

VIRUS ALERTS

Conhook Trojan

Original issue date: November 30, 2007

It has been observed that a Trojan called “Conhook” and its variants are spreading widely. The Trojan propagates by being dropped by other malware or by pretending to be a harmless file, which unsuspecting users download while browsing malicious websites.

This Trojan bypasses permission-based firewalls, uses the Background Intelligent Transfer Service (BITS) to download further malware onto the compromised computer, and binds itself to running processes such as Explorer.exe and Winlogon.exe.
Background Intelligent Transfer Service (BITS) is a Windows operating-system service used by Windows itself to download the latest patches for the operating system.

Some variants, such as Win32/Conhook.B, install themselves as a Browser Helper Object (BHO) and terminate specific security services.
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser, intended to add functionality to the browser.

Aliases: Trojan-Downloader.Win32.ConHook.b [Kaspersky Lab], Downloader-ZM [McAfee], Trojan Horse [Symantec], Trj/Downloader.CCX [Panda]

Upon execution, the Trojan variants:

•  Installs itself to the <system folder> as a .DLL with a random five-letter name such as 'hsujl.dll'.
The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista); C:\Winnt\System32 (Windows NT/2000); C:\Windows\System (Windows 95/98/ME).

•  Modifies the registry to load the Trojan at Windows startup:

•  Adds value: {EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
To subkey: HKEY_CLASSES_ROOT\CLSID

•  Adds value: InprocServer32
With data: <system folder>\<Trojan filename>
To subkey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}

•  Adds value: {EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

•  Adds value: <Trojan filename>
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

•  Creates the following registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Dstr5
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Rasap2K
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dstr5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rasap2K

•  Creates one of these keys within the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID:
{40910BCF-0B02-417e-8C81-BC2124376133}\InprocServer32\
{64A31598-EEEC-4f1d-8D04-DACC1E2D5407}\InprocServer32\
{A5A925F3-6B88-4138-8092-16D95CD50D91}\InprocServer32\
{B8FD9F6C-AA0E-4fc3-A239-1C9A0CD80D47}\InprocServer32\
{DD13730A-FBA1-4f91-AB25-7FEB0563D33B}\InprocServer32\
With value: InprocServer32\<value> = "<system folder>\<random file name>.dll"

•  Creates one of these keys within the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects:

{40910BCF-0B02-417e-8C81-BC2124376133}
{64A31598-EEEC-4f1d-8D04-DACC1E2D5407}
{A5A925F3-6B88-4138-8092-16D95CD50D91}
{B8FD9F6C-AA0E-4fc3-A239-1C9A0CD80D47}
{DD13730A-FBA1-4f91-AB25-7FEB0563D33B}

•  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon\Notify\
DllName = "<system folder>\<random file name>.dll"

•  Modifies the following registry entries:
Set "(default)" = "4877f10167414601835343328a816dfa"
In subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC
Set "ProxyBypass" = "1"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\

•  Connects to a remote Web site to download content using a server-side script

•  Creates mutexes named "awx_mutant" and "_ConsprMutex"

•  Injects code into Explorer.exe and Winlogon.exe

•  Injects code into "ad-aware.exe" to run code in an existing process

•  Attempts to terminate any running process named "gcasservalert.exe"
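The registry locations above are the persistence points a responder would sweep first. The following PowerShell script is an added example and not part of the CERT-In advisory: it performs a read-only check of each location the advisory names (the CLSIDs, the ShellExecuteHooks and Browser Helper Objects entries, the Winlogon\Notify packages, and the Dstr5/Rasap2K/CAC keys) and reports what it finds. The five-letter DLL-name check under Winlogon\Notify is a heuristic drawn from the advisory's "random five letter name" description, so its hits need review rather than being treated as proof. The allowlist-free approach here assumes nothing beyond what the advisory lists; run it from an elevated session, and note that HKCU checks only cover the user running it.

```powershell
# Added example, not part of the CERT-In advisory: a read-only sweep of the
# persistence locations the advisory lists. Run from an elevated PowerShell
# session; HKCU checks cover only the user running the script.
$ConhookClsids = @(
    '{EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}',
    '{40910BCF-0B02-417e-8C81-BC2124376133}',
    '{64A31598-EEEC-4f1d-8D04-DACC1E2D5407}',
    '{A5A925F3-6B88-4138-8092-16D95CD50D91}',
    '{B8FD9F6C-AA0E-4fc3-A239-1C9A0CD80D47}',
    '{DD13730A-FBA1-4f91-AB25-7FEB0563D33B}'
)
$Findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Where, [string]$What) {
    [void]$Findings.Add([pscustomobject]@{ Location = $Where; Detail = $What })
}

# 1. COM registrations of the known CLSIDs (InprocServer32 default value -> DLL path)
foreach ($clsid in $ConhookClsids) {
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    if (Test-Path $key) {
        Add-Finding $key ((Get-ItemProperty -Path $key).'(default)')
    }
}

# 2. ShellExecuteHooks: each value is named after the CLSID it loads into Explorer
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooks) {
    $names = (Get-ItemProperty -Path $hooks).PSObject.Properties | ForEach-Object { $_.Name }
    foreach ($clsid in $ConhookClsids) {
        if ($names -contains $clsid) { Add-Finding $hooks "value $clsid present" }
    }
}

# 3. Browser Helper Objects: one subkey per registered BHO CLSID
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($clsid in $ConhookClsids) {
    $key = Join-Path $bho $clsid
    if (Test-Path $key) { Add-Finding $key 'BHO registered' }
}

# 4. Winlogon\Notify packages whose DllName is a five-letter lowercase name,
#    matching the advisory's "random five letter name" (heuristic: review, not proof)
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
        if ($dll -and ([IO.Path]::GetFileName($dll) -match '^[a-z]{5}\.dll$')) {
            Add-Finding $sub.PSPath "DllName = $dll"
        }
    }
}

# 5. Marker keys the advisory says the Trojan creates or modifies
$markers = @(
    'HKLM:\SOFTWARE\Microsoft\Dstr5', 'HKLM:\SOFTWARE\Microsoft\Rasap2K',
    'HKCU:\SOFTWARE\Microsoft\Dstr5', 'HKCU:\SOFTWARE\Microsoft\Rasap2K',
    'HKCU:\SOFTWARE\Microsoft\CAC'
)
foreach ($key in $markers) {
    if (Test-Path $key) { Add-Finding $key 'key exists' }
}

if ($Findings.Count -gt 0) {
    $Findings | Format-Table -AutoSize
} else {
    'No Conhook registry indicators found.'
}
```

The script only reads; any DLL it points at should be copied for analysis before the corresponding key is removed, since the CLSID under HKLM\SOFTWARE\Classes\CLSID tells you which file the ShellExecuteHooks and BHO entries actually load.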


In view of the rapid propagation of the Conhook Trojan variants, users are advised to implement the following countermeasures:

  • Configure the desktop firewall so that download jobs created with BITS are restricted to trusted URLs only
  • Delete the registry keys made by the Trojan mentioned above
  • Install and maintain updated anti-virus software at gateway and desktop level
  • Keep up-to-date on patches and fixes on the operating system
  • Install and maintain Desktop Firewall and block the ports and programs which are not required
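Because the Trojan uses BITS for its downloads, the first countermeasure depends on being able to see which BITS jobs exist and where they fetch from. The PowerShell below is an added example, not code from the advisory: it enumerates the BITS jobs of all users and flags any whose remote URL is not on a trusted-host allowlist. The allowlist contents are a placeholder assumption to be replaced with the update hosts an environment actually trusts; the BitsTransfer module ships with Windows 7 / Server 2008 R2 and later, and on the older systems the advisory targets the equivalent listing comes from `bitsadmin /list /allusers /verbose`.

```powershell
# Added example, not part of the CERT-In advisory: list BITS download jobs for
# all users and flag any whose remote URL is not on a trusted-host allowlist.
# Requires an elevated session and the BitsTransfer module (Windows 7 /
# Server 2008 R2 and later); on older systems use: bitsadmin /list /allusers /verbose
Import-Module BitsTransfer

# Hypothetical allowlist: replace with the update hosts your environment trusts.
$TrustedHosts = @('windowsupdate.microsoft.com', 'download.windowsupdate.com', 'update.microsoft.com')

function Test-TrustedHost([string]$HostName) {
    # Exact match or a subdomain of a trusted host
    foreach ($trusted in $TrustedHosts) {
        if ($HostName -eq $trusted -or $HostName.EndsWith(".$trusted")) { return $true }
    }
    return $false
}

$Suspect = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        $uri = [System.Uri]($file.RemoteName)
        if (-not (Test-TrustedHost $uri.Host)) {
            [pscustomobject]@{
                JobId  = $job.JobId
                Owner  = $job.OwnerAccount
                State  = $job.JobState
                Remote = $file.RemoteName
                Local  = $file.LocalName
            }
        }
    }
}

if ($Suspect) {
    $Suspect | Format-Table -AutoSize
    # After review, a confirmed malicious job can be cancelled with:
    #   Get-BitsTransfer -AllUsers | Where-Object { $_.JobId -eq '<job id>' } | Remove-BitsTransfer
} else {
    'All BITS jobs download from trusted hosts.'
}
```

The local path of a flagged job is worth recording as well as the URL: a job writing into the system folder under a five-letter DLL name matches the advisory's description of where the Trojan installs itself.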

References

Microsoft
http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan:Win32/Conhook.A
http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan:Win32/Conhook.B
http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan:Win32/Conhook.D

Symantec
http://www.symantec.com/security_response/writeup.jsp?docid=2003-120914-4108-99&tabid=1

Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VUNDO.BB

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003