ViRobot/HAURI

Trojan.Win32.S.Infostealer.55296
Type
Trojan Horse
Risk level / Spread level
/
Discovery date
[Korea] 2014-01-20 [Foreign] 2014-01-20
ViRobot response
-- [Able to detect & repair]

[File]

ko.dll (MD5 : E2B7364425133698236EDE46460D1F27, SIZE : 55,296)


A. Main symptoms of infection

It collects system information and sends the collected data to a specific email account.


B. Analysis information

1) It loads the APIs needed to run the malicious code.


2) It collects system information (e.g. OS version, Product ID, host name, ...) and saves it to the path %temp%\nls303kr.lex.


3) It bypasses the firewall.


4) It tries to connect to the following mail server and log in.


- Domain : mail.india.com
- ID : *********@india.com PW : ****************


5) It reads the nls303kr.lex file and encrypts its contents.
The encrypted file is saved to the path %temp%\1.pdf.


- Decoding logic (figure)

6) If the login succeeds, it sends 1.pdf via email.


7) It downloads files from the email inbox and runs them; at the time of analysis, however, no files were actually being downloaded.

Path: %temp%\kmplayer.exe
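The indicators in steps 2 through 7 (the %temp% artifact names, the sample's MD5 and size, and the mail server used as a C2 channel) can be turned into a simple host and log triage script. The following is an added example, not HAURI/ViRobot code: the indicators are taken from this write-up, while the connection-log format, the sample log lines and the process names in them are constructed assumptions for the example.

```python
"""Host and log triage for the Trojan.Win32.S.Infostealer.55296 indicators.

Added example, not HAURI/ViRobot code.  The indicators (MD5 and size of
ko.dll, the %temp% file names, the mail server) come from the write-up; the
connection-log format and the sample log lines are constructed assumptions.
"""
import hashlib
import os
import re
import tempfile

# Indicators from the analysis.
SAMPLE_MD5 = "e2b7364425133698236ede46460d1f27"
SAMPLE_SIZE = 55296
TEMP_ARTIFACTS = ("nls303kr.lex", "1.pdf", "kmplayer.exe")
MAIL_C2_HOST = "mail.india.com"
# Assumption: the mail login/fetch may use any common SMTP/POP3/IMAP port.
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}


def md5_hex(data):
    """MD5 of a byte string as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def file_md5(path):
    """MD5 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_sample(path):
    """True if the file has both the size and the MD5 of the analysed ko.dll."""
    return os.path.getsize(path) == SAMPLE_SIZE and file_md5(path) == SAMPLE_MD5


def scan_temp_dir(temp_dir):
    """Return which of the malware's %temp% artifacts exist in temp_dir."""
    return [n for n in TEMP_ARTIFACTS
            if os.path.isfile(os.path.join(temp_dir, n))]


# Constructed connection-log format (assumption): "<timestamp> <process> <host>:<port>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)$")


def flag_mail_c2(log_lines):
    """Return (process, host, port) for each connection to the C2 mail server."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        proc, host, port = m.group(2), m.group(3), int(m.group(4))
        if host.lower() == MAIL_C2_HOST and port in MAIL_PORTS:
            hits.append((proc, host, port))
    return hits


# Constructed sample log; the process names are illustrative only.
SAMPLE_LOG = [
    "2014-01-20T10:00:01 rundll32.exe mail.india.com:110",
    "2014-01-20T10:00:02 outlook.exe mail.example.org:993",
    "2014-01-20T10:00:03 rundll32.exe mail.india.com:25",
    "malformed line",
]


def demo_scan():
    """Build a throw-away directory holding some artifact names and scan it."""
    d = tempfile.mkdtemp()
    try:
        for name in ("nls303kr.lex", "1.pdf", "readme.txt"):  # readme.txt is a decoy
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"x")
        return scan_temp_dir(d)
    finally:
        for name in os.listdir(d):
            os.remove(os.path.join(d, name))
        os.rmdir(d)


if __name__ == "__main__":
    real_temp = os.environ.get("TEMP") or tempfile.gettempdir()
    print("artifacts in %s: %s" % (real_temp, scan_temp_dir(real_temp)))
    print("mail C2 connections:", flag_mail_c2(SAMPLE_LOG))
    print("demo scan:", demo_scan())
```

Run it on a suspect host to list which of the three %temp% artifacts are present, and pass `matches_sample()` the path of any ko.dll found to confirm it is the analysed sample. The log check keys on the destination host rather than the process name, because the page does not say which process hosts ko.dll; any mail-protocol connection to mail.india.com from a machine that has no business with that provider is the signal.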


[How to repair]

Repairable by ViRobot engine ver. 2014-02-13 or above.