Z, sprintf, strcat, strcpy

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

RDS…: NSRL Reference Data Set
pdfid.: –
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher….: n/a
copyright….: n/a
product……: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments…..: n/a
signers……: –
signing date.: –
verified…..: Unsigned
Prevx Info: http://info.prevx.com/aboutprogramtext.asp?PX5=5F34E0C800B32C1AC02B00560DC99D00711B2012

I killed the Windows Explorer process and renamed abTV.dll to abTV.dll.bak to disable it.

Looking further into the system with Sysinternals' Autoruns, I found a weird entry under HKLM\System\CurrentControlSet\Services.

The entry was named qdsbbu and tried to load the file c:\windows\system32\drivers\fhnqi.sys.

I couldn't find anything about this entry on the Internet, so I tried to disable it. Every time I disabled it, it re-enabled itself instantly.

To remove this entry, I closed its handle through Process Explorer and deleted the entry.
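The two things fixed by hand above, the hijacked IE start page and the service entry that re-enabled itself, are exactly the checks a defender would want to repeat on other machines after an infection like this. The script below is an added example, not code from this post: the registry keys and value names are the standard Internet Explorer start-page and Services locations, the hijack domains are the ones named in the post, and the allowed start-page domains plus the baseline/current service samples are constructed assumptions. On Windows it reads the live registry through the standard winreg module; elsewhere it runs against the constructed samples.

```python
import sys

# Registry values Internet Explorer reads its start page from (per-user value first, then machine defaults).
START_PAGE_VALUES = [
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page"),
    (r"HKLM\Software\Microsoft\Internet Explorer\Main", "Start Page"),
    (r"HKLM\Software\Microsoft\Internet Explorer\Main", "Default_Page_URL"),
]
HIJACK_DOMAINS = {"9348.cn", "9394.cn"}      # domains the post saw the start page being forced to
ALLOWED_DOMAINS = {"msn.com", "google.com"}   # assumption: start pages this environment treats as normal


def start_page_domain(url):
    """Reduce a start-page value to its domain: scheme, 'www.', port, path and query dropped.
    about: pages (e.g. about:blank) return '' and are never flagged."""
    url = url.strip()
    if url.lower().startswith("about:"):
        return ""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0].split("?", 1)[0].split(":", 1)[0].lower()
    return host[4:] if host.startswith("www.") else host


def check_start_pages(values):
    """values: {(registry key, value name): data}. Returns (kind, key, name, data) findings."""
    findings = []
    for (key, name), data in values.items():
        domain = start_page_domain(data)
        if not domain:
            continue
        if domain in HIJACK_DOMAINS or any(domain.endswith("." + d) for d in HIJACK_DOMAINS):
            findings.append(("hijacked", key, name, data))
        elif domain not in ALLOWED_DOMAINS:
            findings.append(("unexpected", key, name, data))
    return findings


def new_driver_services(baseline, current):
    """Services present now but absent from an earlier baseline whose ImagePath is a kernel driver (.sys).
    A self-re-enabling entry like the post's 'qdsbbu' shows up here even though it cannot be disabled."""
    return sorted((name, path) for name, path in current.items()
                  if name not in baseline and path.strip().lower().endswith(".sys"))


def read_windows_state():
    """Live readers using the standard winreg module; Windows only. Returns (start pages, services)."""
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    pages = {}
    for key, name in START_PAGE_VALUES:
        root, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as h:
                pages[(key, name)] = str(winreg.QueryValueEx(h, name)[0])
        except OSError:
            pass                  # value not set at this location
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as svc_root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(svc_root, index)
            except OSError:
                break             # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(svc_root, name) as h:
                    services[name] = str(winreg.QueryValueEx(h, "ImagePath")[0])
            except OSError:
                continue          # key has no ImagePath (parameters-only entries)
    return pages, services


# Constructed sample state mirroring the post: a hijacked per-user start page and one unknown new driver service.
SAMPLE_START_PAGES = {
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page"): "http://www.9348.cn/?20541",
    (r"HKLM\Software\Microsoft\Internet Explorer\Main", "Start Page"): "about:blank",
    (r"HKLM\Software\Microsoft\Internet Explorer\Main", "Default_Page_URL"): "http://www.msn.com/",
}
SAMPLE_BASELINE = {"Disk": r"System32\drivers\disk.sys", "Tcpip": r"System32\drivers\tcpip.sys"}
SAMPLE_CURRENT = dict(SAMPLE_BASELINE,
                      qdsbbu=r"\??\c:\windows\system32\drivers\fhnqi.sys",
                      ExampleSvc=r"C:\Program Files\Example\svc.exe")

if __name__ == "__main__":
    if sys.platform == "win32":
        pages, services = read_windows_state()
        baseline = SAMPLE_BASELINE    # replace with a Services snapshot saved from a known-clean machine
    else:
        pages, services, baseline = SAMPLE_START_PAGES, SAMPLE_CURRENT, SAMPLE_BASELINE
    for finding in check_start_pages(pages):
        print("start page:", *finding)
    for name, path in new_driver_services(baseline, services):
        print("new driver service:", name, path)
```

The service check is a baseline diff rather than a name heuristic: a snapshot of the Services key taken from a clean build is the only reliable way to notice a freshly created entry such as qdsbbu, and it works regardless of whether the entry lets itself be disabled.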

Below is an analysis of the file with VirusTotal:

File fhnqi.sys received on 2010.03.25 06:48:11 (UTC)
Antivirus          Version          Last Update  Result
a-squared          4.5.0.50         2010.03.25   -
AhnLab-V3          5.0.0.2          2010.03.25   -
AntiVir            8.2.1.196        2010.03.24   TR/Rootkit.Gen2
Antiy-AVL          2.0.3.7          2010.03.24   -
Authentium         5.2.0.5          2010.03.25   -
Avast              4.8.1351.0       2010.03.24   Win32:Caxnet
Avast5             5.0.332.0        2010.03.24   Win32:Caxnet
AVG                9.0.0.787        2010.03.25   Win32/Cryptor
BitDefender        7.2              2010.03.25   -
CAT-QuickHeal      10.00            2010.03.25   -
ClamAV             0.96.0.0-git     2010.03.25   -
Comodo             4377             2010.03.25   TrojWare.Win32.Zybr.B
DrWeb              5.0.1.12222      2010.03.25   -
eSafe              7.0.17.0         2010.03.24   -
eTrust-Vet         35.2.7387        2010.03.25   -
F-Prot             4.5.1.85         2010.03.24   -
F-Secure           9.0.15370.0      2010.03.25   -
Fortinet           4.0.14.0         2010.03.24   -
GData              19               2010.03.25   Win32:Caxnet
Ikarus             T3.1.1.80.0      2010.03.25   -
Jiangmin           13.0.900         2010.03.25   Heur:Trojan/JunkCode
K7AntiVirus        7.10.1004        2010.03.22   -
Kaspersky          7.0.0.125        2010.03.25   -
McAfee             5930             2010.03.24   BackDoor-DTL.b
McAfee+Artemis     5930             2010.03.24   BackDoor-DTL.b
McAfee-GW-Edition  6.8.5            2010.03.25   Trojan.Rootkit.Gen2
Microsoft          1.5605           2010.03.25   VirTool:WinNT/Koutodoor.A
NOD32              4972             2010.03.24   Win32/Koutodoor.EP
Norman             6.04.10          2010.03.24   -
nProtect           2009.1.8.0       2010.03.24   -
Panda              10.0.2.2         2010.03.24   -
PCTools            7.0.3.5          2010.03.25   -
Prevx              3.0              2010.03.25   High Risk Cloaked Malware
Rising             22.40.03.01      2010.03.25   -
Sophos             4.52.0           2010.03.25   -
Sunbelt            6075             2010.03.25   -
Symantec           20091.2.0.41     2010.03.25   Suspicious.Insight
TheHacker          6.5.2.0.242      2010.03.24   -
TrendMicro         9.120.0.1004     2010.03.25   -
VBA32              3.12.12.2        2010.03.24   -
ViRobot            2010.3.25.2243   2010.03.25   -
VirusBuster        5.0.27.0         2010.03.24   Rootkit.Koutodoor.Gen.2
Additional information
File size: 30016 bytes
MD5   : 19e69a9c75bdb6a392a302fa26df666f
SHA1  : ef2f5b495745d2614d317888d1cc46883985c3a2
SHA256: d37256148eab10386020d3de2768758044f390ec3ba8c01e5d07d3988637d7e2
PEInfo: PE Structure information( base data )
entrypointaddress.: 0x6A00
timedatestamp…..: 0x4BA61729 (Sun Mar 21 13:55:05 2010)
machinetype…….: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2A0 0x5486 0x54A0 6.87 a12a663f5740a226fea22d36e5f15623
.data 0x5740 0x12A4 0x12C0 5.40 81bb5701e1470be40f0b6b539c2a4472
INIT 0x6A00 0x340 0x340 6.10 84ef3c487683660bd322fe1bb4629782
.rsrc 0x6D40 0x338 0x340 3.10 aea3e54e32d83092c4a00aa44a8eca87
.reloc 0x7080 0x4A6 0x4C0 6.43 4baacd91867f32207e59b5cc1af13beb

( 1 imports )

> ntoskrnl.exe: wcslen, wcscat, wcscpy, _strnicmp, swprintf, RtlInitUnicodeString, ExFreePool, _snprintf, ExAllocatePoolWithTag, ZwClose, ZwOpenKey, MmGetSystemRoutineAddress, strncmp, strncpy, _stricmp, RtlCopyUnicodeString, ObfDereferenceObject, _wcsnicmp, RtlAnsiStringToUnicodeString

( 0 exports )

TrID  : File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ssdeep: 768:gLFH6iGsm0J2m93FtuvC73kPSffLXqNQS:gLZ6Xsm0Am1yK7UKffLXqNQS
sigcheck:
publisher….: Microsoft Corporation
copyright….: Copyright 2009
product……:
description..:
original name:
internal name:
file version.: 1, 0, 0, 1
comments…..: n/a
signers……: –
signing date.: –
verified…..: Unsigned
Prevx Info: http://info.prevx.com/aboutprogramtext.asp?PX5=F288E54E4024036175610067E9612E00A71FFDCC
PEiD  : –
RDS   : NSRL Reference Data Set
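Both VirusTotal listings above (abTV.dll and fhnqi.sys) are the kind of text an analyst wants reduced to a few numbers: how many engines hit, which family name dominates across the vendors' different naming schemes, and which PE sections show the high entropy that packed or encrypted code produces (the TR/Crypt.XPACK.Gen verdict points the same way). The parser below is an added example, not code from the post or from VirusTotal. Its sample rows are taken from the two listings (engine rows from abTV.dll, section rows from fhnqi.sys, one row deliberately keeping the scraped "</TD< tr>" residue so the cleanup is exercised); the 6.5 bits/byte entropy threshold and the list of generic verdict words are assumptions.

```python
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "engine version updated result")
Section = namedtuple("Section", "name viradd virsiz rawdsiz entropy md5")

# Engine rows: "<engine> <version> <yyyy.mm.dd> <result>"; a result of "-" means no detection.
ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
# Section rows as VirusTotal's PEInfo prints them: name, virtual address, virtual size, raw size, entropy, md5.
SECTION_RE = re.compile(
    r"^(\S+)\s+(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s+(\d+\.\d+)\s+([0-9a-fA-F]{32})$")

# Assumption: words that describe a verdict type or a packer rather than a malware family.
GENERIC_WORDS = {"trojan", "win32", "winnt", "backdoor", "trojware", "heur", "virtool", "rootkit",
                 "suspicious", "file", "high", "risk", "cloaked", "malware", "generic", "crypt",
                 "xpack", "cryptor", "insight", "junkcode"}

HIGH_ENTROPY = 6.5  # assumption: bits/byte at or above this in a section suggests packing or encryption


def parse_report(text):
    """Parse engine verdict rows and PE section rows out of a VirusTotal-style listing."""
    detections, sections = [], []
    for raw in text.splitlines():
        line = re.sub(r"</TD.*$", "", raw).strip()   # drop the '</TD< tr>' residue seen in the scraped copy
        m = SECTION_RE.match(line)
        if m:
            name, va, vs, rs, ent, md5 = m.groups()
            sections.append(Section(name, int(va, 16), int(vs, 16), int(rs, 16), float(ent), md5.lower()))
            continue
        m = ENGINE_RE.match(line)
        if m:
            engine, version, updated, result = m.groups()
            detections.append(Detection(engine, version, updated, result.strip()))
    return detections, sections


def detection_ratio(detections):
    """(engines that reported something, engines that scanned)."""
    hits = sum(1 for d in detections if d.result != "-")
    return hits, len(detections)


def family_tokens(detections):
    """Count name tokens across verdicts so the dominant family stands out despite vendor naming differences."""
    counts = Counter()
    for d in detections:
        if d.result == "-":
            continue
        for tok in re.split(r"[./:!\\\s]+", d.result.lower()):
            if len(tok) >= 4 and tok not in GENERIC_WORDS:
                counts[tok] += 1
    return counts


def suspicious_sections(sections, threshold=HIGH_ENTROPY):
    """Names of sections whose entropy is high enough to suggest packed or encrypted content."""
    return [s.name for s in sections if s.entropy >= threshold]


def triage(text):
    """One-call summary of a listing: detection ratio, top family tokens, high-entropy sections."""
    dets, secs = parse_report(text)
    return {"ratio": detection_ratio(dets),
            "families": family_tokens(dets).most_common(3),
            "packed_sections": suspicious_sections(secs)}


# Constructed excerpt: engine rows from the abTV.dll listing, section rows from the fhnqi.sys listing.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.25 Trojan.Win32.Jkfg!IK</TD< tr>
AhnLab-V3 5.0.0.2 2010.03.25 -
AntiVir 7.10.5.225 2010.03.25 TR/Crypt.XPACK.Gen
BitDefender 7.2 2010.03.26 Backdoor.Koutodoor.A
F-Secure 9.0.15370.0 2010.03.25 Backdoor.Koutodoor.A
Kaspersky 7.0.0.125 2010.03.25 Trojan.Win32.Jkfg.cv
Microsoft 1.5605 2010.03.25 -
NOD32 4975 2010.03.25 Win32/Koutodoor.FY
Panda 10.0.2.2 2010.03.25 Suspicious file
Prevx 3.0 2010.03.26 High Risk Cloaked Malware
TrendMicro 9.120.0.1004 2010.03.25 -
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2A0 0x5486 0x54A0 6.87 a12a663f5740a226fea22d36e5f15623
.data 0x5740 0x12A4 0x12C0 5.40 81bb5701e1470be40f0b6b539c2a4472
INIT 0x6A00 0x340 0x340 6.10 84ef3c487683660bd322fe1bb4629782
.rsrc 0x6D40 0x338 0x340 3.10 aea3e54e32d83092c4a00aa44a8eca87
.reloc 0x7080 0x4A6 0x4C0 6.43 4baacd91867f32207e59b5cc1af13beb
"""

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

On the sample this reports 8 of 11 engines detecting, "koutodoor" as the most frequent family token, and only the driver's .text section above the entropy threshold; the same functions accept a whole listing pasted in, since header lines and the "( N sections )" markers match neither pattern and are skipped.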

After all of the above, I reinstalled Internet Explorer and the symptoms were gone.

More information on the Trojan can be found at http://www.eset.eu/encyclopaedia/win32-koutodoor-en-trojan-zybr-aej-multidropper-tm

As a postscript: I have submitted the suspicious files I found to TrendMicro, and TrendMicro OfficeScan can now detect and remove the infected files.
