Threat behavior
TrojanDownloader:Win32/Dogkild.D is a trojan that downloads and executes arbitrary files from a remote host. It is also designed to deliberately compromise particular System Restore hardware and software.
Installation
TrojanDownloader:Win32/Dogkild.D copies itself to <system folder>\scvhost.exe and modifies the registry to execute this copy at each Windows start:
Adds value: "RsTray"
With data: "<system folder>\scvhost.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP and Vista.
TrojanDownloader:Win32/Dogkild.D may consist of several components. It may drop the following files to the affected system:
- <system folder>\killdll.dll (detected as TrojanDownloader:Win32/Dogkild.H)
- <system folder>\drivers\pcidump.sys (detected as VirTool:WinNT/Dogrobot.gen!K)
- %windir%\update~.exe (detected as TrojanDownloader:Win32/Dogrobot.D)
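The autostart entry above is the kind of indicator a responder checks first in an export of the Run key. The script below is an added example, not code from Microsoft or this write-up: it flags the exact indicator the page gives (value "RsTray" whose data ends in scvhost.exe) and, more generally, any Run entry whose image name is a near-miss of a genuine Windows binary (scvhost.exe is one letter swap away from svchost.exe). The Run entries, the short list of core binary names and the 0.8 similarity threshold are constructed assumptions for this example; on a live host the entries would come from an export of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

```python
"""Triage Run-key autostart entries against the installation indicators
of Win32/Dogkild.D. Added example; the sample entries are constructed."""
import difflib
import ntpath

# Indicator from the write-up: value "RsTray" pointing at <system folder>\scvhost.exe.
KNOWN_AUTOSTART_IOCS = {"rstray": "scvhost.exe"}

# Genuine Windows binaries whose names malware commonly imitates.
# Assumption: this short list is illustrative, not exhaustive.
CORE_BINARIES = {"svchost.exe", "userinit.exe", "winlogon.exe", "explorer.exe",
                 "lsass.exe", "csrss.exe", "services.exe"}

# Constructed sample of (value name, value data) pairs as exported from the Run key.
SAMPLE_RUN_ENTRIES = [
    ("ctfmon.exe", r"C:\Windows\System32\ctfmon.exe"),
    ("VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /background'),
    ("RsTray", r"C:\Windows\System32\scvhost.exe"),
    ("Loader", r"C:\Windows\lssas.exe"),
]


def image_path(value_data):
    """Return the executable path from Run-key data, dropping any arguments."""
    data = value_data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(None, 1)[0] if data else ""


def lookalike_of(name, threshold=0.8):
    """Return the core binary that `name` most resembles, or None.

    An exact match is legitimate and never reported; a near match such as
    scvhost.exe vs svchost.exe is the typo-squatting pattern."""
    name = name.lower()
    if name in CORE_BINARIES:
        return None
    best, best_ratio = None, 0.0
    for legit in CORE_BINARIES:
        ratio = difflib.SequenceMatcher(None, name, legit).ratio()
        if ratio > best_ratio:
            best, best_ratio = legit, ratio
    return best if best_ratio >= threshold else None


def triage_run_entries(entries):
    """Return a list of (value name, value data, reason) for suspicious entries."""
    findings = []
    for value_name, value_data in entries:
        exe = ntpath.basename(image_path(value_data)).lower()
        # 1. Exact indicator from the write-up.
        if KNOWN_AUTOSTART_IOCS.get(value_name.lower()) == exe:
            findings.append((value_name, value_data,
                             "matches Win32/Dogkild.D autostart indicator"))
            continue
        # 2. Generic check: image name imitates a genuine system binary.
        legit = lookalike_of(exe)
        if legit:
            findings.append((value_name, value_data, f"image name resembles {legit}"))
    return findings


if __name__ == "__main__":
    for name, data, reason in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {data} -> {reason}")
```

The lookalike check is deliberately separate from the exact indicator so the script still fires if a variant uses a different value name; the trade-off is that the threshold must be tuned against the host's legitimate autostart set to keep false positives down.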
Payload
Downloads and executes arbitrary files
TrojanDownloader:Win32/Dogkild.D contacts remote hosts in order to download and execute files of the attacker's choice on the affected machine. In the wild, TrojanDownloader:Win32/Dogkild.D has been observed contacting the following domain for this purpose:
Compromises system restore
Win32/Dogkild attempts to overwrite the system file userinit.exe using a low-level disk operation. This action may bypass the protection offered by System Restore hardware and software, because the integrity of the restore settings may be lost.
Modifies hosts file
Win32/Dogkild may replace the Windows Hosts file with a file that it downloads from a remote host. The local Hosts file maps host names to IP addresses and takes precedence over DNS resolution. Malicious software may modify the Hosts file in order to redirect specified host names to different IP addresses. Malware often modifies an affected machine's Hosts file in order to stop users from accessing websites associated with particular security-related applications (such as antivirus software).
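A replaced Hosts file is easy to inspect once you know what to look for: entries that pin a security vendor's host names to loopback (so the site becomes unreachable) or to an outside address (so traffic goes somewhere else). The following script is an added example, not Microsoft's or this write-up's code. The Hosts file content, the watched domain suffix "example-av.test" and the addresses used are all constructed for the example; on a real system the file is %SystemRoot%\System32\drivers\etc\hosts and the watch list would hold the domains of the security products in use.

```python
"""Inspect a Windows Hosts file for overrides of security-related host names.
Added example; the file content below is a constructed sample."""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed entries for this example
127.0.0.1       update.example-av.test
203.0.113.45    www.example-av.test    # RFC 5737 documentation address
10.0.0.7        intranet.corp.example
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_watched(name, watch_suffixes):
    """True if `name` is one of the watched domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in watch_suffixes)


def suspicious_hosts_entries(text, watch_suffixes):
    """Return (hostname, ip, kind) for every watched name found in the file.

    kind is "sinkholed" when the name points at loopback or the unspecified
    address, "redirected" for any other address, and "malformed address" when
    the address field does not parse (a hand-edited or corrupted file)."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not is_watched(name, watch_suffixes):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "malformed address"))
            continue
        kind = "sinkholed" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((name, ip, kind))
    return findings


def external_entries(text):
    """Return (hostname, ip) for entries that map a name anywhere other than
    loopback; a default Windows Hosts file has none, so each one is worth review."""
    found = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # reported by suspicious_hosts_entries when the name is watched
        if not (addr.is_loopback or addr.is_unspecified):
            found.append((name, ip))
    return found


if __name__ == "__main__":
    for name, ip, kind in suspicious_hosts_entries(SAMPLE_HOSTS, ["example-av.test"]):
        print(f"{name} -> {ip} ({kind})")
    for name, ip in external_entries(SAMPLE_HOSTS):
        print(f"review: {name} -> {ip}")
```

The watched-name check catches the behaviour described above directly; the second function is the broader hygiene check, since legitimate overrides in a Hosts file are rare enough that every non-loopback entry can be reviewed by hand.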
Terminates processes
Win32/Dogkild attempts to terminate the following processes, which are related to antivirus software:
CCENTER.EXE
KAVStart.exe
avp.exe
ekrn.exe
egui.exe
KwatchSvc.exe
Modifies system security settings
Win32/Dogkild also attempts to disable the following antivirus related services:
RavTask
RsScanSrv
RavTray
RsRavMon
ekrn
KwatchSvc
kaccore
KISSvc
Analysis by Chun Feng
Prevention