TrojanDownloader:Win32/Perkesh.gen!A is a trojan that may download arbitrary files onto the system. It may also drop other malware on the system, terminate security processes, and modify the HOSTS file to prevent access to security Web sites.
Installation
Upon execution, TrojanDownloader:Win32/Perkesh.gen!A drops the following files on the system:
- %TEMP%\<random name 1>.dll (for example: dll812.dll) - detected as Trojan:Win32/Perkesh.A
- <system folder>\appwinproc.dll - also detected as Trojan:Win32/Perkesh.A
- <system folder>\<random name 2>.dll (for example: nskhelper2.sys) - detected as TrojanDownloader:Win32/Perkesh.gen!A
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.
It checks if there are any running processes with the following names, and exits if any are found:
OllyICE.exe
PEditor.exe
LordPE.exe
C32Asm.exe
ImportREC.exe
These programs are typically used by analysts to examine executables and detect malicious activity on a system.
Payload
Prevents access to security Web sites
TrojanDownloader:Win32/Perkesh.gen!A modifies the HOSTS file to prevent access to security Web sites, including antivirus vendor sites and online scanning services.
The HOSTS file entries for these sites are pointed to the address 127.0.0.1, the local loopback address, so that connections to them never leave the infected machine.
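As an added defensive example (not part of the original write-up), the following Python parses HOSTS-file text and flags every hostname that has been redirected to a loopback address, which catches the redirection described above and generalizes to any site sinkholed the same way. The sample HOSTS content is constructed for this example; the only names that legitimately map to loopback are assumed to be localhost, localhost.localdomain and broadcasthost.

```python
import ipaddress

# Names that legitimately resolve to 127.0.0.1 / ::1 in a HOSTS file (assumption).
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip inline and full-line comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]  # one address may carry several names
        for name in names:
            yield addr, name.lower()


def find_sinkholed_hosts(text):
    """Return (address, hostname) pairs where a non-loopback name is mapped to loopback."""
    hits = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address; not what this check is looking for
        if ip.is_loopback and name not in LEGIT_LOOPBACK_NAMES:
            hits.append((addr, name))
    return hits


# Constructed sample: two legitimate loopback lines plus entries of the kind
# the malware adds to block access to security sites.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file for this example
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       virustotal.com www.virustotal.com   # added by malware
"""

if __name__ == "__main__":
    for addr, name in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {name} -> {addr}")
```

To check a live Windows system, read the file at the well-known default location %SystemRoot%\System32\drivers\etc\hosts (a path not stated on this page) and pass its contents to find_sinkholed_hosts.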
Terminates security processes
TrojanDownloader:Win32/Perkesh.gen!A may attempt to terminate processes belonging to security products.
Accesses other systems
TrojanDownloader:Win32/Perkesh.gen!A may attempt to use the MS08-067 vulnerability to access other systems. It may seek out systems within the network that do not have the security update for the MS08-067 Security Bulletin applied.
Downloads arbitrary files
TrojanDownloader:Win32/Perkesh.gen!A may attempt to download arbitrary files.
Drops other malware
TrojanDownloader:Win32/Perkesh.gen!A drops other malware, as discussed in the Installation section. These files are detected as Trojan:Win32/Perkesh.A.
Sends sensitive information
TrojanDownloader:Win32/Perkesh.gen!A attempts to send sensitive information, such as the system's MAC address and operating system, to a remote server.
Analysis by Andrei Florin Saygo