Trojan Win32.Chymine
Original issue date: July 28, 2010
It has been observed that a trojan family dubbed Chymine is prevalent. It is reported to be exploiting a recently disclosed zero-day vulnerability (CIVN-2010-169, CVE-2010-2568) in Microsoft Windows, which fails to properly handle shortcut files (.PIF, .LNK).
The trojan may be dropped by other malware or when visiting malicious sites. It arrives as a DLL file and is launched and executed by other malware such as Exploit.Win32.CplLnk.A.
Once installed, it drops further malware such as keyloggers into the infected system and registers itself as a system service, creating the appropriate registry keys/entries so that it is executed automatically at every system startup.
Aliases:
Trojan-Downloader:W32/Chymine.A (F-Secure), Backdoor.Trojan (Symantec), Trojan:Win32/Chymine.A (Microsoft), Trojan-Downloader.Win32.Chymine (Ikarus), Trojan-Downloader.Win32.Tiny.cmq (Kaspersky Lab)
Upon execution, variants of the trojan:
- Drop the files
  - %System Root%\Documents and Settings\All Users\rundll32 (MD5: 0x75AF555E55689DB1647B0C6B73BFF4B3)
  - %LocalSettings%\{Random File Name}.exe (MD5: 0x8358193945474F68A2D498CBED8EB97E)
  - %System%\{4 Random Numbers}~1\.dll (copy of the trojan with rootkit capabilities)
- Create the registry keys
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPRIP
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPRIP\0000
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPRIP\0000\Control
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Iprip
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Iprip\Parameters
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Iprip\Security
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Iprip\Enum
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPRIP
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPRIP\0000
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPRIP\0000\Control
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Security
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Enum
- Inject into the following processes
- Send requests to the following hosts
  - http : //{removed}c. laws. Ms
  - 205.209.171.[removed]
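A host-side triage check for the indicators listed above, written for this page as an added example (it is not part of the CERT-In advisory). It assumes PowerShell 4 or later (for Get-FileHash), administrator rights on the suspect host, and that the random-name placeholders correspond to a four-digit `NNNN~1` directory under System32 and an .exe in the user's Local Settings folder; it only reports, and deletes nothing.

```powershell
# Added triage script (not from the CERT-In advisory). Reads the Iprip service
# registration and hashes files found in the advisory's drop locations against
# the two MD5s it lists. Report only; nothing is modified or deleted.
$KnownMd5 = @('75AF555E55689DB1647B0C6B73BFF4B3', '8358193945474F68A2D498CBED8EB97E')

# "Iprip" is also the service name of the legitimate RIP Listener on older Windows
# releases, so the mere presence of the key is not proof of infection. What matters
# is the ImagePath / ServiceDll it points to, so those are printed for review.
foreach ($set in 'ControlSet001', 'CurrentControlSet') {
    $svc = "HKLM:\SYSTEM\$set\Services\Iprip"
    if (Test-Path $svc) {
        $props = Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue
        $dll   = (Get-ItemProperty -Path "$svc\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        "[$set] Iprip service present: ImagePath='$($props.ImagePath)' ServiceDll='$dll'"
    }
    if (Test-Path "HKLM:\SYSTEM\$set\Enum\Root\LEGACY_IPRIP") {
        "[$set] LEGACY_IPRIP enum key present"
    }
}

# Drop locations from the advisory. The patterns for the random names are
# assumptions: a directory matching NNNN~1 under System32 holding a .dll,
# and any .exe directly inside the user's Local Settings folder.
$allUsers      = Join-Path $env:SystemDrive 'Documents and Settings\All Users'
$localSettings = Join-Path $env:USERPROFILE 'Local Settings'
$candidates = @()
$candidates += Get-ChildItem -Path (Join-Path $allUsers 'rundll32*') -File -ErrorAction SilentlyContinue
$candidates += Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32') -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d{4}~1$' } |
    Get-ChildItem -Filter '*.dll' -File -ErrorAction SilentlyContinue
$candidates += Get-ChildItem -Path $localSettings -Filter '*.exe' -File -ErrorAction SilentlyContinue

# Hash each candidate and compare against the advisory's MD5s.
foreach ($f in $candidates) {
    $md5  = (Get-FileHash -Algorithm MD5 -Path $f.FullName).Hash
    $flag = if ($KnownMd5 -contains $md5) { 'MATCH   ' } else { 'no match' }
    "$flag  $md5  $($f.FullName)"
}
```

A `MATCH` line ties a file to one of the advisory's samples; an Iprip entry whose ServiceDll points outside the normal System32 location should be examined even without a hash match, since repacked variants will not share these MD5s.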
Countermeasures:
- Delete the files and registry entries created by the Chymine trojan listed above.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Apply the appropriate patches as described in CERT-In vulnerability note CIVN-2010-169.
- Use caution when opening attachments and accepting file transfers.
- Use caution when clicking on links to web pages.
References
http://www.threatexpert.com/report.aspx?md5=9afa135ded996b7e2512645166b00e10
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_CHYMINE.A&VSect=T
http://www.microsoft.com/technet/security/advisory/2286198.mspx
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fChymine.A
http://www.cert-in.org.in/vulnerability/civn-2010-169.htm
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003