Trojan-Downloader.Win32.Suurch.bwv


 

1. What is the Trojan-Downloader.Win32.Suurch.bwv

Trojan-Downloader.Win32.Suurch.bwv is a non-self-replicating Trojan designed to give an attacker remote access to the target computer in order to collect personal or confidential information, such as ID numbers, VISA card passwords, email addresses, birth dates, full names, driver's license numbers and genetic information.

 

2. Technical Details:

 

a. The following files were created in the system:

 

No. Filename Size
1 [each of the following files] 21,632 bytes
    %Temp%\csrss.exe
    %Temp%\hexdump.exe
    %Temp%\iexplarer.exe
    %Temp%\nvsvc32.exe
    %Temp%\setup.exe
    %Temp%\smss.exe
    %Temp%\sysedit.exe
    %Temp%\system.exe
    %Temp%\winlogon.exe
    %Windir%\avp.exe
    %Windir%\avp32.exe
    %Windir%\csrss.exe
    %Windir%\drweb.exe
    %Windir%\login.exe
    %Windir%\nvsvc32.exe
    %Windir%\setup.exe
    %Windir%\smss.exe
    %Windir%\spoolsv.exe
    %Windir%\svchost.exe
    %Windir%\system.exe
    [file and pathname of the sample #1]
    %Windir%\taskmgr.exe
    %Windir%\user.exe
2 %Temp%\iexplorer.exe 2,112 bytes
3 %Temp%\yawghd72y7huhd.tmp 4 bytes
  • Notes:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

b. Memory Modifications

  • There were new processes created in the system:

Process Name Process Filename Allocated Size
[filename of the sample #1] [file and pathname of the sample #1] 208,896 bytes
iexplorer.exe %Temp%\iexplorer.exe 53,248 bytes
csrss.exe %Temp%\csrss.exe 208,896 bytes
hexdump.exe %Temp%\hexdump.exe 208,896 bytes
setup.exe %Temp%\setup.exe 208,896 bytes
smss.exe %Temp%\smss.exe 208,896 bytes

c. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • cquxLsYcws\system32\[filename of the sample #1] = "[file and pathname of the sample #1]"
        • XtuUbstpmnbsqnyc settings\%UserName%\local settings\temp\csrss.exe = "%Temp%\csrss.exe"
        • XtuUbstpmnbsqrgd settings\%UserName%\local settings\temp\smss.exe = "%Temp%\smss.exe"
        • XtuUbstpmnbsqotc settings\%UserName%\local settings\temp\hexdump.exe = "%Temp%\hexdump.exe"
        • XtuUbstpmnbsqrvc settings\%UserName%\local settings\temp\setup.exe = "%Temp%\setup.exe"

        so that [file and pathname of the sample #1] runs every time Windows starts
        so that csrss.exe runs every time Windows starts
        so that smss.exe runs every time Windows starts
        so that hexdump.exe runs every time Windows starts
        so that setup.exe runs every time Windows starts
         
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
        • DisableSR = 0x00000001

        to disable the System Restore tools on the Start menu
         
      • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
        • PopupMgr = "yes"
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
        • NoFolderOptions = 0x00000001

        to remove the Folder Options item from all Windows Explorer menus and from Control Panel
         
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
        • DisableRegistryTools = 0x00000001

        to disable the Windows registry editors (Regedt32.exe and Regedit.exe)
         
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        • cquxLsYcws\system32\[filename of the sample #1] = "[file and pathname of the sample #1]"
        • XtuUbstpmnbsqnyc settings\%UserName%\local settings\temp\csrss.exe = "%Temp%\csrss.exe"
        • XtuUbstpmnbsqrgd settings\%UserName%\local settings\temp\smss.exe = "%Temp%\smss.exe"
        • XtuUbstpmnbsqotc settings\%UserName%\local settings\temp\hexdump.exe = "%Temp%\hexdump.exe"
        • XtuUbstpmnbsqrvc settings\%UserName%\local settings\temp\setup.exe = "%Temp%\setup.exe"

        so that [file and pathname of the sample #1] runs every time Windows starts
        so that csrss.exe runs every time Windows starts
        so that smss.exe runs every time Windows starts
        so that hexdump.exe runs every time Windows starts
        so that setup.exe runs every time Windows starts

d. Other details

  • The following port was open in the system:

Port Protocol Process
1058 TCP [file and pathname of the sample #1]

  • Attempts to establish connections with the following remote hosts were registered. The connection details are:

Remote Host Port Number
208.94.234.66 80
64.120.218.244 80
85.17.239.44 80

  • The data identified by the following URLs was then requested from the remote web server:

    • http://fixesmanual.info/wp-content/themes/blocked-10/style.css
    • http://fixesmanual.info/wp-content/themes/blocked-10/pic/bodybg.gif
    • http://personalift.com/search/search.php?track=el&qq=how+to+write+news+release
    • http://nupilo.com/rz/mn.php?ver=H1
    • http://nupilo.com/rz/report.php

     

3. How-to's

a. How to prevent Trojan-Downloader.Win32.Suurch.bwv?

Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will block it and ensure your network and business security.

b. How to Remove Trojan-Downloader.Win32.Suurch.bwv Manually?

Trojan-Downloader.Win32.Suurch.bwv cannot be removed manually. If your computer is infected with Trojan-Downloader.Win32.Suurch.bwv, we sincerely suggest removing it with an advanced tool.

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
