Win32/Olmarik [Threat Name]

Win32/Olmarik.AYY [Threat Variant Name]

Category: trojan
Size: 246272 B
Detection created: Apr 10, 2013
Detection database version: 8212
Aliases:
  • Trojan-Dropper.Win32.TDSS.axai (Kaspersky)
  • BackDoor.Tdss.9693 (Dr.Web)
  • Trojan:Win32/Alureon.GD (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. It uses techniques common for rootkits. The trojan contains both 32-bit and 64-bit program components.

Installation

The trojan replaces the Master Boot Record with its own code that will gain control of the compromised computer when it restarts.


The trojan writes its own data to the end of the physical drive.


The trojan may create copies of itself using the following filenames:

  • %temp%\%variable%.tmp
  • %temp%\%variable%.tmp.dat
  • %temp%\%variable%.dat
  • %profile%\AppData\LocalLow\ncrypt.dll
  • %profile%\AppData\LocalLow\%variable%.tmp
  • %windir%\system32\sysprep\cryptbase.dll
  • %windir%\system32\sysprep\syssetup.dll

A string with variable content is used instead of %variable%.


The trojan may create the following files:

  • %profile%\AppData\LocalLow\install_flashplayer.exe

The file is then executed.


The trojan may install the following system drivers (path, name): %temp%\%variable%.tmp, %variable%


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%variable%]
    • "ImagePath" = "\??\%temp%\%variable%.tmp"
    • "Type" = 1

The trojan may execute the following commands:

  • %windir%\system32\runlegacycplelevated.exe shell32.dll,Control_RunDLL %temp%\%variable%.tmp
  • %windir%\syswow64\runlegacycplelevated.exe shell32.dll,Control_RunDLL %temp%\%variable%.tmp

The trojan starts the Print Spooler service.


The trojan creates and runs a new thread with its own program code within the following processes:

  • svchost.exe -k netsvcs

The trojan can create and run a new thread with its own program code within the following processes:

  • explorer.exe
  • iexplore.exe
  • sysprep.exe
  • runlegacycplelevated.exe
  • install_flashplayer.exe

The trojan is able to bypass User Account Control (UAC).


The trojan may display the following dialog windows:

The trojan may perform operating system restart.

Information stealing

The trojan collects the following information:

  • operating system version
  • language settings
  • country
  • default Internet browser
  • list of running processes

The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL address. The HTTP protocol is used in the communication.

Other information

The trojan serves as a backdoor. It can be controlled remotely.


The trojan is able to update itself or execute an arbitrary file.


The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics, etc.


The trojan hooks the following Windows APIs:

  • CoCreateInstance (ole32.dll)
  • CoGetClassObject (ole32.dll)
  • DialogBoxIndirectParamW (user32.dll)
  • DialogBoxParamW (user32.dll)
  • DirectSoundCreate (dsound.dll)
  • GetAddrInfoW (ws2_32.dll)
  • MessageBoxW (user32.dll)
  • MessageBoxIndirectW (user32.dll)
  • waveOutOpen (winmm.dll)

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "NoNewWindows" = 1
    • "Error Dlg Displayed On Every Error" = "no"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
    • "%currentprocessfilename%" = 8888
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "MaxHttPredirects" = 8888
    • "EnableHttp1_1" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "CurrentLevel" = 0
    • "1400" = 0
    • "1601" = 0
    • "1803" = 3
