Win32/Pinit [Threat Name]

Win32/Pinit.BJ [Threat Variant Name]

Category trojan,worm
Size 244224 B
Detection created Sep 09, 2011
Detection database version 6451
Aliases Trojan:Win32/Malagent (Microsoft)
  W32/Sirefef.b (McAfee)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\k64%random1%.exe

This copy of the trojan is then executed.


The trojan creates the following files:

  • %appdata%\Help\comm.till
  • %appdata%\Help\ceptr.till

In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "KeApplet" = "%temp%\ke64%random1%.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\System\Core2\1]
    • "Key" = 13243568
    • "LogLevel" = 250
    • "Path" = "%appdata%\Help\comm.tll"
  • [HKEY_CURRENT_USER\System\Core2\2]
    • "Key" = 13243568
    • "LogLevel" = 250
    • "Path" = "%appdata%\Help\ceptr.tll"
  • [HKEY_CURRENT_USER\System\Core2Inner]
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "MaxConnectionsPer1_0Server" = 100
    • "MaxConnectionsPerServer" = 100

After the installation is complete, the trojan deletes the original executable file.


The trojan can create and run a new thread with its own program code within the following processes:

  • explorer.exe
  • iexplore.exe
  • firefox.exe
  • chrome.exe
  • opera.exe
  • sol.exe

A string with variable content is used instead of %random1%.
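As an added defender-side example (not ESET's tooling and not part of the original report), the following Python parses a `reg export` snapshot and flags the RunOnce persistence value, the numbered `HKCU\System\Core2` configuration slots and the raised WinINet connection limits listed above. The sample export, the user profile path and the expanded file names are constructed for illustration; the value names come from the report.

```python
import re

# Constructed sample in `reg export` format (not taken from the original page):
# the RunOnce value, one Core2 slot and the WinINet tweak the report lists,
# with a made-up user profile path in place of the %temp%/%appdata% variables.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KeApplet"="C:\\Users\\alice\\AppData\\Local\\Temp\\ke64a7f3.exe"
[HKEY_CURRENT_USER\System\Core2\1]
"Key"=dword:00ca14b0
"LogLevel"=dword:000000fa
"Path"="C:\\Users\\alice\\AppData\\Roaming\\Help\\comm.tll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer"=dword:00000064
"""

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; dword data becomes int."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            else:  # REG_SZ: strip quotes and un-escape doubled backslashes
                keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_pinit_indicators(keys):
    """Return findings for the persistence and config entries the report describes."""
    findings = []
    runonce = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    for name, data in keys.get(runonce, {}).items():
        # "KeApplet" pointing at %temp%\ke64<random>.exe (the page also shows k64)
        if re.search(r"\\temp\\ke?64[^\\]*\.exe$", str(data), re.IGNORECASE):
            findings.append(f"RunOnce persistence: {name} -> {data}")
    for key, values in keys.items():
        # Numbered config slots under HKCU\System\Core2 with Key/LogLevel/Path values
        if re.fullmatch(r"HKEY_CURRENT_USER\\System\\Core2\\\d+", key, re.IGNORECASE):
            findings.append(f"Core2 config slot: {key} Path={values.get('Path')}")
    inet = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    for name in ("MaxConnectionsPerServer", "MaxConnectionsPer1_0Server"):
        if keys.get(inet, {}).get(name) == 100:
            findings.append(f"WinINet connection limit raised: {name}=100")
    return findings
```

On a live host the same functions can be fed the output of `reg export HKCU <file>`; the regular expressions absorb the %random1% component of the file name.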

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • user name
  • computer name

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 11 URLs. The HTTP protocol is used.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • set up a proxy server
  • send gathered information

The trojan may create the following files:

  • %temp%\%random2%.m.log
  • %temp%\Low%random3%.m.log
  • %temp%\comm%random4%.tmp
  • %temp%\comm%random4%.tmp.exe

A string with variable content is used instead of %random2-4%.


The trojan hooks the following Windows APIs:

  • connect (ws2_32.dll)
  • getpeername (ws2_32.dll)
  • closesocket (ws2_32.dll)
