Installation
TrojanDownloader:Win32/Xolondox.A is usually downloaded with a fake program name that is designed to trick you into opening and running it.
Our observations show the trojan is downloaded through Thunder (an internet download manager) by pretending to be a legitimate program or file, such as:
- Superpi.exe
- UDown_3.3.1.13.exe
- wrar420sc.exe
It may also be sent or downloaded onto your machine by pretending to be email or system files, for example:
- Hotmail.zip
- primary.eml
- Server.exe
Once run, the trojan installs the following files on your computer:
The trojan modifies the following registry entries to make sure it runs at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\AENGFU3AA-B933-11d2-9CBD-0000F87A369E
Sets value: "(Default)"
With data: "ver933"
In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\AENGFU3AA-B933-11d2-9CBD-0000F87A369E
Sets value: "stubpath"
With data: "%windir%\Qedie\conime.exe"
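Active Setup "Installed Components" entries carrying a StubPath are executed once per user at logon, which is why the registry change above survives a reboot. The following is an added example (not code from the original write-up) that audits a Windows registry export for entries of this kind: it parses .reg text, then flags any Active Setup component whose name or StubPath matches the indicators listed above, whose name is not a braced GUID, or whose stub runs from a non-standard folder under %windir%. The registry text, the benign component and its GUID are constructed for illustration.

```python
"""Audit a Windows registry export (.reg text) for suspicious Active Setup
persistence entries such as the one described above.

Added example, not part of the original write-up. SAMPLE_REG is constructed;
the benign entry and its GUID are made up for illustration."""
import re

ACTIVE_SETUP_PREFIX = (
    "hkey_local_machine\\software\\microsoft\\active setup\\installed components\\"
)
# Indicators taken from the write-up.
KNOWN_BAD_COMPONENT = "AENGFU3AA-B933-11d2-9CBD-0000F87A369E"
KNOWN_BAD_STUBPATHS = {r"%windir%\Qedie\conime.exe"}
# Folders under %windir% from which legitimate Active Setup stubs normally run.
TRUSTED_WINDIR_SUBDIRS = {"system32", "syswow64"}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\AENGFU3AA-B933-11d2-9CBD-0000F87A369E]
@="ver933"
"stubpath"="%windir%\\Qedie\\conime.exe"
"""


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse .reg text into {subkey: {value_name: data}}; non-string data is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _expand_windir(path):
    """Resolve %windir%/%SystemRoot% so paths can be compared uniformly."""
    return re.sub(r"%(windir|systemroot)%", r"c:\\windows", path, flags=re.I)


def _stub_executable(stub):
    """First token of a StubPath command line, honouring a quoted program path."""
    if stub.startswith('"'):
        return stub[1:].split('"', 1)[0]
    return stub.split()[0] if stub.split() else ""


def audit_active_setup(keys):
    """Return a list of suspicious Active Setup components with the reasons they were flagged."""
    findings = []
    bad_stubs = {_expand_windir(p).lower() for p in KNOWN_BAD_STUBPATHS}
    for subkey, values in keys.items():
        if not subkey.lower().startswith(ACTIVE_SETUP_PREFIX):
            continue
        component = subkey[len(ACTIVE_SETUP_PREFIX):]
        stub = next((v for k, v in values.items() if k.lower() == "stubpath"), None)
        if stub is None:
            continue  # nothing is executed without a StubPath
        norm = _expand_windir(stub).lower()
        reasons = []
        if component.lower() == KNOWN_BAD_COMPONENT.lower():
            reasons.append("component name matches Xolondox.A indicator")
        if norm in bad_stubs:
            reasons.append("StubPath matches Xolondox.A indicator")
        if not re.fullmatch(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", component, re.I):
            reasons.append("component name is not a braced GUID")
        exe = _stub_executable(norm)
        rest = exe[len("c:\\windows\\"):] if exe.startswith("c:\\windows\\") else ""
        if "\\" in rest and rest.split("\\")[0] not in TRUSTED_WINDIR_SUBDIRS:
            reasons.append(f"StubPath runs from non-standard folder %windir%\\{rest.split(chr(92))[0]}")
        if reasons:
            findings.append({"component": component, "stubpath": stub, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_active_setup(parse_reg_export(SAMPLE_REG)):
        print(f["component"], "->", f["stubpath"])
        for r in f["reasons"]:
            print("   ", r)
```

Against the constructed export, only the Xolondox.A component is reported, with all four reasons; the benign regsvr32 stub under system32 passes. On a live system the same checks can be run over the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" file.reg`.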
Payload
Downloads other files
The trojan downloader connects to the following servers to download an image to the %TEMP% folder:
- http://127.0.0.1.jk136.com:123/<removed>/js/top.gif
- http://222.186.43.147:88/<removed>/loog.gif
- http://222.186.43.147:88/<removed>/loog4.gif
- http://dl.qvodplay.org:888/<removed>.gif
- http://hs.9ycj.com:808/sogou/<removed>/hs.gif
- http://wangma88.3322.org:888/<removed>.gif
The image includes an encrypted URL that points to an executable file on a remote server. The trojan decrypts the URL and downloads the file as "%windir%\Qedir\<random name>.exe". This is a different folder than the one where the trojan was originally downloaded. For example, "%windir%\Qedir\fcnynqdt.exe" or "%windir%\Qedir\majcqlzc.exe".
At the time of analysis, the servers were not available and we were unable to confirm the exact nature of the downloaded executable file. However, it has been seen to download other malware, including TrojanDropper:Win32/Dowque.A, a trojan that also downloads other malware.
Steals information about you and your computer
TrojanDownloader:Win32/Xolondox.A sends information that identifies your computer to a remote attacker at "http://killer.ignorelist.com:10086/images/<removed>/count.asp". This information includes your computer's MAC address (a unique code that identifies your computer) and an identifier code used by the malware.
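The download servers listed under "Downloads other files" and the count.asp beacon host above are the network indicators a defender can act on. The following is an added example (not code from the original write-up) that scans outbound HTTP proxy log lines for those host:port pairs and also flags the pattern the write-up describes, an image file fetched over a non-standard HTTP port. The log format and the log lines are constructed; the redacted path components are replaced with obvious placeholders.

```python
"""Match proxy log lines against the Xolondox.A download and beacon hosts, and
flag "image" downloads over non-standard ports (the carrier pattern above).

Added example, not part of the original write-up. The log format
(timestamp client method url status) and the lines are constructed."""
from urllib.parse import urlsplit

# host:port pairs taken from the write-up (path components were redacted there).
XOLONDOX_HOSTS = {
    ("127.0.0.1.jk136.com", 123),
    ("222.186.43.147", 88),
    ("dl.qvodplay.org", 888),
    ("hs.9ycj.com", 808),
    ("wangma88.3322.org", 888),
    ("killer.ignorelist.com", 10086),  # count.asp beacon carrying the MAC address
}
IMAGE_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png", ".bmp")
COMMON_HTTP_PORTS = {80, 443, 8080}

# Constructed sample; "x1"/"x2" stand in for the redacted path segments.
SAMPLE_LOG = """\
2013-03-04T10:22:01Z 10.0.0.5 GET http://hs.9ycj.com:808/sogou/x1/hs.gif 200
2013-03-04T10:22:03Z 10.0.0.5 GET http://www.example.com/images/logo.gif 200
2013-03-04T10:22:09Z 10.0.0.5 GET http://killer.ignorelist.com:10086/images/x2/count.asp?id=1 200
2013-03-04T10:23:15Z 10.0.0.7 GET http://cdn.example.net:8081/banner.gif 200
"""


def classify_url(url):
    """Return the list of reasons a URL is suspicious (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    reasons = []
    if (host, port) in XOLONDOX_HOSTS:
        reasons.append("known Xolondox.A server")
    if parts.path.lower().endswith(IMAGE_SUFFIXES) and port not in COMMON_HTTP_PORTS:
        reasons.append("image fetched over non-standard port %d" % port)
    return reasons


def scan_proxy_log(text):
    """Scan whitespace-separated proxy lines; the URL is the fourth field."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the scan
        client, url = fields[1], fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append({"line": n, "client": client, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['client']} {hit['url']}: {', '.join(hit['reasons'])}")
```

The first and third sample lines match listed servers (the .gif fetch on port 808 also trips the port heuristic); the fourth line is a lower-confidence hit from the heuristic alone, which is worth triaging on its own since the write-up shows the image carrier being used across several unrelated hosts.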
Additional information
TrojanDownloader:Win32/Xolondox.A creates a mutex named "XLXNDXS", possibly as an infection marker to prevent multiple instances running on your computer.
Analysis by Jeong Mun