Malware Trojan.PWS.Panda.2395

Posted: October 15, 2012 in Encyclopedia viruses

Malware: Trojan.PWS.Panda.2395

Technical information

To ensure autorun and distribution:

Modifies the following registry keys:

  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '{1D476073-5E7F-AD41-B897-60D4A63F43C6}' = '"%APPDATA%\Ubbifa\ykud.exe"'

Malicious functions:

To bypass the firewall, it removes or modifies the following registry keys:

  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = 00000001

Creates and executes:

  • %APPDATA%\Ubbifa\ykud.exe

Injects code into the following system processes:

  • <SYSTEM32>\ctfmon.exe
  • a large number of user processes

Modifies Windows Internet Explorer settings:

  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1406' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1609' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1406' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1406' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1609' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1609' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1609' = '00000000'

(Zones 0 to 4 are My Computer, Local intranet, Trusted sites, Internet and Restricted sites. Value 1406 is the "Access data sources across domains" action and 1609 is "Display mixed content"; 0 means Enabled, so the changes loosen the browser's cross-domain and mixed-content protections in every zone.)

Changes in the file system:

Creates the following files:

  • <LS_APPDATA>\apnui.sig
  • %APPDATA%\Ubbifa\ykud.exe

Network activity:

UDP:

  • '15#.#2.189.137':13987
  • '98.##2.19.14':17675
  • '99.##3.161.114':25897
  • '65.##3.182.110':11716

Other:

Searches for the following windows:

  • ClassName: 'Indicator' WindowName: ''
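The host artifacts listed in this entry (the Run value, the dropped files, the firewall notification setting and the Internet Explorer zone values) can be checked on a suspect machine with the following PowerShell script. It is an added example, not part of the original encyclopedia entry or any vendor tool. It assumes it runs in the profile of the affected user, maps the entry's <LS_APPDATA> placeholder to %LOCALAPPDATA%, and also inspects CurrentControlSet alongside the ControlSet001 path the entry names; the masked UDP endpoints cannot be checked from the page and are left out.

```powershell
# Added example (not the encyclopedia's own code): look for the host indicators
# of Trojan.PWS.Panda.2395 listed in the entry. Run as the affected user.
$findings = @()

# 1. Autorun value under HKCU\...\Run, keyed by the GUID name from the entry
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$guid   = '{1D476073-5E7F-AD41-B897-60D4A63F43C6}'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $guid)) {
    $findings += "Run value $guid = $($run.$guid)"
}

# 2. Dropped files. Assumption: <LS_APPDATA> in the entry corresponds to %LOCALAPPDATA%.
$paths = @(
    (Join-Path $env:APPDATA 'Ubbifa\ykud.exe'),
    (Join-Path $env:LOCALAPPDATA 'apnui.sig')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 3. Firewall notification suppression. The entry names ControlSet001; the
#    live configuration is under CurrentControlSet, so both are checked.
foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
    $fw = "HKLM:\SYSTEM\$cs\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
    $v = (Get-ItemProperty -Path $fw -Name DisableNotifications -ErrorAction SilentlyContinue).DisableNotifications
    if ($v -eq 1) { $findings += "Firewall notifications disabled under $fw" }
}

# 4. IE zone actions 1406 (access data sources across domains) and 1609
#    (display mixed content) set to 0 (= Enabled) in zones 0-4, as in the entry.
#    Caveat: some zones have 0 as their default, so treat these hits as
#    corroborating evidence only, not as proof on their own.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
foreach ($z in 0..4) {
    $zk = Join-Path $zoneRoot ([string]$z)
    foreach ($name in '1406', '1609') {
        $v = (Get-ItemProperty -Path $zk -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $v -and $v -eq 0) {
            $findings += "IE zone $z action $name = 0 (Enabled)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.PWS.Panda.2395 host indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

The Run value and the two file paths are the strong indicators here; the firewall and zone values are weaker on their own because legitimate software and policy can set them too, so a hit on the first group should drive the response and the second group used to confirm it. Because the entry reports code injection into ctfmon.exe and other processes, a clean registry and file system do not by themselves prove the process space is clean; memory triage is still warranted when the strong indicators fire.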
