VIRUS ALERTS

Trojan HORST

Original issue date: November 20, 2006

It has been observed that Trojan HORST is spreading in the wild via the MEDBOT bot family. The Trojan acts as a proxy server on the affected system and listens on a random TCP port. It receives a request from the user, forwards it to the target server, and, upon receiving the server's reply, forwards that reply back to the requesting user. This mechanism is deliberately used to hide the identity of the malicious remote attacker.

Variants: TROJ_HORST.GF, TROJ_HORST.CK, TROJ_HORST.GM, TROJ_HORST.GL, TROJ_HORST.GN [Trend Micro]

Upon execution, a HORST variant:

  • Drops a copy of itself as SMSS.EXE in the Windows SYSTEM folder.
  • Creates the following registry entry to ensure it runs automatically at every system startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    .nvsvc = "%Windows%\system\smss.exe /w"
  • Creates the following registry entries as part of its installation routine (the first adds a Windows Firewall exception for itself under the name "Microsoft Update"):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    {Malware path and file name} = "{Malware path and file name}:*:Enabled: Microsoft Update"

    HKEY_CURRENT_USER\Software\Microsoft\PModule
  • Disables the Windows Update service (wuauserv) by setting its start type to 4 (Disabled):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    Start = "4"
  • Terminates the following antivirus and security-related processes found running on the affected system:
    • KAVPersonal50
    • kavsvc
    • SAVScan
    • Symantec Core LC
    • wscsvc
    • wuauserv

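As an added example (not part of the CERT-In advisory), the following PowerShell script reads the locations listed above on a Windows host and reports anything that matches. The registry keys, value names, dropped file name and service names are those given in the advisory; the script itself and its output format are assumptions of this example. It only reads from the system and changes nothing, so it is safe to run from an elevated prompt on a suspect machine.

```powershell
# Added example, not from the CERT-In advisory: read-only check for the
# HORST indicators it lists. Paths and names below come from the advisory;
# the script layout and messages are this example's own.
$findings = @()

# 1. Autorun value ".nvsvc" under the HKLM Run key
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['.nvsvc']) {
    $findings += "Run value '.nvsvc' present: $($run.'.nvsvc')"
}

# 2. Dropped copy: smss.exe in %WINDIR%\system
#    (the legitimate Session Manager lives in %WINDIR%\System32)
$dropped = Join-Path $env:WINDIR 'system\smss.exe'
if (Test-Path $dropped) {
    $findings += "Unexpected file: $dropped"
}

# 3. Windows Firewall exception registered under the name "Microsoft Update"
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... properties PowerShell adds to the object
        if ($p.Name -like 'PS*') { continue }
        if ($p.Value -is [string] -and $p.Value -like '*:Enabled:*Microsoft Update*') {
            $findings += "Firewall exception '$($p.Name)' = $($p.Value)"
        }
    }
}

# 4. Installation marker key
if (Test-Path 'HKCU:\Software\Microsoft\PModule') {
    $findings += 'Key HKCU\Software\Microsoft\PModule exists'
}

# 5. Windows Update service start type set to 4 (Disabled)
$wu = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv' -ErrorAction SilentlyContinue
if ($wu -and $wu.Start -eq 4) {
    $findings += 'wuauserv Start = 4 (service disabled)'
}

# 6. Services the Trojan terminates: report any that exist but are not running
foreach ($svc in 'kavsvc', 'wscsvc', 'wuauserv', 'Symantec Core LC') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') {
        $findings += "Service '$svc' is $($s.Status)"
    }
}

if ($findings.Count -eq 0) {
    'No HORST indicators found.'
} else {
    $findings
}
```

A single hit from check 6 is weak evidence on its own (Security Center or Windows Update may be stopped for unrelated reasons); the autorun value, the smss.exe copy outside System32 and the firewall exception are the indicators that point specifically at this family and should be followed up with a signature scan.
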
Users are advised to implement the following countermeasures:

  • Keep anti-virus signatures up to date.
  • Maintain an anti-spam solution at the gateway level.
  • Apply appropriate security updates at the OS level and to applications such as web browsers.
  • Keep anti-spyware definitions up to date.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FHORST%2ECK

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FHORST%2EGF

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FHORST%2EGL

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FHORST%2EGM

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FHORST%2EGN

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information
Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003