Trojan:Win32/Dogrobot.gen!J is generic detection for a trojan component that modifies Windows settings and terminates a security-related process.
Installation
Trojan:Win32/Dogrobot.gen!J may be installed by Backdoor:Win32/Farfli.I and may be present as one of the following:
%windir%\jiocs.dll
%windir%\winsp.dll
%windir%\system32\drivers\winsawids.sys
%windir%\system32\drivers\kisawids.sys
The DLL component is executed via the Windows utility "rundll32.exe" as in the following example:
rundll32.exe %windir%\<malware DLL name>.dll MyEntryPoint
When Trojan:Win32/Dogrobot.gen!J is loaded, it creates a mutex "xxvv" to make sure only one instance of it is running in memory.
Payload
Creates service
Service Name: KKCC
Display Name: KKCC
Image Path Name: <system folder>\drivers\winsawids.sys
Terminates security-related process
The trojan enumerates running processes. If a process name contains "avp.exe" it attempts to kill the process by running "taskkill /f /t /im <process name>".
Changes Windows settings
The trojan modifies the registry to run "svchost.exe" in place of "Thunder5.exe".
Adds key: "Thunder5.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Adds value: "Debugger"
With data: "svchost.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thunder5.exe
Because Windows launches the program named in an Image File Execution Options "Debugger" value whenever the target executable is started, "svchost.exe" is run instead of "thunder5.exe".
Additional Information
The program "thunder5.exe" is associated with Thunder Networking Technology (also known as Xunlei, a download manager). When it runs, it executes components installed in the "Thunder Network" program folder, which can include antivirus plugins for Beijing Rising Antivirus (RAV).
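The following PowerShell script is an added example, not part of the original analysis: it performs a read-only audit of a host for the artifacts described above (the installation paths, the KKCC service, the "xxvv" mutex and the IFEO "Debugger" redirection). The entry does not state which object namespace the mutex is created in, so the script assumes it may be either session-local or Global.

```powershell
# Added example, not from the original analysis: read-only audit of a host for the
# Trojan:Win32/Dogrobot.gen!J artifacts described above. Run from an elevated prompt.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$findings = @()

# 1. IFEO "Debugger" values: Windows starts the named debugger in place of the target
#    program, so every such entry is worth reviewing, not only the Thunder5.exe one.
foreach ($k in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $k.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{
            Type   = 'IFEO Debugger'; Name = $k.PSChildName; Detail = $dbg
            # Exact pattern this trojan writes: Thunder5.exe redirected to svchost.exe
            Known  = ($k.PSChildName -ieq 'Thunder5.exe' -and $dbg -ieq 'svchost.exe')
        }
    }
}

# 2. File locations listed under Installation.
foreach ($p in @("$env:windir\jiocs.dll", "$env:windir\winsp.dll",
                 "$env:windir\system32\drivers\winsawids.sys",
                 "$env:windir\system32\drivers\kisawids.sys")) {
    if (Test-Path -LiteralPath $p) {
        $size = (Get-Item -LiteralPath $p).Length
        $findings += [pscustomobject]@{ Type = 'File'; Name = $p; Detail = "$size bytes"; Known = $true }
    }
}

# 3. The KKCC service, read from the registry so that a kernel driver is found as well.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KKCC'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $findings += [pscustomobject]@{ Type = 'Service'; Name = 'KKCC'; Detail = $img; Known = $true }
}

# 4. The "xxvv" mutex. Namespace is not stated in the analysis (assumption), so both the
#    session-local and the Global form are tried. Access denied still proves it exists.
foreach ($name in 'xxvv', 'Global\xxvv') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name); $m.Dispose()
        $findings += [pscustomobject]@{ Type = 'Mutex'; Name = $name; Detail = 'present'; Known = $true }
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
    } catch [System.UnauthorizedAccessException] {
        $findings += [pscustomobject]@{ Type = 'Mutex'; Name = $name; Detail = 'present (access denied)'; Known = $true }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No Trojan:Win32/Dogrobot.gen!J indicators found.' }
else { $findings | Sort-Object Known -Descending | Format-Table -AutoSize }
```

Entries with Known set to False are IFEO debuggers other than the one this trojan creates; they are reported so the reviewer can confirm each is a legitimate, expected redirection.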
Analysis by Hong Jia