Threat Encyclopedia

Win32/Olmarik.XG

Aliases: Trojan.Win32.Tdss.bage (Kaspersky), Trojan:Win32/Alureon.CT (Microsoft), DNSChanger.bf (McAfee)
Type of infiltration: Trojan
Size: 89600 B
Affected platforms: Microsoft Windows
Signature database version: 5020 (20100412)

Short description

The trojan contains a backdoor. It can be controlled remotely. It uses techniques common to rootkits.

Installation

When executed, the trojan creates the following files:
  • %temp%\%random1%.tmp (31232 B)
  • %temp%\%random2%.tmp (89600 B)
A string with variable content is used instead of %random1-2%.

The following files are modified:
  • %system%\drivers\*.sys
It avoids files with the following filenames:
  • fvevol.sys
  • ksecdd.sys
  • win32k.sys
  • pci.sys
The modified file contains the original program code along with the program code of the infiltration.

The size of the inserted code is 396 B.

The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%random3%]
    "ImagePath" = "%temp%\%random1%.tmp"
    "Type" = 1
A string with variable content is used instead of %random3%.

The trojan may create and run a new thread with its own program code within any running process.

Information stealing

The trojan collects the following information:
  • a list of recently visited URLs
  • operating system version
The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 18 URLs. The HTTP and HTTPS protocols are used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
    "svchost.exe" = 8000
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "MaxHttpRedirects" = 8000
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "EnableHttp1_1" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "CurrentLevel" = 0
    "1601" = 0
    "1400" = 0
The trojan can write its own data to the end of the physical drive.
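Detection logic for the registry artifacts listed under Installation and Other information above, as an added example that is not part of the ESET entry: it parses a constructed, simplified .reg-style export (not a real capture) and flags a kernel-driver service whose ImagePath points into %temp%, the FEATURE_BROWSER_EMULATION entry for svchost.exe, and the Internet zone (3) values the trojan sets. The service name qjzx7f, the parser and the key constants are hypothetical.

```python
# Added example (not ESET's code). SAMPLE_REG is constructed, not a real capture.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\qjzx7f]
"ImagePath"="%temp%\qjzx7f.tmp"
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"svchost.exe"=dword:00001f40
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00000000
"1601"=dword:00000000
"1400"=dword:00000000
'''

SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
EMULATION = ("hkey_local_machine\\software\\microsoft\\internet explorer"
             "\\main\\featurecontrol\\feature_browser_emulation")
ZONE3 = ("hkey_current_user\\software\\microsoft\\windows\\currentversion"
         "\\internet settings\\zones\\3")

def parse_reg(text):
    """Parse simplified .reg text into {key: {name: value}}; dwords become ints."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            value = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
            keys[current][name.strip('"')] = value
    return keys

def find_indicators(keys):
    """Return findings that match the trojan's registry changes; [] if clean."""
    findings = []
    for key, values in keys.items():
        image = str(values.get("ImagePath", "")).lower()
        # Type 1 = kernel driver; a legitimate driver does not load from %temp%.
        if key.startswith(SERVICES) and values.get("Type") == 1 and (
                "%temp%" in image or image.endswith(".tmp")):
            name = key.rsplit("\\", 1)[-1]
            findings.append(f"kernel driver service {name} loads {image}")
    if "svchost.exe" in keys.get(EMULATION, {}):
        findings.append("FEATURE_BROWSER_EMULATION entry for svchost.exe (not a browser)")
    zone = keys.get(ZONE3, {})
    if zone.get("CurrentLevel") == 0 and zone.get("1400") == 0 and zone.get("1601") == 0:
        findings.append("Internet zone (3) CurrentLevel, 1400 and 1601 all set to 0")
    return findings
```

Running find_indicators(parse_reg(SAMPLE_REG)) returns three findings, one per artifact; a driver with an ImagePath under %system%\drivers is not reported.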