Trojan targeting Vietnamese Speakers

April 5, 2010

SonicWALL UTM Research team observed reports of a new Trojan targeting Vietnamese speakers, first reported by Google. The authors of this malware repackaged the malicious binary together with the Vietnamese keyboard driver VPSKeys. VPSKeys is a legitimate application that provides Vietnamese keyboard support to Windows users.

Users who downloaded this keyboard driver may not be aware that it is a tampered version, since the VPSKeys installer and the malicious binary look the same except for a discrepancy in file size.

Screenshot of VPSKeys

Installation

  • Copies and runs itself from the %User%\Application Data folder.

Files Installed

  • %User%\Application Data\Java\jre6\bin\jucheck.exe - [Detected as GAV: VBbot.V (Trojan)]
  • %User%\Application Data\Java\jre6\bin\zf32.dll
  • %User%\Application Data\Vpskeys43.exe - [Detected as GAV: VulcanBot (Trojan)]
  • Program Files\Adobe\AdobeUpdateManager.exe - [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Adobe\zf32.dll
  • Program Files\Microsoft Office\Office11\OSA.exe - [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Windows Defender\MPClient.exe - [Detected as GAV: Dosvine_2 (Trojan)]
  • Program Files\Windows Defender\MPSvc.exe - [Detected as GAV: Dosvine_3 (Trojan)]
  • Program Files\Java\jre6\bin\jucheck.exe - [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Java\jre6\bin\zf32.dll
  • Program Files\Windows NT\Windows Update\wuauclt.exe - [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Windows NT\Windows Update\zf32.dll
  • %Windir%\system32\mscommon.inf
  • %Windir%\system32\msconfig32.sys
  • %Windir%\system32\zf32.dll
  • %Windir%\system32\Setup\AdobeUpdateManager.exe - [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\jucheck.exe - [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\MPClient.exe - [Detected as GAV: Dosvine_2 (Trojan)]
  • %Windir%\system32\Setup\MPSvc.exe - [Detected as GAV: Dosvine_3 (Trojan)]
  • %Windir%\system32\Setup\OSA.exe - [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\wuauclt.exe - [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\zf32.dll

Registry Changes

    Added Registry

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Userinit
    Data: "C:\WINDOWS\System32\userinit.exe,C:\Program Files\Adobe\AdobeUpdateManager.exe"

    Added to run the binary as a service

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jucheck
    Value: ImagePath
    Data: C:\Program Files\Java\jre6\bin\jucheck.exe

    Added to run the binary on every Windows startup

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Adobe Update Manager
    Data: "C:\Program Files\Adobe\AdobeUpdateManager.exe"
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Microsoft Office quick launch
    Data: "C:\Program Files\Microsoft Office\Office11\OSA.exe"
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Windows Update Automatic Updates
    Data: "C:\Program Files\Windows NT\Windows Update\wuauclt.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Adobe Update Manager
    Data: "C:\Program Files\Adobe\AdobeUpdateManager.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Microsoft Office quick launch
    Data: "C:\Program Files\Microsoft Office\Office11\OSA.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Windows Update Automatic Updates
    Data: "C:\Program Files\Windows NT\Windows Update\wuauclt.exe"

    Added to run the binary in Windows Safe Mode

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jucheck
    Value: @
    Data: "Service"
  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\jucheck
    Value: @
    Data: "Service"

    Modified Registry

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Userinit
    Original Data: "C:\WINDOWS\System32\userinit.exe,"
    Modified Data: "C:\WINDOWS\System32\userinit.exe,C:\Program Files\Adobe\AdobeUpdateManager.exe"
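A host check for the file and registry indicators in the Files Installed and Registry Changes sections above, as an added example that is not part of the SonicWALL advisory. The paths, value names and key names are taken from those listings; the function names, the mapping of %User%\Application Data onto $env:APPDATA, the inclusion of Program Files (x86) on 64-bit hosts, and the Authenticode check are this example's own choices.

```powershell
# Added example (not from the SonicWALL advisory): checks a Windows host for the
# file and registry persistence artifacts listed in the advisory. Indicator names
# and paths are the advisory's; the function names, the %User%\Application Data
# -> $env:APPDATA mapping and the output shape are assumptions made here.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$RunValueNames = @(
    'Adobe Update Manager',
    'Microsoft Office quick launch',
    'Windows Update Automatic Updates'
)
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$ServiceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\jucheck',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jucheck',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\jucheck'
)

# Dropped files, relative to the directory each group is written into.
$AppDataFiles = @('Java\jre6\bin\jucheck.exe', 'Java\jre6\bin\zf32.dll', 'Vpskeys43.exe')
$ProgramFilesFiles = @(
    'Adobe\AdobeUpdateManager.exe', 'Adobe\zf32.dll',
    'Microsoft Office\Office11\OSA.exe',
    'Windows Defender\MPClient.exe', 'Windows Defender\MPSvc.exe',
    'Java\jre6\bin\jucheck.exe', 'Java\jre6\bin\zf32.dll',
    'Windows NT\Windows Update\wuauclt.exe', 'Windows NT\Windows Update\zf32.dll'
)
$WindirFiles = @(
    'system32\mscommon.inf', 'system32\msconfig32.sys', 'system32\zf32.dll',
    'system32\Setup\AdobeUpdateManager.exe', 'system32\Setup\jucheck.exe',
    'system32\Setup\MPClient.exe', 'system32\Setup\MPSvc.exe',
    'system32\Setup\OSA.exe', 'system32\Setup\wuauclt.exe', 'system32\Setup\zf32.dll'
)

function Get-IndicatorFilePaths {
    # A 32-bit dropper lands in Program Files (x86) on 64-bit Windows, so check both.
    $programDirs = @($env:ProgramFiles)
    if (${env:ProgramFiles(x86)}) { $programDirs += ${env:ProgramFiles(x86)} }

    $paths = @()
    foreach ($f in $AppDataFiles) { $paths += Join-Path $env:APPDATA $f }
    foreach ($d in $programDirs) {
        foreach ($f in $ProgramFilesFiles) { $paths += Join-Path $d $f }
    }
    foreach ($f in $WindirFiles) { $paths += Join-Path $env:windir $f }
    return $paths
}

function Test-VulcanbotIndicators {
    $hits = @()

    # Run keys: the value names impersonate Adobe, Office and Windows Update.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $RunValueNames) {
            if ($null -ne $props.$name) {
                $hits += [pscustomobject]@{ Type = 'RunValue'; Location = "$key\$name"; Detail = $props.$name }
            }
        }
    }

    # Winlogon\Userinit: anything chained after userinit.exe runs at every logon.
    # A Userinit value under HKCU is unusual in itself; the advisory shows one being written there.
    foreach ($key in $WinlogonKeys) {
        if (-not (Test-Path $key)) { continue }
        $userinit = (Get-ItemProperty -Path $key).Userinit
        if (-not $userinit) { continue }
        $extra = $userinit.Split(',') | Where-Object { $_.Trim() -and $_.Trim() -notmatch '\\userinit\.exe$' }
        if ($extra) {
            $hits += [pscustomobject]@{ Type = 'Userinit'; Location = "$key\Userinit"; Detail = ($extra -join ',') }
        }
    }

    # Service and SafeBoot entries named jucheck (the SafeBoot entries keep it running in Safe Mode).
    foreach ($key in $ServiceKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $detail = if ($props.ImagePath) { $props.ImagePath } else { $props.'(default)' }
        $hits += [pscustomobject]@{ Type = 'ServiceKey'; Location = $key; Detail = $detail }
    }

    # Dropped files. OSA.exe (Office 2003) and jucheck.exe (JRE 6) are also names of
    # legitimate signed binaries, so the Authenticode status is reported with each hit
    # instead of treating presence as proof of infection.
    foreach ($path in Get-IndicatorFilePaths) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $hits += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "Authenticode: $($sig.Status)" }
        }
    }

    return $hits
}

Test-VulcanbotIndicators | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the HKLM keys and Program Files are readable. A file hit whose Authenticode status is Valid is most likely the legitimate Office or JRE binary the Trojan impersonates; an unsigned file at one of these paths, a wuauclt.exe anywhere other than System32, or any entry chained after userinit.exe is what should be pulled for analysis.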

Process Created

  • jucheck.exe
  • AdobeUpdateManager.exe
  • MPSvc.exe
  • wuauclt.exe
  • OSA.exe

Network Activity

It tries to connect to the following domains:

  • adobe.ath.cx
  • blogspot.blogsite.org
  • google.homeunix.com
  • tyuqwer.dyndns.org
  • update-adobe.com
  • voanews.ath.cx
  • ymail.ath.cx

This malware is also known as W32/Vulcanbot [McAfee], Win32/VBbot.V [Microsoft], and VBbot.A [ESET].

SonicWALL Gateway AntiVirus provides protection against this Trojan via the GAV: Vulcanbot (Trojan), GAV: Dosvine (Trojan), GAV: Dosvine_2 (Trojan), GAV: Dosvine_3 (Trojan) and GAV: VBbot.V (Trojan) signatures.