Win32/Chinoxy [Threat Name]
Win32/Chinoxy.E [Threat Variant Name]
Category | trojan
Size | 106496 B
Aliases | Trojan.Win32.Chinoxy.a (Kaspersky), BackDoor.Dklkt.3 (Dr.Web)
Short description
Win32/Chinoxy.E is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.
Installation
When executed, the trojan creates the following files:
- %temp%\wumsvc1.cc3
- %temp%\NetInst.exe
- %temp%\server.dll
- %temp%\ndispacket.sys
- %temp%\ndispacket.inf
- %windir%\Inf\ndispacket.inf
The trojan registers itself as a system service using the following name:
- Desktop Agent
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nwsapagent]
- "Config" = "a2lzc3Uud2FpaGFoYS5jb206NDQzfDo4MHw6ODB8fGh0dHA6Ly9ibG9nLnNpbmEuY29tLmNuL3MvYmxvZ19lOTdmYmY2YjAxMDFxMGMwLmh0bWw"
- "Description" = "NetMeeting Remote Desktop Agent"
- "DisplayName" = "Desktop Agent"
- "DllName" = "server.dll"
- "ErrorControl" = 1
- "Group" = "GG"
- "ImagePath" = "%systemroot%\System32\svchost.exe -k netsvcs"
- "ObjectName" = "LocalSystem"
- "PassWord" = "123"
- "Remark" = ""
- "Start" = 2
- "Type" = 272
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nwsapagent\Parameters]
- "ServiceDll" = "%temp%\service.dll"
- "ServiceMain" = "%variable%"
A string with variable content is used instead of %variable%.
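The service registration above carries two things a responder will want to check: a base64 "Config" value and a ServiceDll hosted by svchost.exe but loaded from %temp%. The Python below is an added example for this page, not ESET's detection logic or any code from the sample: it reproduces the listed registry values as an in-memory dict (so it runs offline against no live registry), decodes the "Config" value as listed above, and applies an assumed heuristic that flags an svchost-hosted service whose DLL lives in a temp path. Reading the decoded fields as host:port pairs and a URL is an assumption based on their shape; the page itself does not document the config layout.

```python
import base64
import re

# Registry values for the service key from the description, reproduced as a
# dict so the checks run offline (constructed from the page, not read from a
# live registry).
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nwsapagent"
SERVICE_VALUES = {
    "Config": "a2lzc3Uud2FpaGFoYS5jb206NDQzfDo4MHw6ODB8fGh0dHA6Ly9ibG9nLnNpbmEu"
              "Y29tLmNuL3MvYmxvZ19lOTdmYmY2YjAxMDFxMGMwLmh0bWw",
    "Description": "NetMeeting Remote Desktop Agent",
    "DisplayName": "Desktop Agent",
    "DllName": "server.dll",
    "ErrorControl": 1,
    "Group": "GG",
    "ImagePath": r"%systemroot%\System32\svchost.exe -k netsvcs",
    "ObjectName": "LocalSystem",
    "PassWord": "123",
    "Remark": "",
    "Start": 2,
    "Type": 272,
    # Subkey ...\Nwsapagent\Parameters, nested for convenience.
    "Parameters": {
        "ServiceDll": r"%temp%\service.dll",
        "ServiceMain": "%variable%",
    },
}


def decode_config(value: str) -> list:
    """Base64-decode the 'Config' value and split it on '|'.

    The stored string carries no '=' padding, so padding is restored before
    decoding. The '|'-separated layout is simply what the decoded bytes show.
    """
    padded = value + "=" * (-len(value) % 4)
    decoded = base64.b64decode(padded).decode("ascii")
    return decoded.split("|")


def svchost_service_findings(values: dict) -> list:
    """Return human-readable findings for one service's registry values.

    Assumed heuristic (not the vendor's rule): a service hosted by
    'svchost.exe -k netsvcs' whose ServiceDll points into a temp directory,
    auto-starting as LocalSystem, with a base64 'Config' that decodes to
    network indicators.
    """
    findings = []
    image = values.get("ImagePath", "").lower()
    dll = values.get("Parameters", {}).get("ServiceDll", "")
    if "svchost.exe" in image and "-k netsvcs" in image:
        if re.search(r"(?i)%temp%|\\temp\\", dll):
            findings.append(f"svchost-hosted ServiceDll in temp path: {dll}")
    if values.get("Start") == 2 and values.get("ObjectName") == "LocalSystem":
        findings.append("auto-start service running as LocalSystem")
    if "Config" in values:
        fields = decode_config(values["Config"])
        # Shape-based classification of the decoded fields (an assumption).
        hosts = [f for f in fields if re.match(r"^[\w.-]+:\d+$", f)]
        urls = [f for f in fields if f.startswith(("http://", "https://"))]
        if hosts or urls:
            findings.append(f"base64 'Config' holds network indicators: {hosts + urls}")
    return findings


if __name__ == "__main__":
    print("Decoded Config fields:", decode_config(SERVICE_VALUES["Config"]))
    for line in svchost_service_findings(SERVICE_VALUES):
        print("FINDING:", line)
```

On a live host the same checks would be driven from the values under the Services key rather than the constructed dict; the temp-path test is deliberately loose (it matches both the %temp% variable and an expanded \Temp\ path) because the registry may hold either form.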
After the installation is complete, the trojan deletes the original executable file.
The following files are deleted:
- %temp%\wumsvc1.cc3
Information stealing
The trojan collects the following information:
- computer name
- user name
- CPU information
- information about the operating system and system settings
- installed Microsoft Windows patches
- memory status
- computer IP address
The trojan attempts to send gathered information to a remote machine.
The trojan contains a list of (4) URLs. The HTTP and TCP protocols are used in the communication.