HOME > VIRUS ALERTS


VIRUS ALERTS

Trojan Clampi

Original issue date: January 23, 2008

It has been observed that Trojan Clampi is spreading in the wild. This Trojan gets downloaded on the system while visiting infected website without user’s knowledge with random name at location “C:\”. The infected websites are victim of the mass attack launched against Linux/Apache server. Downloaded malware can steal credentials such as usernames, passwords, credit card numbers, and online payment accounts from compromised system.

Malware further connects to some websites for malicious activities.

Trojan is also detected as Win32.Trojan-Downloader.Agent.hlp (CAT-QuickHeal), Virus.Win32.Agent.hlp (Kaspersky), Trojan:Win32/Ilomo.gen!A (Microsoft).

Upon execution the Trojan:

Creates following files:

  • %UserProifile%\Administrator\Local Settings\Temp\[ORIGINAL FILE NAME].exe
  • %System%\regscan.exe

Creates following following registry keys:

  • To make sure execution of malware at every startup:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "" = C:\WINDOWS\system32\regscan.exe
  • To open TCP port 64758 at firewall:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
    \Services\SharedAccess\Parameters\Firewall
    Policy\StandardProfile\GloballyOpenPorts\List
    "" = 64758:TCP:*:Enabled:PORT_64758
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\
    GloballyOpenPorts\List "" =64758:TCP:*:Enabled:PORT_64758
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
    Settings "" = [REG_BINARY, size: 4 bytes]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
    Settings "" = [REG_BINARY, size: 95 bytes]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
    Settings "" = [REG_BINARY, size: 256 bytes]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
    Settings "" = [REG_BINARY, size: 4 bytes]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
    Settings "" = [REG_BINARY, size: 24 bytes]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
    Settings "" = [REG_BINARY, size: 3230 bytes]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ Settings "" =[REG_BINARY,HKEY_CURRENT_USER\Software\
    Microsoft\Internet Explorer\Settings "" = [REG_BINARY,
    size: 89756 bytes]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
    Settings "" = [REG_BINARY, size: 71972 bytes]

Listen for connections from following websites on TCP port 64758

  • Anamality DOT info
  • Criticalfactor DOT cc
  • Wiredx DOT in

In view of rapid propagation of the Trojan, users are advised to implement following countermeasures:

  • Delete/unregister Executables/DLLs used by the Trojan with the abovementioned names
  • Delete the registry keys made by the Trojan mentioned
    above
  • Follow the following steps to delete locally stored username and password/credentials/privileges and check the settings regularly

       Internet Explorer :

  • Right-click 'Internet Explorer' icon, Select 'Internet Options' from the menu
    OR
    Open 'Internet Explorer' , click Tools from the menu, click 'Internet Options'
  • In 'Internet Options' windows General Tab, under 'Browsing history' heading click 'Delete'
  • In 'Delete Browsing History' window click 'Delete all' Tab
  • Again sub Window of 'Delete Browsing History' will open
  • Select 'Also delete files and settings stored by add-ons'
  • click Yes
  • Click on 'Advanced Tab'
  • Under 'settings' heading scroll down for 'security' sub -head
  • Select 'Empty Temporary Internet Files folder when browser is closed'
  • click OK

Mozilla Firefox:

  • Open 'Mozilla Firefox' Browser
  • Click on Tools menu, Select 'Privacy' Tab
  • Under History heading
    Uncheck 'Remember what I enter in forms and search bar'
  • Under Private Data heading
    Select 'Always clear my private data when I close Firefox'
  • Click on 'Settings' tab under Private Data heading
  • In 'Clear Private Data' window, Select all components
  • Click OK to close 'Clear Private Data' window
  • Select 'Security' tab from 'options' window
  • Under 'Passwords' heading, uncheck 'Remember' password for site'
  • click OK to close 'Options' window.
    After configuring above-mentioned settings whenever a user closes the 'Mozilla Firefox' Application 'Clear Private Data' Window will appear.
  • Select 'Clear Private Data Now'
  • Install and maintain updated anti-virus software at gateway and desktop level
  • Install and maintain updated anti-spyware software at desktop level
  • Keep up-to-date on patches and fixes on the operating system and application software.
  • Install and maintain Desktop Firewall and block the ports which are not required
  • Install and maintain Host Based Intrusion Prevention System
  • In case it is suspected that financial or personal information is compromised , immediately contact concerned financial institution/Bank and report the same

References

http://www.symantec.com/security_response/writeup.jsp?docid=2008-011616-5036-99&tabid=2
http://www.secureworks.com/research/threats/linuxservers/?threat=linuxservers

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003