Trojan:Win32/Refpron.gen is a trojan that installs a service that allows it to periodically download and execute arbitrary files from a remote server.
Installation
Trojan:Win32/Refpron.gen runs from its original location, and is most likely installed by another piece of malware. It has been observed using filenames such as the following:
perfs.exe
routing.exe
WServing.exe
AFinding.exe
Nobicyt.exe
sobicyt.exe
tdxdowkc.exe
afisicx.exe
sotpeca.exe
wsldoekd.exe
macidwe.exe
roxtctm.exe
soxpeca.exe
mabidwe.exe
solewxte.exe
In order to run, it requires that the clean Borland library file rtl60.bpl be present on the affected system.
It writes a 9 digit version number to <system folder>\comsa32.sys and sets the timestamp of this file to be the same as that of <system folder>\comcat.dll.
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It also copies the clean system file <system folder>\urlmon.dll to %Temp%\mta<up to 6 random digits>.dll.
Trojan:Win32/Refpron.gen may make the following modifications to the registry:
To key: HKLM\SOFTWARE\Microsoft\WBEM\
Adds value: BuildW
With data: <encrypted name of file to be downloaded>
Examples of these values include the following:
d9bTjNwo6cvKYA
PlAdkM3dDgnvV+L
XBpzhoYHmRhuBQC
BdU9Nc3qmVpBIJF
Adds value: _<first 2 chars of filename>
With data: <process id as a string>
Adds value: ud<first 2 chars of filename>
(for example, “udpe” or “udRo” for perfs.exe and routing.exe respectively)
With Data: <encrypted location of copied dll>
Adds value: m<first 2 chars of filename>
With Data: <encrypted string>
If launched with a particular command line option, it installs itself as a service with the name “perfmons Service” or “Routing Service”.
This service is started if the malware is run again without the command line option, or if the system is restarted.
Payload
Downloads and Executes Arbitrary Files
Once started, the trojan’s service connects to a remote server, which at the time of publication was bfkq.com, and sends information about the user's current operating system. The server may respond with a location from which to download further files.
The trojan then checks whether the clean Borland library file <system folder>\rtl60.bpl is present and downloads and saves it if not. It also downloads a further file, which it saves to the System directory using a filename specified by the particular variant, and then executes it.
The following filenames have been observed being used by variants in the wild:
sxwand.sys
yaxcnxd.sys
atsxyzd.sys
otaxyzd.sys
tpszxyd.sys
At the time of publication this file was a variant of Backdoor:Win32/Refpron. See the Backdoor:Win32/Refpron.D description for an example.
If the attempt to download these files from the provided location fails, the trojan may instead attempt to download them from one of a number of pre-stored locations, which at the time of publication included the following:
74.54.201.210
74.54.89.66
cooleezq6.vicp.net
cnwebmastersblog.com
The malware stores the time at which it last downloaded these files in the following registry entry:
HKLM\SOFTWARE\Microsoft\WBEM\Update
It uses this registry entry to determine when it should next attempt to download the files.
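A defender-side check for the host artifacts listed in the Installation and Payload sections above, added here as an example; it is not part of the original description or of any Microsoft tool. It runs over a constructed snapshot of the WBEM registry values, service names, file timestamps and %Temp% listing rather than querying a live system, so the same logic can be fed data from whatever acquisition tool is in use; the snapshot contents (process id, encrypted strings, timestamps) are made up.

```python
import re
from datetime import datetime
# Constructed host snapshot (not data from a real incident).
WBEM_VALUES = {
    "Installation Directory": r"C:\Windows\System32\wbem",  # legitimate WMI value
    "BuildW": "d9bTjNwo6cvKYA",    # encrypted download name (value from the description)
    "_pe": "1432",                  # "_" + first two chars of perfs.exe: process id
    "udpe": "Zm9vYmFy",             # encrypted location of the copied dll
    "mpe": "Ym9vZg==",              # encrypted string
    "Update": "1247000000",         # time of the last download
}
SERVICES = ["Winmgmt", "perfmons Service"]
FILE_MTIMES = {
    r"C:\Windows\System32\comsa32.sys": datetime(2008, 4, 14, 12, 0, 0),
    r"C:\Windows\System32\comcat.dll": datetime(2008, 4, 14, 12, 0, 0),
}
TEMP_FILES = ["mta48213.dll", "wct1A2B.tmp"]
SUSPECT_SERVICES = {"perfmons Service", "Routing Service"}
SUSPECT_VALUE = re.compile(r"(?:_|ud|m)[A-Za-z]{2}")  # _xx, udxx, mxx

def check_wbem_values(values):
    # A bare _/ud/m hit is a hunting lead, not proof; BuildW and Update are stronger.
    findings = []
    for name, data in values.items():
        if name == "BuildW":
            findings.append(f"WBEM\\BuildW present (encrypted download name): {data}")
        elif name == "Update":
            findings.append("WBEM\\Update present (time of last download)")
        elif SUSPECT_VALUE.fullmatch(name):
            findings.append(f"WBEM\\{name} matches the _/ud/m + 2-char naming scheme")
    return findings

def check_comsa32(mtimes, system_dir=r"C:\Windows\System32"):
    # comsa32.sys holds the version number; its mtime is copied from comcat.dll.
    comsa = mtimes.get(system_dir + r"\comsa32.sys")
    if comsa is None:
        return []
    note = "comsa32.sys present in the System folder"
    if comsa == mtimes.get(system_dir + r"\comcat.dll"):
        note += ", timestamp identical to comcat.dll (timestomped)"
    return [note]

def hunt(wbem=WBEM_VALUES, services=SERVICES, mtimes=FILE_MTIMES, temp=TEMP_FILES):
    findings = check_wbem_values(wbem)
    findings += [f"service '{s}' is a known Refpron service name" for s in services if s in SUSPECT_SERVICES]
    findings += check_comsa32(mtimes)
    findings += [f"{f} matches the %Temp%\\mta<digits>.dll copy of urlmon.dll" for f in temp
                 if re.fullmatch(r"mta\d{1,6}\.dll", f, re.IGNORECASE)]
    return findings
```

Any single finding should be confirmed against the binaries on disk; legitimate WBEM values such as Installation Directory pass through untouched.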
Additional Information
This malware was previously detected with the name Trojan:Win32/Tiniment.gen.
Analysis by David Wood