How to Prevent and Remove the Trojan-Dropper.Win32.FrauDrop.buw
| # | Filename(s) | File Size |
| 1 | %CommonAppData%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_a7bcc1a4-f7a4-4502-8650-8579e607f7f7 | 47 bytes |
| 2 | %System%\drivers\tbesostrq.sys | 754,688 bytes |
| 3 | [file and pathname of the sample #1] | 26,112 bytes |
| 4 | %Windir%\Temp\110beecdb3dc0251a044f2d0.tmp | 71,186 bytes |
| 5 | %Windir%\Temp\Temporary Internet Files\Content.IE5\0P23S5UJ\desktop.ini | 67 bytes |
| 6 | %Windir%\Temp\Temporary Internet Files\Content.IE5\8PYFO9UB\desktop.ini | 67 bytes |
| 7 | %Windir%\Temp\Temporary Internet Files\Content.IE5\desktop.ini | 67 bytes |
| 8 | %Windir%\Temp\Temporary Internet Files\Content.IE5\GPIB096R\desktop.ini | 67 bytes |
| 9 | %Windir%\Temp\Temporary Internet Files\Content.IE5\SDQBCHM7\desktop.ini | 67 bytes |
| 10 | %Windir%\Temp\Temporary Internet Files\Content.IE5\index.dat | 32,768 bytes |
- Notes:
- %CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- S-1-5-18 in the RSA key-container path is the SID of the LocalSystem account, and %Windir%\Temp\Temporary Internet Files is where WinINet keeps its cache for code running as LocalSystem. Together with the ProxyEnable value written under HKEY_USERS\.DEFAULT (section c), this indicates that the component that requested the URLs in section d ran with LocalSystem privileges rather than as the logged-on user.
- The following directories were created:
- %Windir%\Temp\Cookies
- %Windir%\Temp\History
- %Windir%\Temp\History\History.IE5
- %Windir%\Temp\Temporary Internet Files
- %Windir%\Temp\Temporary Internet Files\Content.IE5
- %Windir%\Temp\Temporary Internet Files\Content.IE5\0P23S5UJ
- %Windir%\Temp\Temporary Internet Files\Content.IE5\8PYFO9UB
- %Windir%\Temp\Temporary Internet Files\Content.IE5\GPIB096R
- %Windir%\Temp\Temporary Internet Files\Content.IE5\SDQBCHM7
b. Memory Modifications

The following new processes were created in the system:
| Process Name | Process Filename | Main Module Size |
| autofmtpl.exe | %System%\autofmtpl.exe | 49,152 bytes |
| autoplayfi.exe | %System%\autoplayfi.exe | 118,784 bytes |
| autochkju.exe | %System%\autochkju.exe | 86,016 bytes |
| [filename of the sample #1] | [file and pathname of the sample #1] | 24,576 bytes |
c. Registry Modifications

The following registry keys were created or modified:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TBESOSTRQ
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TBESOSTRQ\0000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tbesostrq
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TBESOSTRQ
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TBESOSTRQ\0000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tbesostrq
- The newly created registry values are listed below. Note that the tbesostrq service has Type = 1 (SERVICE_KERNEL_DRIVER) and Start = 0 (SERVICE_BOOT_START) in the "Boot Bus Extender" group: %System%\drivers\tbesostrq.sys is therefore loaded by the boot loader before the rest of the kernel's services and before any security product starts, and it cannot be unloaded from a running system. The randomly named values (qymkhs, gvvNc, q5ib0qE3, as8xy2, mfnnlyhwadpjha) hold opaque binary data written by the dropper; the two long values are shown truncated.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network]
- mfnnlyhwadpjha = 94 7A 9E 77 99 8D 13 E3 83 14 C8 A1 5B 16 51 5B 2A A8 23 43 D7 72 5E B9 26 2B 74 28 CD 0F 96 58 EF E4 2D 42 B1 C1 AC E7 D9 B4 2D 6E 0A 8D F1 EB 2D 52 CB 30 68 77 E4 EE AC 83 E2 84 6A 71 CC 77 5F 2A CC C3 9B CE C5 18 AB 38 5E DF DF DA 52 76 C5 E7 E3 4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TBESOSTRQ\0000]
- Service = "tbesostrq"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "tbesostrq"
- Capabilities = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TBESOSTRQ]
- NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tbesostrq]
- qymkhs = 0x16654513
- Type = 0x00000001
- Start = 0x00000000
- ErrorControl = 0x00000000
- Group = "Boot Bus Extender"
- gvvNc = 44 00 44 65 AC CA 60 F3
- q5ib0qE3 = 1B A2 69 5C F0 D9 C4 4F 39 EA 99 A0 15 66 53 C2 84 50 D6 2F 3B 5C F7 6F 23 AA 38 68 67 27 26 BE 53 1B 6E 83 F8 12 81 90 A3 6E 31 D7 51 5A BD 52 10 4C C9 E9 B0 B0 A1 BB F5 B4 8B 63 08 53 B5 3D A6 03 79 F0 70 1B 40 04 A2 46 06 3B D6 71 CE 3A 7B 73 6D 4
- as8xy2 = 03 33 35 21

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TBESOSTRQ\0000]
- Service = "tbesostrq"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "tbesostrq"
- Capabilities = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TBESOSTRQ]
- NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tbesostrq]
- qymkhs = 0x16654513
- Type = 0x00000001
- Start = 0x00000000
- ErrorControl = 0x00000000
- Group = "Boot Bus Extender"
- gvvNc = 44 00 44 65 AC CA 60 F3
- q5ib0qE3 = 1B A2 69 5C F0 D9 C4 4F 39 EA 99 A0 15 66 53 C2 84 50 D6 2F 3B 5C F7 6F 23 AA 38 68 67 27 26 BE 53 1B 6E 83 F8 12 81 90 A3 6E 31 D7 51 5A BD 52 10 4C C9 E9 B0 B0 A1 BB F5 B4 8B 63 08 53 B5 3D A6 03 79 F0 70 1B 40 04 A2 46 06 3B D6 71 CE 3A 7B 73 6D 4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- ProxyEnable = 0x00000000
d. Other details

The sample attempted to establish connections to the following remote hosts:
| Remote Host | Port Number |
| 195.2.252.247 | 80 |
| 204.45.118.202 | 80 |
| 69.197.158.250 | 80 |
The following URLs were then requested from these web servers (the random PHP names under /timuo/ and the single-word endpoints under /23/ are the parts worth matching on in proxy logs):
- http://aebrook.com/timuo/ultamgbih.php?adv=adv600
- http://aebrook.com/timuo/iztbjhowu.php?adv=adv600
- http://aebrook.com/timuo/sjnlgn.php?adv=adv600
- http://aebrook.com/timuo/zptfzubjhp.php?adv=adv600&code1=KNOC&code2=6104&id=13441600&p=1&b=1
- http://aebrook.com/timuo/ocwrykrz.php?id=13441600&p=1
- http://204.45.118.202/23/lok
- http://204.45.118.202/23/iok
- http://204.45.118.202/23/run
- http://204.45.118.202/23/aok
- http://204.45.118.202/23/exc
- http://69.197.158.250/jwyydjnmbne.rar
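As an added example that is not part of the original report, the following PowerShell scans web-proxy access-log lines for the hosts and URL shapes listed above. It assumes Squid's native access-log layout (the URL is the seventh whitespace-separated field, the client address the third); the sample records, their timestamps and the 10.0.0.x client addresses are constructed for this example, and the function names and regular expressions are this example's own generalization of the listed URLs (any `/timuo/<name>.php?adv=adv600` or `?id=...&p=...` request, any `/23/<command>` request, and `.rar` downloads from a listed host).

```powershell
# Added example (not from the original report): flag web-proxy log lines that
# match the FrauDrop.buw hosts and URL shapes from section d.
# Assumes Squid's native access-log layout, where the URL is the seventh
# whitespace-separated field and the client address is the third.

$C2Hosts = @('195.2.252.247', '204.45.118.202', '69.197.158.250', 'aebrook.com')

# Generalised from the listed URLs: the random PHP names vary, the query
# shapes and the /23/<command> endpoints do not. '.rar' alone is too weak to
# alert on, so it only counts together with a known host.
$UrlPatterns = @(
    @{ Name = 'timuo-adv';   Regex = '^/timuo/[a-z]+\.php\?adv=adv600';   Strong = $true  },
    @{ Name = 'timuo-id';    Regex = '^/timuo/[a-z]+\.php\?id=\d+&p=\d+'; Strong = $true  },
    @{ Name = 'cmd-23';      Regex = '^/23/(lok|iok|run|aok|exc)$';        Strong = $true  },
    @{ Name = 'rar-payload'; Regex = '\.rar$';                             Strong = $false }
)

function Test-FrauDropUrl {
    param([Parameter(Mandatory = $true)][string]$Url)
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $null }
    $knownHost = $C2Hosts -contains $uri.Host
    $matched   = @($UrlPatterns | Where-Object { $uri.PathAndQuery -match $_.Regex })
    $strong    = @($matched | Where-Object { $_.Strong })
    if ($knownHost -or $strong.Count -gt 0) {
        [pscustomobject]@{
            Url         = $Url
            Host        = $uri.Host
            KnownC2Host = $knownHost
            Patterns    = (($matched | ForEach-Object { $_.Name }) -join ',')
        }
    }
}

function Find-FrauDropBeacons {
    param([Parameter(Mandatory = $true)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 7) { continue }          # not a Squid-style record
        $hit = Test-FrauDropUrl -Url $f[6]
        if ($hit) { $hit | Add-Member -NotePropertyName Client -NotePropertyValue $f[2] -PassThru }
    }
}

# Constructed sample records (timestamps and 10.0.0.x clients are made up);
# the URLs are three of those listed in section d plus one benign request.
$SampleLog = @'
1276000001.123    312 10.0.0.15 TCP_MISS/200  1450 GET http://aebrook.com/timuo/ultamgbih.php?adv=adv600 - DIRECT/195.2.252.247 text/html
1276000002.456     88 10.0.0.15 TCP_MISS/200   512 GET http://204.45.118.202/23/run - DIRECT/204.45.118.202 text/plain
1276000003.789   2041 10.0.0.15 TCP_MISS/200 71186 GET http://69.197.158.250/jwyydjnmbne.rar - DIRECT/69.197.158.250 application/octet-stream
1276000004.000    120 10.0.0.22 TCP_HIT/200    9876 GET http://www.example.com/index.html - NONE/- text/html
'@ -split "`r?`n"

Find-FrauDropBeacons -LogLines $SampleLog | Format-Table -AutoSize
```

Run against a real log with `Find-FrauDropBeacons -LogLines (Get-Content access.log)`. The first three sample records are reported (the third only because 69.197.158.250 is a listed host), the fourth is not. The IP addresses in this report are of limited value years after the fact, so the URL shapes carry most of the detection weight; tune the patterns rather than the host list when adapting this to a different sample.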
3. How-to's
a. How to prevent the Trojan-Dropper.Win32.FrauDrop.buw?
Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of this trojan, it will break the connection and help secure your network and business.
b. How to Remove the Trojan-Dropper.Win32.FrauDrop.buw Manually?
1. Remove the registry entries created by Trojan-Dropper.Win32.FrauDrop.buw.
The entries observed for this sample are the driver service and its legacy device node listed in section c:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tbesostrq
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tbesostrq
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TBESOSTRQ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TBESOSTRQ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network (value mfnnlyhwadpjha)
Because tbesostrq.sys is a boot-start kernel driver, delete the service (or set its Start value to 4, SERVICE_DISABLED) and reboot before removing the file; while the driver is loaded the file and keys may be locked or hidden. The LEGACY_TBESOSTRQ keys are removed automatically once the service is gone and the machine has rebooted.
The following autostart locations may also have been modified by Trojan-Dropper.Win32.FrauDrop.buw and should be checked for references to the files below:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value Startup = "C:\windows\start menu\programs\startup"
2. Remove all the files associated with Trojan-Dropper.Win32.FrauDrop.buw.
The files observed for this sample are %System%\drivers\tbesostrq.sys, %System%\autofmtpl.exe, %System%\autoplayfi.exe and %System%\autochkju.exe (sections a and b), plus the temporary files dropped under %Windir%\Temp. More generally, related files may be located under:
C:\Documents and Settings
C:\WINDOWS\
C:\Documents and Settings\All Users\Application Data\
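The two steps above, as an added PowerShell example that is not part of the original report: it audits a host for the artifacts listed in sections a to c and, with `Remove-FrauDropArtifacts`, performs the removal in the order the driver requires. It must be run from an elevated PowerShell and assumes PowerShell 4.0 or later (for Get-FileHash). The indicator names and paths come from the report; the function names, the -WhatIf handling and the scan of the Run keys for the dropped image names are this example's own additions.

```powershell
# Added example (not from the original report): audit a host for the artifacts
# listed in sections a-c and, with Remove-FrauDropArtifacts, clean them up.
# Run from an elevated PowerShell; assumes PowerShell 4.0 or later (Get-FileHash).
# Indicator names and paths come from the report; the function names, the
# WhatIf handling and the Run-key scan are this example's own additions.

$ServiceName = 'tbesostrq'
$DriverPath  = Join-Path $env:SystemRoot 'System32\drivers\tbesostrq.sys'
$DroppedExes = @('autofmtpl.exe', 'autoplayfi.exe', 'autochkju.exe') |
    ForEach-Object { Join-Path $env:SystemRoot ('System32\' + $_) }
$ControlSets = @('ControlSet001', 'ControlSet002', 'CurrentControlSet')
$RunKeys     = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')

function New-Finding([string]$Kind, [string]$Path, [string]$Detail) {
    [pscustomobject]@{ Kind = $Kind; Path = $Path; Detail = $Detail }
}

function Get-FrauDropArtifacts {
    foreach ($cs in $ControlSets) {
        $svcKey = "HKLM:\SYSTEM\$cs\Services\$ServiceName"
        if (Test-Path -LiteralPath $svcKey) {
            $p = Get-ItemProperty -LiteralPath $svcKey
            # Type 1 = SERVICE_KERNEL_DRIVER, Start 0 = SERVICE_BOOT_START.
            New-Finding 'ServiceKey' $svcKey "Type=$($p.Type) Start=$($p.Start) Group=$($p.Group)"
        }
        $legacyKey = "HKLM:\SYSTEM\$cs\Enum\Root\LEGACY_$($ServiceName.ToUpper())"
        if (Test-Path -LiteralPath $legacyKey) { New-Finding 'LegacyDeviceKey' $legacyKey '' }
    }
    foreach ($file in (@($DriverPath) + $DroppedExes)) {
        if (Test-Path -LiteralPath $file) {
            $size = (Get-Item -LiteralPath $file -Force).Length
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            New-Finding 'File' $file "Size=$size SHA256=$hash"
        }
    }
    # The report lists the Run keys only as places this family may touch, so
    # scan them for the dropped image names rather than assuming a value name.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
            if ([string]$prop.Value -match 'autofmtpl|autoplayfi|autochkju|tbesostrq') {
                New-Finding 'RunValue' "$key\$($prop.Name)" ([string]$prop.Value)
            }
        }
    }
}

function Remove-FrauDropArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # 1. User-mode droppings: stop the processes from section b, delete the images.
    foreach ($exe in $DroppedExes) {
        $name = [IO.Path]::GetFileNameWithoutExtension($exe)
        Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
        if (Test-Path -LiteralPath $exe) { Remove-Item -LiteralPath $exe -Force }
    }
    # 2. The driver is boot-start and cannot be unloaded from a running system:
    #    disable it (Start = 4) and mark the service for deletion, which takes
    #    effect at the next boot. The LEGACY_* device keys are ACL-protected and
    #    are removed by Plug and Play once the service is gone, so leave them.
    foreach ($cs in $ControlSets) {
        $svcKey = "HKLM:\SYSTEM\$cs\Services\$ServiceName"
        if ((Test-Path -LiteralPath $svcKey) -and $PSCmdlet.ShouldProcess($svcKey, 'Set Start=4')) {
            Set-ItemProperty -LiteralPath $svcKey -Name Start -Value 4 -Type DWord
        }
        # Listed under ControlSet001\Control\Network in section c; harmless elsewhere.
        Remove-ItemProperty -LiteralPath "HKLM:\SYSTEM\$cs\Control\Network" `
            -Name 'mfnnlyhwadpjha' -ErrorAction SilentlyContinue
    }
    if ($PSCmdlet.ShouldProcess($ServiceName, 'sc.exe delete')) { & sc.exe delete $ServiceName | Out-Null }
    # 3. The .sys file is usually locked until the driver is no longer loaded.
    if (Test-Path -LiteralPath $DriverPath) { Remove-Item -LiteralPath $DriverPath -Force -ErrorAction Continue }
    Write-Warning 'Reboot, then run Get-FrauDropArtifacts again; delete tbesostrq.sys if it is still present.'
}

Get-FrauDropArtifacts | Format-Table -AutoSize
# Remove-FrauDropArtifacts -WhatIf   # dry run; drop -WhatIf to clean up, then reboot
```

A kernel driver loaded at boot can hide its own service key and file from everything running on top of it, so a clean result from `Get-FrauDropArtifacts` on a host that still produces the section d traffic is not proof of absence. In that case boot from clean media (for example WinPE), load the offline hive with `reg load HKLM\Offline X:\Windows\System32\config\SYSTEM` (the drive letter is an assumption) and look for `HKLM\Offline\ControlSet001\Services\tbesostrq` and the driver file there, where the rootkit is not running.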
c. How to Remove these trojans Instantly?
Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.
4. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm