Trojan:Win32/Trooti is a trojan that connects to a remote website to post data from an infected computer, and installs a dropped DLL as a Windows NT service.
Installation
Trojan:Win32/Trooti installs the dropped DLL as the following file:
%windir%\ime\wmimachine2.dll
It then registers this DLL as a service hosted by svchost.exe by making the following registry modifications:
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4
Sets value: NextInstance
With data: dword:00000001
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000
Sets value: Service
With data: "6to4"
Sets value: Legacy
With data: dword:00000001
Sets value: ConfigFlags
With data: dword:00000000
Sets value: Class
With data: "LegacyDriver"
Sets value: ClassGUID
With data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Sets value: DeviceDesc
With data: ".NET Runtime Optimization Service v2.086521.BackUp_X86"
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control
Sets value: *NewlyCreated*
With data: dword:00000000
Sets value: ActiveService
With data: "6to4"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: Type
With data: dword:00000020
Sets value: Start
With data: dword:00000002
Sets value: ErrorControl
With data: dword:00000001
Sets value: ImagePath
With data: "%SystemRoot%\system32\svchost.exe -k netsvcs"
Sets value: DisplayName
With data: ".NET Runtime Optimization Service v2.086521.BackUp_X86"
Sets value: ObjectName
With data: "LocalSystem"
Sets value: Description
With data: "Microsoft .NET Framework NGEN"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: ServiceDll
With data: "C:\WINDOWS\ime\wmimachine2.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Security
Sets value: Security
With data: hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Enum
Sets value: 0
With data: "Root\LEGACY_6TO4\0000"
Sets value: Count
With data: dword:00000001
Sets value: NextInstance
With data: dword:00000001
The trojan then deletes the original %windir%\ime\wmimachine.dll file (at the next system restart, via the PendingFileRenameOperations mechanism) by creating the following registry entry:
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Sets value: PendingFileRenameOperations
With data: \??\C:\WINDOWS\ime\wmimachine.dll
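The persistence pattern above (a service hosted by svchost.exe whose ServiceDll points outside System32) can be checked offline against a .reg export of the Services key. The following is an added example, not part of the original entry; its sample input is constructed from the values listed above plus an assumed legitimate service ("Schedule") for contrast.

```python
import ntpath
import re

# Constructed .reg-format sample: the Trooti service from this entry plus a
# legitimate-looking svchost service for contrast (regedit doubles backslashes).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"DisplayName"=".NET Runtime Optimization Service v2.086521.BackUp_X86"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"="C:\\WINDOWS\\ime\\wmimachine2.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"DisplayName"="Task Scheduler"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\schedsvc.dll"
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
                    r"([^\\\]]+)(?:\\Parameters)?\]$")
VAL_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ-style lines only

def parse_services(reg_text):
    """Return {service: {value: str}}, merging each service's Parameters subkey."""
    services, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = services.setdefault(m.group(1), {})
        elif line.startswith("["):      # Security, Enum, ... subkeys: skip
            current = None
        elif current is not None and (m := VAL_RE.match(line)):
            # undo .reg escaping of quotes and backslashes
            current[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return services

def flag_suspicious(reg_text, system_root=r"C:\WINDOWS"):
    """Return [(service, ServiceDll, reason)] for svchost-hosted services whose
    ServiceDll is missing or resolves outside the System32 directory."""
    system32 = ntpath.join(system_root, "system32").lower() + "\\"
    findings = []
    for name, vals in parse_services(reg_text).items():
        if "svchost.exe" not in vals.get("ImagePath", "").lower():
            continue                    # not hosted by svchost: out of scope
        dll = vals.get("ServiceDll", "")
        resolved = re.sub(r"%systemroot%", lambda _: system_root, dll, flags=re.I)
        if not ntpath.normpath(resolved).lower().startswith(system32):
            reason = "missing ServiceDll" if not dll else "ServiceDll outside System32"
            findings.append((name, dll, reason))
    return findings
```

On a live system the same logic applies to the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`; REG_EXPAND_SZ values exported as hex(2) would need decoding first, which this example does not do.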
Payload
Connects to remote websites
Trojan:Win32/Trooti attempts to connect to the following website to post data from the infected machine:
http://tro2.6600.org:2/index.asp
Analysis by Rex Plantado