Threat behavior
TrojanDownloader:Win32/Dyfuca.ZVB provides the ability to search for adult content on local disks. The software may also install programs that display pop-up advertisements targeted on the current user's Web-browsing activity. These programs may run in the background so that it is not readily apparent that they are the agents delivering the advertising. TrojanDownloader:Win32/Dyfuca.ZVB may also install other unwanted software, and it may install a browser helper object (a DLL that Internet Explorer loads at startup and that can observe and alter browsing).
When TrojanDownloader:Win32/Small!AA7A runs, it does the following:
- Drops file "ucffhpca.exe" under directory %windir%
- Modifies the registry to load this copy of itself when Windows is started:
  Set "ucffhpca" = "%windir%\ucffhpca.exe", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
%windir%\ucffhpca.exe does the following:
- Drops the following files under directory %windir% (the components launched in the steps below):
  "tcb.pmw"
  "ucffhpc.exe"
  "offun.exe"
  "srvbwfwngw.exe"
  "srveghcxhp.exe"
- Modifies the following registry entry:
  Set "DisplayName" = "windows overlay components", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
- Launches the file %windir%\ucffhpc.exe, by running "C:\WINDOWS\ucffhpc.exe" -i
- Launches the file %windir%\ucffhpca.exe, by running "C:\WINDOWS\ucffhpca.exe"
- Launches the file %windir%\srvbwfwngw.exe, by running "C:\WINDOWS\srvbwfwngw.exe"
- Launches the file %windir%\srveghcxhp.exe, by running "C:\WINDOWS\srveghcxhp.exe"
%windir%\ucffhpc.exe may do the following:
- Drops file "ucffhpc.exe" under directory %windir%
- Modifies the following registry entry:
  Set "ucffhpcA" = "%windir%\ucffhpca.exe", under key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%windir%\srvbwfwngw.exe may do the following:
- Drops file "optimize.exe" under directory "%ProgramFiles%\internet optimizer"
- Drops file "d642018b883da684e9c7dcbbfa2f2836_b25ca6b5-6a2b-4341-a863-da8dd7afbc1d" under directory c:\documents and settings\administrator\application data\microsoft\crypto\rsa\s-1-5-21-1659004503-920026266-1343024091-500 (this is the CryptoAPI RSA key container store of the logged-on user; the account name and SID are those of the analysis machine, so on another system look under %APPDATA%\Microsoft\Crypto\RSA\<user SID>)
- Modifies the following registry entries:
  Set "TargetDir" = "c\rga ie\nentotmzr", under key HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer
  Set "Internet Optimizer" = ""c:\program files\internet optimizer\optimize.exe"", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  Set "DisplayIcon" = "c:\program files\internet optimizer\optimize.exe", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer
  Set "Comment" = "¦eú.ñj1+", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout
- Launches the file %ProgramFiles%\internet optimizer\optimize.exe
%windir%\srveghcxhp.exe may do the following:
- Drops file "psdream.exe" under directory c:\program files\psdream
- Drops file "uninstall.exe" under directory c:\program files\psdream
- Modifies the following registry entries:
  Set "psdream" = ""c:\program files\psdream\psdream.exe"", under key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Set "aid" = "3", under key HKEY_CURRENT_USER\Software\psdream
C:\Program Files\internet optimizer\optimize.exe may do the following:
- Downloads a file "xml" from a remote Web site
- Modifies the following registry entries:
  Set "TargetDir" = "c\rga ie\nentotmzr", under key HKEY_LOCAL_MACHINE\Software\Avenue Media\Internet Optimizer
  Set "Internet Optimizer" = ""C:\Program Files\internet optimizer\optimize.exe"", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  Set "ProxyBypass" = "1", under key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (this is the Internet Explorer Local intranet option "Include all sites that bypass the proxy server"; the same value is commonly present in a default Internet Explorer configuration, so on its own it is a weak indicator)
C:\Program Files\psdream\psdream.exe may do the following:
- Tests Internet connectivity by first attempting a standard TCP port 80 connection to www.microsoft.com
- Attempts to connect to a remote Web site and download a file "zx-install.php"
- Modifies the following registry entries:
  Set "Version" = "5", under key HKEY_CURRENT_USER\Software\PSDream
  Set "ProxyBypass" = "1", under key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
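The behaviour chain above amounts to a fixed set of host indicators: dropped files under %windir% and %ProgramFiles%, Run-key values in both HKLM and HKCU, and fake Uninstall and vendor keys. The following script is an added triage example, not code from the original write-up or from Microsoft: it parses a regedit-style export (the format produced by `reg export`, after conversion from UTF-16 to text), matches the Run values and marker keys listed on this page, and checks a file inventory against the dropped-file paths, expanding %windir% and %ProgramFiles% case-insensitively so that the indicator list can stay in environment-variable form. SAMPLE_REG, SAMPLE_FILES and DEFAULT_ENV are constructed assumptions for an offline run; replace them with data from the host under investigation.

```python
"""Match the Dyfuca.ZVB indicators from the write-up above against a registry
export and a file inventory.  Added example; SAMPLE_REG / SAMPLE_FILES are
constructed data, not captures from a real infection."""
import re

# Assumed values of the analysis machine's environment variables (the write-up
# shows C:\WINDOWS); adjust for the host being examined.
DEFAULT_ENV = {"windir": r"C:\WINDOWS", "ProgramFiles": r"C:\Program Files"}

# Run-key values the write-up reports (key -> {value name: data}).
RUN_VALUES = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ucffhpca": r"%windir%\ucffhpca.exe",
        "Internet Optimizer": r"%ProgramFiles%\internet optimizer\optimize.exe",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ucffhpcA": r"%windir%\ucffhpca.exe",
        "psdream": r"%ProgramFiles%\psdream\psdream.exe",
    },
}
# Keys whose presence is itself an indicator (fake Uninstall entries, config keys).
MARKER_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\OvMon",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout",
    r"HKEY_LOCAL_MACHINE\Software\Avenue Media\Internet Optimizer",
    r"HKEY_CURRENT_USER\Software\psdream",
]
DROPPED_FILES = [
    r"%windir%\ucffhpca.exe", r"%windir%\ucffhpc.exe", r"%windir%\offun.exe",
    r"%windir%\srvbwfwngw.exe", r"%windir%\srveghcxhp.exe", r"%windir%\tcb.pmw",
    r"%ProgramFiles%\internet optimizer\optimize.exe",
    r"%ProgramFiles%\psdream\psdream.exe", r"%ProgramFiles%\psdream\uninstall.exe",
]

# One value line of a .reg file: "name"=data, or @=data for the (Default) value.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg string escaping: \\ becomes \ and \" becomes "
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse regedit-export text into {key (lowercase): {value name (lowercase): data}}.
    String data is unescaped; dword:/hex: data is kept as the raw token."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # header line, blank line, or continuation of hex data
        name = _unescape(m.group(1) or "").lower()
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def expand(path, env):
    """Expand %var% references case-insensitively, drop surrounding quotes, lowercase."""
    for var, val in env.items():
        path = re.sub(re.escape(f"%{var}%"), lambda _m, v=val: v, path, flags=re.IGNORECASE)
    return path.strip().strip('"').lower()


def scan_registry(reg, env=DEFAULT_ENV):
    """Return human-readable findings for Run values and marker keys present in reg."""
    findings = []
    for key, expected in RUN_VALUES.items():
        present = reg.get(key.lower(), {})
        for name, data in expected.items():
            actual = present.get(name.lower())
            if actual is None:
                continue
            if expand(actual, env) == expand(data, env):
                findings.append(f"run value {key}\\{name} = {actual}")
            else:  # same value name but different target: still worth a look
                findings.append(f"run value {key}\\{name} present with unexpected data {actual!r}")
    for key in MARKER_KEYS:
        if key.lower() in reg:
            findings.append(f"marker key present: {key}")
    return findings


def scan_files(paths, env=DEFAULT_ENV):
    """Return the inventory paths that match a dropped-file indicator."""
    wanted = {expand(p, env) for p in DROPPED_FILES}
    return [p for p in paths if expand(p, env) in wanted]


# Constructed sample data: an HKLM Run export plus two other keys, and a partial
# directory listing; a benign ctfmon entry and explorer.exe are included as noise.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ucffhpca"="C:\\WINDOWS\\ucffhpca.exe"
"Internet Optimizer"="\"c:\\program files\\internet optimizer\\optimize.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001

[HKEY_CURRENT_USER\Software\psdream]
"aid"="3"
"Version"="5"
'''
SAMPLE_FILES = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\ucffhpca.exe",
    r"C:\WINDOWS\srvbwfwngw.exe",
    r"C:\Program Files\Internet Optimizer\optimize.exe",
    r"C:\Program Files\PSDream\uninstall.exe",
]

if __name__ == "__main__":
    for finding in scan_registry(parse_reg(SAMPLE_REG)) + scan_files(SAMPLE_FILES):
        print(finding)
```

Run it against real data by reading the `reg export` output with `encoding="utf-16"` and feeding a recursive directory listing of %windir% and %ProgramFiles% to scan_files. ProxyBypass is deliberately not in MARKER_KEYS: the write-up lists it, but the same value is commonly present in a default Internet Explorer configuration, so matching it would only add noise.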
Prevention