Trojan targeting Vietnamese Speakers (Apr 2, 2010)

SonicWALL UTM Research team observed reports of a new Trojan targeting Vietnamese speakers reported by Google here. Authors of this malware repackaged the binary together with Vietnamese keyboard driver VPSKeys. VPSKeys is a legitimate application that provides Vietnamese keyboard support to Windows users.

Users who downloaded this keyboard driver may not be aware that it is a tampered version since both the VPSKeys installer and the malicious binary looks the same except for the file size discrepancy.

Screenshot of VPSKeys

Installation

• Copies and runs itself at %User%Application Data folder.

Files Installed

• %User%Application DataJavajre6binjucheck.exe -
• %User%Application DataJavajre6binzf32.dll
• %User%Application DataVpskeys43.exe -
• Program FilesAdobeAdobeUpdateManager.exe - ]
• Program FilesAdobezf32.dll
• Program FilesMicrosoft OfficeOffice11OSA.exe -
• Program FilesWindows DefenderMPClient.exe -
• Program FilesWindows DefenderMPSvc.exe -
• Program FilesJavajre6binjucheck.exe -
• Program FilesJavajre6binzf32.dll
• Program FilesWindows NTWindows Updatewuauclt.exe -
• Program FilesWindows NTWindows Updatezf32.dll
• %Windir%system32mscommon.inf
• %Windir%system32msconfig32.sys
• %Windir%system32zf32.dll
• %Windir%system32SetupAdobeUpdateManager.exe -
• %Windir%system32Setupjucheck.exe -
• %Windir%system32SetupMPClient.exe -
• %Windir%system32SetupMPSvc.exe -
• %Windir%system32SetupOSA.exe -
• %Windir%system32Setupwuauclt.exe -
• %Windir%system32Setupzf32.dll

Registry Changes

Added Registry
• Key: HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon
  Value: Userinit
  Data: "C:WINDOWSSystem32userinit.exe,C:Program FilesAdobeAdobeUpdateManager.exe"

Added to run the binary as a service

• Key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesjucheck
  Value: ImagePath
  Data: C:Program FilesJavajre6binjucheck.exe

Added to run the binary on every Windows startup

• Key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
  Value: Adobe Update Manager
  Data: "C:Program FilesAdobeAdobeUpdateManager.exe"
• Key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
  Value: Microsoft Office quick launch
  Data: "C:Program FilesMicrosoft OfficeOffice11OSA.exe"
• Key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
  Value: Windows Update Automatic Updates
  Data: "C:Program FilesWindows NTWindows Updatewuauclt.exe"
• Key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
  Value: Adobe Update Manager
  Data: "C:Program FilesAdobeAdobeUpdateManager.exe"
• Key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
  Value: Microsoft Office quick launch
  Data: "C:Program FilesMicrosoft OfficeOffice11OSA.exe"
• Key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
  Value: Windows Update Automatic Updates
  Data: "C:Program FilesWindows NTWindows Updatewuauclt.exe"

  Added to run the binary on Windows Safemode

• Key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimaljucheck
  Value: @
  Data: "Service"
• Key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetworkjucheck
  Value: @
  Data: "Service"

Modified Registry
• Key: HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon
  Value: Userinit
  Original Data: "C:WINDOWSSystem32userinit.exe,
  Modified Data: "C:WINDOWSSystem32userinit.exe,C:Program FilesAdobeAdobeUpdateManager.exe"

Process Created

• jucheck.exe
• AdobeUpdateManager.exe
• MPsvc.exe
• wuauclt.exe
• OSA.exe

Network Activity

It tries to connect to the following domain:

• adobe.ath.cx
• blogspot.blogsite.org
• google.homeunix.com
• tyuqwer.dyndns.org
• update-adobe.com
• voanews.ath.cx
• ymail.ath.cx

This malware is also known as W32/Vulcanbot , Win32/VBbot.V , and VBbot.A

SonicWALL Gateway AntiVirus provides protection against this Trojan via GAV: Vulcanbot (Trojan), GAV: Dosvine (Trojan), GAV: Dosvine_2 (Trojan), GAV: Dosvine_3 (Trojan) and GAV: VBBot.V (Trojan) signatures.