Short description
The trojan program is designed to deliver various advertisements to the user's systems. The file is run-time compressed using UPX.
Installation
When executed, the trojan creates the following files:
- %system%\sysintm.dll (32256 B, Win32/Agent.OGA)
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "sysintm.dll"
"LoadAppInit_DLLs" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\IntMayak]
"Config" = %variable%
The %variable% represents a random number.
This way the trojan ensures that the library it dropped (sysintm.dll, named in AppInit_DLLs) will be injected into all running processes.
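The artifacts listed above (the AppInit_DLLs value, the LoadAppInit_DLLs switch, the IntMayak configuration key and the dropped DLL) can be checked directly on a host. The following PowerShell script is an added example written for this entry, not code from the original description or from the trojan; it assumes an elevated session and checks both the native and the Wow6432Node/SysWOW64 locations, since a 32-bit sample on a 64-bit Windows is redirected there. The file size comparison is only a weak indicator and is reported as such.

```powershell
# Added example: host check for the Win32/Agent.OGA persistence artifacts listed in this entry.
# Assumptions: run as Administrator; PowerShell 3.0 or later (Get-FileHash).
$findings = @()

# 1. AppInit_DLLs persistence. On 64-bit Windows a 32-bit sample writes to the Wow6432Node view.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    if ($props.AppInit_DLLs -and $props.AppInit_DLLs -match 'sysintm\.dll') {
        $findings += "AppInit_DLLs in $key references sysintm.dll: '$($props.AppInit_DLLs)'"
    }
    if ($props.LoadAppInit_DLLs -eq 1) {
        $findings += "LoadAppInit_DLLs is 1 in $key (DLLs listed in AppInit_DLLs are loaded into every process that loads user32.dll)"
    }
}

# 2. The configuration key the trojan creates ("Config" holds a random number).
foreach ($cfgKey in 'HKLM:\SOFTWARE\IntMayak', 'HKLM:\SOFTWARE\Wow6432Node\IntMayak') {
    if (Test-Path $cfgKey) {
        $cfg = Get-ItemProperty -Path $cfgKey -ErrorAction SilentlyContinue
        $findings += "Registry key $cfgKey exists (Config = $($cfg.Config))"
    }
}

# 3. The dropped DLL in %system% (System32, or SysWOW64 for a 32-bit sample on 64-bit Windows).
$expectedSize = 32256   # size stated in this entry; a mismatch does not rule out a variant
foreach ($dir in 'System32', 'SysWOW64') {
    $dll = Join-Path $env:SystemRoot (Join-Path $dir 'sysintm.dll')
    if (Test-Path $dll) {
        $item = Get-Item $dll
        $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
        $sizeNote = if ($item.Length -eq $expectedSize) { 'size matches entry' } else { 'size differs from entry' }
        $findings += "File present: $dll ($($item.Length) bytes, $sizeNote, SHA256 $hash)"
    }
}

if ($findings.Count -eq 0) {
    'No Win32/Agent.OGA persistence artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Because AppInit_DLLs loads the listed DLL into every process that maps user32.dll, a positive finding on LoadAppInit_DLLs together with an unexpected AppInit_DLLs entry is worth treating as a persistence indicator on its own, regardless of whether the sysintm.dll name matches. Secure Boot-enabled Windows 8 and later ignores AppInit_DLLs, so on such systems the value being set is an artifact of the infection rather than an active load path.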
Other information
The trojan creates and runs a new thread with its own program code within the following processes:
- chrome.exe
- firefox.exe
- iexplore.exe
- maxthon.exe
- opera.exe
- safari.exe
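The injection described above leaves a visible trace: the trojan's DLL appears in the module list of the affected browser processes (and, through AppInit_DLLs, of most other user-mode processes). The script below is an added example, not part of the original entry, that enumerates running processes, reports any in which sysintm.dll is loaded, and marks the browser processes this entry names. It assumes an elevated session; a 64-bit PowerShell host cannot read the module list of a 32-bit process, so those are reported as unchecked rather than silently skipped.

```powershell
# Added example: find processes that have the trojan's DLL mapped.
# Assumptions: run as Administrator; 64-bit PowerShell cannot enumerate modules of 32-bit processes
# (and vice versa), so such processes are listed as "unchecked".
$suspectModule = 'sysintm.dll'
$browserNames  = 'chrome', 'firefox', 'iexplore', 'maxthon', 'opera', 'safari'

$results = foreach ($proc in Get-Process) {
    $status = 'clean'
    $path   = $null
    try {
        # Accessing .Modules throws for processes of the other bitness or protected processes.
        $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq $suspectModule }
        if ($hit) {
            $status = 'INJECTED'
            $path   = ($hit | Select-Object -First 1).FileName
        }
    } catch {
        $status = 'unchecked'
    }
    [pscustomobject]@{
        Process   = $proc.ProcessName
        PID       = $proc.Id
        Browser   = ($browserNames -contains $proc.ProcessName.ToLower())
        Status    = $status
        ModulePath = $path
    }
}

# Show injected processes first, then anything that could not be inspected.
$results | Where-Object { $_.Status -ne 'clean' } |
    Sort-Object @{ Expression = 'Status'; Descending = $true }, Browser -Descending |
    Format-Table Process, PID, Browser, Status, ModulePath -AutoSize

$injectedBrowsers = $results | Where-Object { $_.Status -eq 'INJECTED' -and $_.Browser }
if ($injectedBrowsers) {
    "[!] $suspectModule is loaded in $($injectedBrowsers.Count) browser process(es); network API hooking is likely active."
}
```

Run the script from a PowerShell host of the same bitness as the browsers being checked, or run it once from each, to avoid leaving the relevant processes in the "unchecked" state. A module present in a browser process under this name, combined with the registry findings from the installation section, is sufficient to treat the host as infected; the hooked ws2_32.dll functions listed below are the mechanism by which the injected code sees the browser's traffic.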
The trojan hooks the following Windows APIs:
- closesocket (ws2_32.dll)
- connect (ws2_32.dll)
- ioctlsocket (ws2_32.dll)
- select (ws2_32.dll)
- send (ws2_32.dll)
- recv (ws2_32.dll)
- WSASend (ws2_32.dll)
- WSARecv (ws2_32.dll)
- WSASocketW (ws2_32.dll)
- WSAConnect (ws2_32.dll)
- WSAWaitForMultipleEvents (ws2_32.dll)
- WSAGetOverlappedResult (ws2_32.dll)
- WSACreateEvent (ws2_32.dll)
- WSACloseEvent (ws2_32.dll)
- WSASetEvent (ws2_32.dll)
- WSAResetEvent (ws2_32.dll)
- WSAAsyncSelect (ws2_32.dll)
- WSAEnumNetworkEvents (ws2_32.dll)
- WSAEventSelect (ws2_32.dll)
When the user enters certain keywords into the browser, the trojan opens certain URLs related to them.
The following keywords are monitored:
- odnoklasniki.ru
- odnoklassniki.ru
- vkontakte.ru
The trojan opens the following URLs:
- http://91.213.174.36/promo/odnkl/
- http://91.213.174.36/promo/vk/