Win64/Asterope [Threat Name]

Win64/Asterope.A [Threat Variant Name]

Category: trojan
Size: 134656 B
Detection created: Sep 15, 2014
Detection database version: 10421
Aliases: Trojan.Win32.Agent.alvxa (Kaspersky)
  Trojan:Win64/Ropest.G (Microsoft)
  Trojan.Horse (Symantec)
Short description

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics, etc. It can be controlled remotely. The trojan is usually part of other malware.

Installation

The trojan searches for files with the following file extensions:

  • .exe

Only the following folders are searched:

  • %system%

It avoids files whose path contains any of the following strings:

  • calc.exe
  • cmd.exe
  • freecell.exe
  • install
  • ping.exe
  • route.exe
  • setup
  • setup.exe
  • taskmgr.exe
  • telnet.exe
  • update

When the trojan finds a file matching the search criteria, it creates a new copy of itself.


The trojan copies itself to the following location:

  • %appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe

The file name and extension of the newly created file are derived from the original one.


The trojan creates the following file:

  • %startup%\%selectedfilename%.lnk

The file is a shortcut to a malicious file.


This causes the trojan to be executed on every system start.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_USERS\%sid%\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%selectedfilename%" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\%sid%\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%selectedfilename%" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\%sid%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "Run" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\%sid%\Software\Microsoft\Command Processor]
    • "AutoRun" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\%sid%\Control Panel\Desktop]
    • "SCRNSAVE.EXE" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%selectedfilename%" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%selectedfilename%" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "Run" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Command Processor]
    • "AutoRun" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\.DEFAULT\Control Panel\Desktop]
    • "SCRNSAVE.EXE" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
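A defender-side hunt for the persistence artifacts listed above (the IEUpdate drop directory, the Startup-folder shortcut, and the Run, RunOnce, Policies\Explorer "Run", Command Processor "AutoRun" and "SCRNSAVE.EXE" values under every loaded user hive), written here as an added PowerShell example; it is not part of the ESET write-up and assumes the IEUpdate directory name is stable across infections:

```powershell
# Added hunt script (not from the ESET write-up): walks the persistence locations
# listed above under every loaded HKEY_USERS hive, including .DEFAULT, plus the
# Startup folder and the drop directory. Read-only; run elevated to see all hives.
# Assumption: the IEUpdate directory name is constant across infections.
$marker = '\Microsoft\Windows\IEUpdate\'
# Value locations from the write-up, relative to each HKEY_USERS\<sid> hive;
# Name = $null means "inspect every value under the key".
$locations = @(
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Run';               Name = $null },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\RunOnce';           Name = $null },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'Run' },
    @{ Sub = 'Software\Microsoft\Command Processor';                        Name = 'AutoRun' },
    @{ Sub = 'Control Panel\Desktop';                                       Name = 'SCRNSAVE.EXE' }
)
$findings = New-Object System.Collections.Generic.List[object]
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {          # .DEFAULT and every loaded SID
    foreach ($loc in $locations) {
        $keyPath = "Registry::$($hive.Name)\$($loc.Sub)"
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key   = Get-Item -LiteralPath $keyPath
        $names = if ($loc.Name) { @($loc.Name) } else { $key.GetValueNames() }
        foreach ($n in $names) {
            $data = $key.GetValue($n)                                 # REG_EXPAND_SZ is expanded here
            if ($data -is [string] -and $data -like "*$marker*") {
                $findings.Add([pscustomobject]@{ Where = $key.Name; Name = $n; Data = $data })
            }
        }
    }
}
# Startup-folder shortcut whose target resolves into the drop directory (the .lnk described above)
$startup = [Environment]::GetFolderPath('Startup')
$wsh = New-Object -ComObject WScript.Shell
foreach ($lnk in Get-ChildItem -LiteralPath $startup -Filter *.lnk -ErrorAction SilentlyContinue) {
    $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
    if ($target -like "*$marker*") {
        $findings.Add([pscustomobject]@{ Where = 'Startup folder'; Name = $lnk.Name; Data = $target })
    }
}
# The drop directory itself, for the user running the script
$dropDir = Join-Path $env:APPDATA 'Microsoft\Windows\IEUpdate'
if (Test-Path -LiteralPath $dropDir) {
    $findings.Add([pscustomobject]@{ Where = 'Filesystem'; Name = 'drop directory'; Data = $dropDir })
}
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No Asterope persistence indicators found.' }
```

Only hives currently loaded under HKEY_USERS are inspected; to cover logged-off users, load their NTUSER.DAT with reg.exe first or run the hunt through an EDR that enumerates offline hives.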

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 0
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "{A8A88C49-5EB2-4990-A1A2-0876022C854F}" = %binary%
    • "{AEBA21FA-782A-4A90-978D-B72164C80120}" = %binary%
    • "1400" = 0
    • "1402" = 0
    • "1601" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1400" = 0
    • "1402" = 0
    • "1601" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1400" = 0
    • "1402" = 0
    • "1601" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1400" = 0
    • "1402" = 0
    • "1601" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1400" = 0
    • "1402" = 0
    • "1601" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1
    • "Display Inline Images" = "yes"
    • "DisableScriptDebuggerIE" = "yes"
    • "Disable Script Debugger" = "yes"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer]
    • "GlobalUserOffline" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS]
    • "CheckedValue" = "yes"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
    • "%malwarefilename%" = %variable1%
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING]
    • "%malwarefilename%" = 1

A string with variable content is used in place of %variable1%.


The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The trojan adds an exception to the Windows Firewall settings so that its traffic is not blocked.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • operating system version
  • Internet Explorer version
  • CPU information
  • memory status
  • malware version
  • information about the operating system and system settings

The trojan attempts to send the gathered information to a remote machine. The UDP and HTTP protocols are used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


It uses its own P2P network for communication.


The trojan contains a list of 516 IP addresses. The UDP, TCP and HTTP protocols are used.


It can execute the following operations:

  • simulate user input (clicks, taps)
  • update itself to a newer version
  • create Registry entries
  • download files from a remote computer and/or the Internet
  • run executable files

The trojan opens UDP port 48754 and TCP port 48754.


The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics, etc.


The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\%variable1%]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\%variable1%\Enum]
  • [HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\5.0\Shared Settings\Setup\%variable2%]

The trojan keeps various information in the following files:

  • %systemdrive%\Recycler\%variable3%\$ast-%variable3%\%variable4%.dat
  • %systemdrive%\$Recycle.bin\%variable3%\$ast-%variable3%\%variable4%.dat
  • %systemdrive%\RECYCLED\$ast-%variable3%\%variable4%.dat
  • %systemdrive%\$RECYCLE.BIN\$ast-%variable3%\%variable4%.dat

A string with variable content is used in place of each of %variable1% to %variable4%.


The trojan hooks the following Windows APIs:

  • ZwQueryInformationProcess (ntdll.dll)
  • ZwResumeThread (ntdll.dll)
  • InternetSetStatusCallbackA (wininet.dll)
  • DialogBoxIndirectParamAorW (user32.dll)
  • GetCursorPos (user32.dll)
  • waveOutWrite (winmm.dll)
