Win32/Skintrim [Threat Name]

Win32/Skintrim.CC [Threat Variant Name]

Category trojan
Size 949284 B
Aliases Trojan-Downloader.Win32.Lipler.axkd (Kaspersky)
  TrojanDownloader:Win32/Wintrim.BX (Microsoft)
  LivePlayer (Symantec)
Short description

Win32/Skintrim.CC is a trojan that installs Win32/Skintrim.GH malware.

Installation

The trojan is usually bundled within installation packages of various legitimate software.

The trojan displays dialog boxes during installation.

The trojan creates the following files:

  • %temp%\%variable%.tmp\modern-header.bmp (25820 B)
  • %temp%\%variable%.tmp\modern-wizard.bmp (154544 B)
  • %temp%\%variable%.tmp\nsDialogs.dll (8704 B)
  • %temp%\%variable%.tmp\System.dll (10752 B)
  • %temp%\%variable%.tmp\header_LP.bmp (85098 B)
  • %temp%\%variable%.tmp\FavoritDE.rtf (23917 B)
  • %temp%\%variable%.tmp\FavoritEN.rtf (19395 B)
  • %temp%\%variable%.tmp\FavoritES.rtf (21742 B)
  • %temp%\%variable%.tmp\FavoritFR.rtf (23968 B)
  • %temp%\%variable%.tmp\FavoritIT.rtf (22431 B)
  • %temp%\%variable%.tmp\NSISdl.dll (14848 B)
  • %temp%\%variable%.tmp\ExtractDLL.dll (9728 B)
  • %temp%\%variable%.tmp\FindProcDLL.dll (3584 B)
  • %temp%\%variable%.tmp\searchsolverlogo_FR.bmp (268614 B)
  • %temp%\%variable%.tmp\searchsolverlogo_EN.bmp (268614 B)
  • %temp%\%variable%.tmp\searchsolverlogo_DE.bmp (268614 B)
  • %temp%\%variable%.tmp\searchsolverlogo_ES.bmp (268614 B)
  • %temp%\%variable%.tmp\searchsolverlogo_IT.bmp (268614 B)
  • %programfiles%\Live-Player\data\translation_file_live-player.xml (22979 B)
  • %programfiles%\Live-Player\data\flv.swf (55077 B)
  • %programfiles%\Live-Player\img\nologo.png (5797 B)
  • %programfiles%\Live-Player\uninst.exe (93857 B)
  • %allusersdesktop%\Live-Player.lnk (718 B)
  • %mozillafirefoxprofilepath%\searchplugins\Search Solver.xml (1868 B)
  • %commonstartmenu%\Programs\Live-Player\Live-Player.lnk (551 B)
  • %commonstartmenu%\Programs\Live-Player\Privacy Policy.url (64 B)
  • %commonstartmenu%\Programs\Live-Player\Terms and Conditions.url (62 B)
  • %commonstartmenu%\Programs\Live-Player\Uninstall.lnk (527 B)
  • %commonstartmenu%\Programs\Live-Player\Website.url (53 B)

A string with variable content is used instead of %variable%.

The trojan contains a list of 7 URLs.

It tries to download several files from these addresses.

These are stored in the following locations:

  • %localappdata%\%variable%.exe (Win32/Skintrim.GH)
  • %temp%\db.dat
  • %temp%\skin_dll.dat
  • %temp%\sqlite_dll.dat
  • %temp%\liveplayer_exe.dat
  • %temp%\liveplayer_skin.dat
  • %temp%\vcredist_x86.dat
  • %programfiles%\Live-Player\%variable%

The HTTP protocol is used.

The trojan executes the following commands:

  • %localappdata%\%variable%.exe INSTALL:|||%number%|1
  • %programfiles%\Live-Player\%variable%

The trojan may create copies of the following files (source, destination):

  • %temp%\liveplayer_exe.dat, %programfiles%\Live-Player\live-player.exe
  • %temp%\sqlite_dll.dat, %programfiles%\Live-Player\sqlite3.dll
  • %temp%\liveplayer_skin.dat, %programfiles%\Live-Player\skins\live-player.skf
  • %temp%\db.dat, %programfiles%\Live-Player\data\liveplayer.s3db
  • %temp%\skin_dll.dat, %programfiles%\Live-Player\SkinCrafterDll.dll

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live-Player]
    • "DisplayName" = "Live-Player"
    • "UninstallString" = "%liveplayerrootfolder%\uninst.exe"
    • "UninstallString2" = "%liveplayerrootfolder%\uninst.exe /S"
    • "DisplayIcon" = "%liveplayerrootfolder%\Live-Player.exe"
    • "DisplayVersion" = "2.0"
    • "URLInfoAbout" = "http://www.Live-player.com/"
    • "Publisher" = "Favorit Network S.L."
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Live-Player]
    • "(Default)" = "%liveplayerrootfolder%"
    • "ApplicationVersionInstall" = "2001"
    • "DBVersion" = "1001"
    • "dl_browser" = "IE"
    • "dl_hp_url" = "http://www.search-solver.com/?t=Q%variable%&s=h"
    • "dl_lg" = "1033"
    • "dl_se_name" = "Search Solver"
    • "dl_se_url" = "http://www.search-solver.com/result.php?t=Q%variable%&s=b&keywords={searchTerms}"
    • "dl_se_icon" = "http://www.search-solver.com/favicon.ico"
    • "grpid" = "490"
    • "installdt" = "%variable%"
    • "Language" = "EN"
    • "sp_id" = "1"
  • [HKEY_CURRENT_USER\Software\Live-Player]
    • "(Default)" = "%liveplayerrootfolder%\Live-Player"
    • "_status" = "ok"
    • "ApplicationVersionInstall" = "2001"
    • "DBVersion" = "1001"
    • "dl_browser" = "IE"
    • "dl_hp_url" = "http://www.search-solver.com/?t=Q%variable%&s=h"
    • "dl_se_name" = "Search Solver"
    • "dl_se_url" = "http://www.search-solver.com/result.php?t=Q%variable%&s=b&keywords={searchTerms}"
    • "dl_se_icon" = "http://www.search-solver.com/favicon.ico"
    • "grpid" = "490"
    • "installdt" = "%variable%"
    • "Language" = "EN"

Other information

The trojan may delete files stored in the following folders:

  • %temp%\%variable%.tmp\

The trojan affects the behavior of the following applications:

  • Microsoft Internet Explorer
  • Mozilla Firefox
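
The file, shortcut and Registry artifacts listed in this description can be checked for on a suspect host with the read-only PowerShell hunt below. This is an added example, not part of the ESET description; it maps the description's placeholders (%programfiles%, %commonstartmenu%, %allusersdesktop%, %temp%, %mozillafirefoxprofilepath%) to the usual Windows locations, which is an assumption, and it only reports what it finds.

```powershell
# Added example (not from the ESET description): read-only hunt for the
# Win32/Skintrim.CC / Live-Player artifacts listed above. Run in an elevated
# PowerShell on the host under investigation. Placeholder-to-folder mappings
# below are assumptions; adjust them if the host uses non-default locations.

$registryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live-Player',
    'HKLM:\SOFTWARE\Live-Player',
    'HKCU:\Software\Live-Player'
)

# Values from the description that identify the install (value name -> expected substring).
$markerValues = @{
    'dl_se_name' = 'Search Solver'
    'dl_se_url'  = 'search-solver.com'
    'grpid'      = '490'
    'Publisher'  = 'Favorit Network'
}

$commonStartMenu = [Environment]::GetFolderPath('CommonStartMenu')      # %commonstartmenu%
$commonDesktop   = [Environment]::GetFolderPath('CommonDesktopDirectory') # %allusersdesktop%

$filePaths = @(
    (Join-Path $env:ProgramFiles 'Live-Player\live-player.exe'),
    (Join-Path $env:ProgramFiles 'Live-Player\sqlite3.dll'),
    (Join-Path $env:ProgramFiles 'Live-Player\SkinCrafterDll.dll'),
    (Join-Path $env:ProgramFiles 'Live-Player\skins\live-player.skf'),
    (Join-Path $env:ProgramFiles 'Live-Player\data\liveplayer.s3db'),
    (Join-Path $env:ProgramFiles 'Live-Player\uninst.exe'),
    (Join-Path $commonDesktop 'Live-Player.lnk'),
    (Join-Path $commonStartMenu 'Programs\Live-Player\Live-Player.lnk'),
    (Join-Path $env:TEMP 'db.dat'),
    (Join-Path $env:TEMP 'skin_dll.dat'),
    (Join-Path $env:TEMP 'sqlite_dll.dat'),
    (Join-Path $env:TEMP 'liveplayer_exe.dat'),
    (Join-Path $env:TEMP 'liveplayer_skin.dat'),
    (Join-Path $env:TEMP 'vcredist_x86.dat')
)

$findings = New-Object System.Collections.Generic.List[object]

# Registry keys and the identifying values under them.
foreach ($key in $registryKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings.Add([pscustomobject]@{ Type = 'RegistryKey'; Item = $key; Detail = 'present' })
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        foreach ($name in $markerValues.Keys) {
            $value = $props.$name
            if ($value -and ($value -like "*$($markerValues[$name])*")) {
                $findings.Add([pscustomobject]@{ Type = 'RegistryValue'; Item = "$key\$name"; Detail = $value })
            }
        }
    }
}

# Dropped files, staged downloads and shortcuts.
foreach ($path in $filePaths) {
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        $findings.Add([pscustomobject]@{ Type = 'File'; Item = $path; Detail = "$size B" })
    }
}

# The Firefox search plugin lands in the profile directory, which varies per user.
$ffPlugins = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\*\searchplugins\Search Solver.xml'
Get-ChildItem -Path $ffPlugins -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{ Type = 'File'; Item = $_.FullName; Detail = 'Firefox search plugin' })
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Skintrim.CC / Live-Player artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

HKCU: and $env:APPDATA only cover the account the script runs as; for a whole-host sweep, repeat the HKEY_CURRENT_USER check under each loaded hive in HKEY_USERS and the Firefox check under each user profile directory.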
