
Virus Detail

Win32/Satiloler.A

Date Published:
4 Oct 2006

Last Updated:
9 Nov 2006

Threat Assessment

Overall Risk:   Very Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  TSPY_BANKER.BBB (Trend), Win32/Satiloler!DLL!Trojan, Win32.Satiloler.A, PWS-Satiloler.a (McAfee), Trojan.Satiloler.B (Symantec), Trojan-Spy.Win32.Banker.alr (Kaspersky)

Immediate Protection Info

Signature       Product                                        Removal Instructions
12.4.2075       eTrust Antivirus v7/8*
23.71.48        eTrust Antivirus v7/8* (InoculateIT Engine)
6.x/9652        eTrust EZ Antivirus 6.x
7.x/2075        eTrust EZ Antivirus 7.x
12.4.2075       Vet 7
10.6x/9652      Vet Anti-Virus 10.6x

Description

Win32/Satiloler.A is a backdoor trojan that allows an attacker to collect information from a user's system.


Method of Infection

When executed, Satiloler.A checks whether it is running under the name "lsass.exe" or "userinit.exe". If it is running under neither name, it assumes it is executing for the first time and performs the following actions:


It copies the original Windows system file "userinit.exe" from %System%\userinit.exe to %Windows%\system\userinit.exe.


It disables Windows File Protection by patching %System%\sfc_os.dll and creating these registry entries:


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = 0xFFFFFF9D
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = 0x0000 


The trojan then copies itself to %System%\userinit.exe and %Program Files Common%\System\lsass.exe, and sets the following registry value to ensure it runs at each Windows start:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System = "%Program Files Common%\System\lsass.exe"


It also examines the registry key:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


and if any values inside the key contain "PROGRAM", "CTFMON" or "NVSTARTUP" in their names, the trojan attempts to set the values to blank. Satiloler.A also sets the value of the following registry entry to 'NULL':


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects


It modifies the following registry entries:


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = ""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\App_Init_DLLs = ""


Additionally, the trojan drops %System%\xvid.dll.


Satiloler creates the mutex "_Toolbar_Class_32". If, on execution, the trojan finds the mutex has already been created, it assumes it is a second copy running on the machine. It performs its usual installation, but also monitors the file size of %System%\userinit.exe. If the file size is changing, the trojan performs several additional processing steps before performing the installation steps listed above.


It terminates any process whose name contains one of the following strings and that is running under a specific security identifier:


USERINIT.EXE
CTFMON.EXE
LSASS.EXE



The trojan also looks in %System%\dllcache and %Windows%\System for the file "userinit.exe". If found, it copies the file to the %System% directory.


Lastly, the trojan attempts to delete %Windows%\System\userinit.exe and %Windows%\System\ctfmon.exe and creates a registry entry at:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "%System%\ctfmon.exe"


Notes:
- '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system. The default System directory is C:\Winnt\System32 on Windows 2000 and NT, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP. The default Windows directory is C:\Winnt on Windows 2000 and NT, C:\Windows on Windows 95, 98 and ME, and C:\Windows on Windows XP.
- %Program Files Common% is a variable location and refers to the folder that contains components shared across applications. It exists only on NT-based operating systems. The malware determines the location of the Program Files Common folder by querying the operating system. A typical location for this folder is C:\Program Files\Common.



Payload

Backdoor Functionality

Satiloler.A contains backdoor functionality that allows unauthorized access to an affected machine. The trojan loads "xvid.dll" and calls a function to hide its process from the Task Manager. It starts a thread to shut down McAfee antivirus if it is running on the affected machine. It also starts a thread to prevent Windows from displaying warning dialogs about system files being changed. The trojan then opens a backdoor on a random port higher than 1025. Once a connection is established, the trojan receives the address of a second port to open.


The trojan contacts the domain fiv.bestswf.com and runs a PHP script, supplying the server with system information it has collected from the affected machine. It saves the result to %System%\xvid.ini.


On systems other than Windows ME/98/95, the trojan may attempt to capture Hotmail and POP3 e-mail account information, such as passwords and usernames, from the registry. It also tries to find other sensitive system information that may be stored on the affected machine, for example:


  • MSN Explorer sign-up
  • Internet Explorer: password-protected sites
  • Internet Explorer auto complete fields
  • Auto complete passwords

The trojan saves any captured information to %System%\divx.ini.


Satiloler.A may set the following values to blank data:
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell


and attempt to delete C:\boot.ini.


Satiloler.A appears to expect directives from %System%\xvid.ini, and based on the contents of this file, may:


  • Kill specified running processes and delete certain keys from the registry
  • Log all currently running processes to %System%\divx.ini
  • Back-up the current registry
  • Delete the back-up registry files after logging their length to %System%\divx.ini
  • Contact a specified website and save the returned HTTP data to a temporary file with an ".exe" extension. It then attempts to start this process. After starting the process, it creates the following registry entry:

    HKCU\Software\ver = "<version>"

    where <version> is the "version" setting specified in "xvid.ini".
  • Log information to a particular website

Once it has completed its activities, the trojan may 'sleep' for a certain number of minutes (the default being 14) before executing the payload again. 


Modifies Security Settings

Satiloler.A modifies the Windows Firewall settings to add itself as an authorized application:


HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%System%\userinit.exe = "%System%\userinit.exe:*:Enabled:Userinit"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files Common%\System\lsass.exe = "%Program Files Common%\System\lsass.exe:*:Enabled:LSASS"


This effectively allows the trojan to bypass the firewall.
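To check a host for the registry changes listed in the Method of Infection, Payload and Modifies Security Settings sections (the SFCDisable/SFCScan values, blanked Winlogon entries, the Run entry for lsass.exe under the Common Files folder, and the two firewall exceptions), the following Python script is an added example; it is not part of CA's advisory or its products. It parses text in the .reg format that regedit and "reg export" produce and reports any matches. The export embedded in it is constructed for illustration, and the path C:\Program Files\Common Files stands in for %Program Files Common%.

```python
"""Check a Windows registry export (.reg text) for the registry changes
the Win32/Satiloler.A advisory describes: Windows File Protection
disabled via SFCDisable, a Run entry launching lsass.exe from a
...\System folder, blanked Winlogon values, and firewall exceptions for
userinit.exe and lsass.exe. Added example, not CA's tooling; the sample
export below is constructed for illustration."""
import re

# Constructed .reg export resembling an infected host. On a real host
# the text comes from "reg export <key> file.reg" for each key of interest.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
"SFCScan"=dword:00000000
"Userinit"=""
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\Program Files\\Common Files\\System\\lsass.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\userinit.exe"="C:\\WINDOWS\\system32\\userinit.exe:*:Enabled:Userinit"
"C:\\Program Files\\Common Files\\System\\lsass.exe"="C:\\Program Files\\Common Files\\System\\lsass.exe:*:Enabled:LSASS"
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
FW_LIST = (r"hklm\system\currentcontrolset\services\sharedaccess\parameters"
           r"\firewallpolicy\standardprofile\authorizedapplications\list")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Return {(key, value_name): data} with keys and names lower-cased.
    Handles the string and dword forms of a regedit export; other value
    types (hex:, multi-string) are skipped since none are needed here."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            for long_name, short in HIVES.items():
                if key.startswith(long_name):
                    key = short + key[len(long_name):]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        # .reg files double every backslash inside quoted names and strings.
        name, raw = m.group(1).replace("\\\\", "\\"), m.group(2)
        if raw.startswith("dword:"):
            data = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            data = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            continue
        values[(key.lower(), name.lower())] = data
    return values


def find_indicators(values):
    """Return human-readable findings; an empty list means no match."""
    hits = []
    if values.get((WINLOGON, "sfcdisable")) == 0xFFFFFF9D:
        hits.append("Winlogon\\SFCDisable = 0xFFFFFF9D (WFP disabled)")
        # SFCScan = 0 is a common default, so report it only as corroboration.
        if values.get((WINLOGON, "sfcscan")) == 0:
            hits.append("Winlogon\\SFCScan = 0")
    for name in ("userinit", "shell", "uihost"):
        if values.get((WINLOGON, name)) == "":
            hits.append(f"Winlogon\\{name} blanked")
    for (key, name), data in values.items():
        # The genuine lsass.exe lives in %System%; a Run entry launching it
        # from a ...\System folder matches the location the advisory names.
        if (key.endswith(r"\currentversion\run") and isinstance(data, str)
                and data.lower().endswith(r"\system\lsass.exe")):
            hits.append(f"Run\\{name} -> {data} (lsass.exe outside %System%)")
        # Neither userinit.exe nor lsass.exe needs a Windows Firewall exception.
        if key == FW_LIST and name.rsplit("\\", 1)[-1] in ("userinit.exe", "lsass.exe"):
            hits.append(f"Firewall exception for {name}")
    return hits


def scan_reg_text(text):
    """Parse a .reg export and return the findings for it."""
    return find_indicators(parse_reg(text))


if __name__ == "__main__":
    for hit in scan_reg_text(SAMPLE_REG):
        print("suspicious:", hit)
```

On a suspect host, export the Winlogon key, the HKCU and HKLM Run keys and the firewall AuthorizedApplications\List key with "reg export", concatenate the files and pass the text to scan_reg_text. The Run-entry check deliberately keys on the file name and folder rather than on the value name "System", because the value name is cheap for an author to change while the dropped file's location is what the rest of the advisory depends on.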


Analysis by Jonathan Thomas

