Orz.A Trojan

January 14, 2011

SonicWALL UTM Research team received reports of a new Trojan spreading in the wild. Once on a system it appears to post potentially sensitive information to a remote web server. In the background it installs a copy of the "Super Rabbit" system configuration software. The software is installed without user interaction or consent.

The Trojan makes DNS queries to the following hosts:

  • download.youbak.com
  • tj.pctutu.net
  • srtj.pctutu.net

The Trojan makes a request to download a silent installer for the software "Super Rabbit":

  • http://121.15.221.{removed}/soft/113/sr_v9_mini.exe
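As an added defender-side example (not part of the SonicWALL advisory), the following Python matches the DNS hosts and download URL listed above against constructed DNS and proxy log lines. The log line formats are an assumption, the redacted last octet of the download host is never guessed (only the 121.15.221. prefix is checked), and subdomains of the listed hosts are treated as hits.

```python
import re
from typing import List, Tuple

# Indicators from the advisory; the download host's last octet was redacted
# ("{removed}"), so only its /24 prefix is matched, never a guessed address.
DNS_INDICATORS = {"download.youbak.com", "tj.pctutu.net", "srtj.pctutu.net"}
DOWNLOAD_NET_PREFIX = "121.15.221."
DOWNLOAD_PATH = "/soft/113/sr_v9_mini.exe"

# Assumed log formats (constructed for this example, not from the advisory):
#   "<ts> dns query <client-ip> <qname>"  /  "<ts> proxy <client-ip> <METHOD> <url>"
_DNS_RE = re.compile(r"^\S+ dns query (?P<client>\S+) (?P<qname>\S+)$")
_PROXY_RE = re.compile(r"^\S+ proxy (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
_URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$")

def dns_match(qname: str) -> bool:
    """True if qname is one of the advisory hosts or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in DNS_INDICATORS)

def url_match(url: str) -> bool:
    """True if url points at the installer path on the advisory's /24."""
    m = _URL_RE.match(url)
    if not m:
        return False
    host, path = m.group("host").lower(), (m.group("path") or "/")
    return host.startswith(DOWNLOAD_NET_PREFIX) and path.startswith(DOWNLOAD_PATH)

def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, client_ip, matched_indicator) for every hit."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = _DNS_RE.match(line)
        if m and dns_match(m.group("qname")):
            hits.append((n, m.group("client"), m.group("qname").lower().rstrip(".")))
            continue
        m = _PROXY_RE.match(line)
        if m and url_match(m.group("url")):
            hits.append((n, m.group("client"), m.group("url")))
    return hits

SAMPLE_LOG = [  # constructed sample lines; 121.15.221.0 stands in for the redacted host
    "2011-01-14T10:00:02 dns query 10.0.0.5 download.youbak.com",
    "2011-01-14T10:00:03 dns query 10.0.0.7 TJ.PCTUTU.NET.",
    "2011-01-14T10:00:04 proxy 10.0.0.5 GET http://121.15.221.0/soft/113/sr_v9_mini.exe",
    "2011-01-14T10:00:05 proxy 10.0.0.9 GET http://121.15.222.1/soft/113/sr_v9_mini.exe",
    "2011-01-14T10:00:06 dns query 10.0.0.9 notpctutu.net",
]
```

Running `scan_log_lines(SAMPLE_LOG)` flags the first three lines only; the lookalike domain and the host outside the 121.15.221.0/24 prefix are left alone.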

The Trojan and silent installer make the following modifications to the system:

screenshot

The Trojan sends potentially sensitive information to a remote site using the HTTP POST method:

screenshot

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signature:

GAV: Orz.A (Trojan)