Win32/Skintrim [Threat Name]

Win32/Skintrim.GH [Threat Variant Name]

Category: trojan
Size: 618496 B
Aliases: Packed.Win32.Hrup.b (Kaspersky)
         TrojanDownloader:Win32/Wintrim.BH (Microsoft)
         Skintrim.gen.c.trojan (McAfee)
Short description

Win32/Skintrim.GH is a trojan used for delivery of unsolicited advertisements.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%malwarefilenamewithoutextension%" = ""%malwarefilepath%" %malwarefilenamewithoutextension%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%malwarefilenamewithoutextension%" = ""%malwarefilepath%" %malwarefilenamewithoutextension%"

The trojan may create the following files:

  • %system%\%malwarefilenamewithoutextension%_nav.dat
  • %system%\%malwarefilenamewithoutextension%_navps.dat
  • %system%\%malwarefilenamewithoutextension%_navup.dat
  • %system%\%malwarefilenamewithoutextension%_navtmp.dat
  • %currentfolder%\%malwarefilenamewithoutextension%.dat
  • %currentfolder%\%malwarefilenamewithoutextension%_m2s.xml
  • %currentfolder%\%malwarefilenamewithoutextension%_s2m.xml
  • %currentfolder%\%malwarefilenamewithoutextension%_m2s.zl
  • %currentfolder%\%malwarefilenamewithoutextension%_s2m.zl

Information stealing

The trojan collects the following information:

  • network adapter information
  • type of Internet connection
  • operating system version
  • Internet Explorer version
  • antivirus software detected on the affected machine

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan program is designed to deliver various advertisements to the user's system.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\%malwarefilenamewithoutextension%]
    • "DisplayName" = "Favorit"
    • "UninstallString" = "%malwarefilepath% -uninstall"
    • "NoRemove" = 0
    • "NoModify" = 1
    • "NoRepair" = 1
    • "DisplayIcon" = "%data%"
    • "Comments" = "%data%"
    • "Contact" = "%data%"
    • "DisplayVersion" = "%data%"
    • "HelpLink" = "%data%"
    • "HelpTelephone" = "%data%"
    • "InstallDate" = "%data%"
    • "InstallLocation" = "%data%"
    • "ModifyPath" = "%data%"
    • "Publisher" = "%data%"
    • "Readme" = "%data%"
    • "URLInfoAbout" = "%data%"
    • "URLUpdateInfo" = "%data%"
  • [HKEY_CURRENT_USER\Software\mc]
    • "NaviDebugFile" = "%data%"
    • "navicountry" = "%data%"
    • "navtime" = "%data%"
    • "dv2" = "%data%"
    • "mode" = "dev"
  • [HKEY_CURRENT_USER\Software\fcn]
    • "gid" = "252"
    • "cnid" = "%variable%"
    • "did" = "%data%"
    • "idt" = "%data%"

A string with variable content is used instead of %variable%.
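As an added example that is not part of this ESET description, the following PowerShell check looks for the Registry artefacts listed above on a host under investigation: Run values in the ""%malwarefilepath%" %malwarefilenamewithoutextension%" form, the "Favorit" uninstall entry, and the HKCU\Software\mc and HKCU\Software\fcn keys. It only reads the Registry and reports matches for an analyst to review; the key and value names are those on this page, nothing else is assumed.

```powershell
# Read-only sweep for the Skintrim.GH Registry artefacts described above.
# Run from an elevated PowerShell on the suspect host; nothing is modified.
$findings = @()

# 1. Run-key persistence: value name equals the executable's base name and the
#    data has the form "<path>" <basename>, as listed in the Installation section.
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runKey)) { continue }
    $props = (Get-ItemProperty -Path $runKey).PSObject.Properties
    foreach ($p in $props) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
        $value = [string]$p.Value
        if ($value -match '^"(?<path>[^"]+)"\s+(?<arg>\S+)$') {
            $base = [IO.Path]::GetFileNameWithoutExtension($Matches.path)
            if ($p.Name -eq $base -and $Matches.arg -eq $base) {
                $findings += "$runKey value '$($p.Name)' matches the Skintrim pattern: $value"
            }
        }
    }
}

# 2. Fake Add/Remove Programs entry: DisplayName "Favorit" with an
#    UninstallString ending in " -uninstall".
$uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem -Path $uninstall -ErrorAction SilentlyContinue | ForEach-Object {
    $e = Get-ItemProperty -Path $_.PSPath
    if ($e.DisplayName -eq 'Favorit' -or
        ($e.UninstallString -like '* -uninstall' -and $e.NoModify -eq 1 -and $e.NoRepair -eq 1)) {
        $findings += "Uninstall entry '$($_.PSChildName)': DisplayName='$($e.DisplayName)' " +
                     "UninstallString='$($e.UninstallString)'"
    }
}

# 3. Configuration keys the trojan creates under HKCU ("mode"="dev", "gid"="252", ...).
foreach ($key in 'HKCU:\Software\mc', 'HKCU:\Software\fcn') {
    if (Test-Path $key) {
        $vals = (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "$($_.Name)=$($_.Value)" }
        $findings += "$key exists (values: $($vals -join ', '))"
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Skintrim.GH Registry artefacts found.' }
```

A hit on check 1 alone is only a pattern match; confirm by inspecting the referenced executable and the companion files listed in the Installation section before acting.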


The trojan can create and run a new thread with its own program code within the following processes:

  • explorer.exe
  • firefox.exe

The trojan hooks the following Windows APIs:

  • send (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • closesocket (ws2_32.dll)

The trojan is able to update itself or execute an arbitrary file.


The trojan contains a list of 7 URLs. The HTTP protocol is used.
