Threat Encyclopedia


Installation
When executed, the trojan copies itself into the following location:

C:\WINDOWS\system32\sstts.exe

The following files are dropped in the same folder:

sstts.dll (Win32/Adware.Virtumonde.FP)

sttss.ini

sttss.ini2

A library with the following name is injected into all running processes:

sstts.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "C:\WINDOWS\system32\sstts.exe"

 

The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages" = "msv1_0 C:\WINDOWS\system32\sstts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\SYSTEM\CurrentVersion\Explorer\Browser Helper Objects]
"{%variable CLSID%}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{%variable CLSID%}\InprocServer32]
"(Default)" = "C:\WINDOWS\system32\sstts.exe"
"ThreadingModel" = "Both"

 

%variable CLSID% stands for a CLSID string whose content varies between samples.
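The Registry entries above are the concrete artifacts a defender can check for. The script below is an added example, not ESET's code: it parses a `reg export` text file (a constructed sample is embedded, including a `hex(7)` REG_MULTI_SZ value split across a continuation line) and reports the indicators this page describes: a non-empty `load` value, any LSA Authentication Package other than `msv1_0`, `GlobalUserOffline` set to 1, and a Browser Helper Object whose InprocServer32 target is an .exe rather than a DLL. The CLSID in the sample is a constructed placeholder, and the Browser Helper Objects key is matched on its path suffix so that both the page's spelling of that path and the usual one are covered.

```python
"""Added example (not ESET's code): scan a Windows registry export (.reg text)
for the persistence indicators this page lists: the 'load' value under
HKCU\\...\\Windows NT\\CurrentVersion\\Windows, extra LSA Authentication
Packages, a Browser Helper Object served by an .exe, and GlobalUserOffline.
Runs offline on the constructed export below; feed parse_reg() the text of a
real `reg export` file to scan a machine."""
import re

GUID = r'\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}'

def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash continues hex data)."""
    buf = ''
    for line in text.splitlines():
        buf += line.strip()
        if buf.endswith('\\'):
            buf = buf[:-1]
            continue
        yield buf
        buf = ''
    if buf:
        yield buf

def _decode(raw):
    """Decode a .reg value: quoted string, dword:, hex: or hex(7): (REG_MULTI_SZ)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])     # undo \\ and \" escapes
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        if m.group(1) == '7':   # REG_MULTI_SZ: UTF-16-LE, NUL-separated, double-NUL terminated
            return [s for s in data.decode('utf-16-le').split('\0') if s]
        return data
    return raw

def parse_reg(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    keys, cur = {}, None
    for line in _logical_lines(text):
        if line.startswith('[') and line.endswith(']'):
            cur = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and cur is not None:
            name = '(Default)' if m.group(1) is None else m.group(1)
            cur[name] = _decode(m.group(2))
    return keys

def find_indicators(keys):
    """Apply the page's indicators; returns (indicator, key or CLSID, detail) tuples."""
    findings, bho, servers = [], set(), {}
    for path, values in keys.items():
        p = path.lower()
        # 'load' is normally empty; anything listed here is started at every logon.
        if p.endswith(r'\windows nt\currentversion\windows') and values.get('load'):
            findings.append(('run_at_logon', path, values['load']))
        # LSA loads every listed package into lsass.exe; only msv1_0 is there by default.
        if p.endswith(r'\control\lsa'):
            pkgs = values.get('Authentication Packages', [])
            pkgs = pkgs.split() if isinstance(pkgs, str) else pkgs
            extra = [x for x in pkgs if x.lower() != 'msv1_0']
            if extra:
                findings.append(('lsa_auth_package', path, extra))
        if p.endswith(r'\internet settings') and values.get('GlobalUserOffline') == 1:
            findings.append(('global_user_offline', path, 1))
        # BHOs may be registered as a subkey or (as shown on this page) as a value name.
        m = re.search(r'\\browser helper objects\\(' + GUID + r')$', p)
        if m:
            bho.add(m.group(1))
        elif p.endswith(r'\browser helper objects'):
            bho.update(v.lower() for v in values if re.fullmatch(GUID, v.lower()))
        m = re.search(r'\\classes\\clsid\\(' + GUID + r')\\inprocserver32$', p)
        if m:
            servers[m.group(1)] = values.get('(Default)', '')
    for clsid in sorted(bho):
        server = servers.get(clsid, '')
        # An in-process COM server should be a DLL; an .exe here is the page's pattern.
        if server.lower().endswith('.exe'):
            findings.append(('bho_inproc_server', clsid, server))
    return findings

def _multi_sz(items):
    """Encode strings as a hex(7) REG_MULTI_SZ value the way reg.exe exports it."""
    data = ('\0'.join(items) + '\0\0').encode('utf-16-le')
    return 'hex(7):' + ','.join(f'{b:02x}' for b in data)

CLSID = '{11111111-2222-3333-4444-555555555555}'   # constructed placeholder CLSID
# Constructed export resembling the entries on this page (not from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\system32\\sstts.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=%s

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"%s"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%s\InprocServer32]
@="C:\\WINDOWS\\system32\\sstts.exe"
"ThreadingModel"="Both"
""" % (_multi_sz(['msv1_0', r'C:\WINDOWS\system32\sstts.exe']).replace(',', ',\\\n  ', 1),
       CLSID, CLSID)

if __name__ == '__main__':
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(*finding)
```

To use it on a live system, export the relevant hives (`reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" lsa.reg` and so on) and pass the file text to `parse_reg`; reg.exe writes UTF-16, so open the file with `encoding='utf-16'`. An extra LSA Authentication Package is not proof of infection on its own, since some third-party authentication products register one, so check the file the entry points to before acting on it.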


Executable files infection

The adware infects executable files. The host file is modified so that the trojan runs before the original code: the adware stores the original program in the resource section of its own (infiltration) body.

When an infected file is executed, the original program is dropped into a temporary file and run.
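The infection technique above (original program kept in the resource section, dropped to a temporary file and run) leaves a detectable artifact: a complete PE image inside the `.rsrc` section. The script below is an added example, not ESET's code: it walks the PE section table with `struct`, locates `.rsrc`, and reports every offset where an `MZ` header's `e_lfanew` field points at a `PE\0\0` signature. The PE images it scans are constructed by its own `build_pe` helper (header-only stubs, not runnable programs); that helper and the offsets it uses are assumptions of the example, not values from this page.

```python
"""Added example (not ESET's code): find a PE image embedded in the .rsrc
section of another PE, the artifact left by the file infection this page
describes.  The PE images used below are constructed in build_pe() and are
header-only stubs, not runnable programs."""
import struct

def rsrc_section(pe):
    """Return (file offset, raw size) of the .rsrc section, or None if absent."""
    if len(pe) < 0x40 or pe[:2] != b'MZ':
        return None
    e_lfanew = struct.unpack_from('<I', pe, 0x3c)[0]
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return None
    nsec = struct.unpack_from('<H', pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size        # section table follows the optional header
    for i in range(nsec):
        off = table + 40 * i                # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(pe):
            break
        name = pe[off:off + 8].rstrip(b'\0')
        size_raw, ptr_raw = struct.unpack_from('<II', pe, off + 16)  # SizeOfRawData, PointerToRawData
        if name == b'.rsrc':
            return ptr_raw, size_raw
    return None

def embedded_executables(blob):
    """Offsets in blob where an MZ header's e_lfanew points at a PE signature."""
    hits, pos = [], blob.find(b'MZ')
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = struct.unpack_from('<I', blob, pos + 0x3c)[0]
            if 0x40 <= lfanew < 0x1000 and blob[pos + lfanew:pos + lfanew + 4] == b'PE\0\0':
                hits.append(pos)
        pos = blob.find(b'MZ', pos + 1)
    return hits

def scan_pe(pe):
    """File offsets of executables carried inside the .rsrc section of pe."""
    sec = rsrc_section(pe)
    if sec is None:
        return []
    start, size = sec
    return [start + o for o in embedded_executables(pe[start:start + size])]

def build_pe(rsrc_payload):
    """Construct a minimal PE32 stub with a single .rsrc section holding rsrc_payload."""
    rsrc_off = 0x200
    dos = b'MZ' + b'\0' * (0x3c - 2) + struct.pack('<I', 0x40)   # e_lfanew = 0x40
    opt = b'\0' * 0xe0                                           # PE32 optional header, unused here
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14c, 1, 0, 0, 0, len(opt), 0x102)
    sec = (b'.rsrc'.ljust(8, b'\0')
           + struct.pack('<IIII', len(rsrc_payload), 0x1000, len(rsrc_payload), rsrc_off)
           + b'\0' * 16)
    return (dos + coff + opt + sec).ljust(rsrc_off, b'\0') + rsrc_payload

# Constructed samples: a clean stub, and a stub carrying a whole PE in its resources.
CLEAN = build_pe(b'\0' * 64)
ORIGINAL = build_pe(b'original program bytes')
INFECTED = build_pe(b'\0' * 16 + ORIGINAL)

if __name__ == '__main__':
    print('clean   :', scan_pe(CLEAN))
    print('infected:', [hex(o) for o in scan_pe(INFECTED)])
```

A PE carried in resources is not malicious by itself; installers, self-extractors and some packers do the same, so treat a hit as a triage signal and compare the carved image (from the reported offset to the end of the section) with what the file is supposed to contain. For real files a full parser such as pefile handles cases this minimal walker skips, such as sections that overlap or extend past the end of the file.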


Other information

The adware displays dialogs within the Internet browser with warnings about possible threats detected on the compromised computer that need to be removed.

The adware receives data and commands from a remote computer over the Internet. It contains a list of URLs, and the HTTP protocol is used for the communication.

Some examples follow.

Example [1.]: (screenshot Win32.Adware.Virtumonde.FP.Application_example_AL, not reproduced here)

Example [2.]: (screenshot Win32.Adware.Virtumonde.FP.Application_example_AM, not reproduced here)

Example [3.]: (screenshot Win32.Adware.Virtumonde.FP.Application_example_CB, not reproduced here)

Example [4.]: (screenshot Win32.Adware.Virtumonde.FP.Application_example_BJ, not reproduced here)

Example [5.]: (screenshot Win32.Adware.Virtumonde.FP.Application_example_BN, not reproduced here)

Example [6.]: (screenshot Win32.Adware.Virtumonde.FP.Application_example_CM, not reproduced here)

The downloaded programs are made to look legitimate and useful. Their goal is to persuade the user to purchase them.

Example [7.]: (screenshot Win32.Adware.Virtumonde.FP.Application_example_AH, not reproduced here)

Example [8.]: (screenshot Win32.Adware.Virtumonde.FP.Application_example_BZ, not reproduced here)


During registration of the adware, the user may be redirected to one of the following web sites:

http://www.antivirussecuritypro.com

http://www.drivecleaner.com

http://www.systemdoctor.com

http://www.winantivirus.com

http://www.winantiviruspro.com

http://www.sysprotect.com

http://www.errorprotector.com

http://www.amaena.com

http://www.winantispyware.com

http://www.errorsafe.com

http://www.winfirewall.com

http://www.winpopupguard.com

http://www.winantispy.com

http://www.windrivecleaner.com

http://www.stopguard.com

http://www.virusguard.com

http://www.winfixer.com

Example [9.]: (screenshot Win32.Adware.Virtumonde.FP.Application_example_BY, not reproduced here)

The adware may set the following Registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\FCOVM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\RemoveRP]


The adware alters the behavior of the following processes:

lsass.exe

ad-aware.exe

wrsssdk.exe

hijackthis.exe

firefox.exe

mozilla.exe