Type: Trojan
Category: Win32
Also known as: Win32.Chopenoz.G, Win32.Chopenoz.N, Win32.Chopenoz.U, Trojan-Downloader.Win32.CWS.gen (Kaspersky), Troj/Krepper-C (Sophos), Downloader-TB (McAfee)
Description
The Win32.Chopenoz family consists of downloader trojans that lower Microsoft Internet Explorer's security settings and alter other browser settings (start page, keyword-based redirection, trusted-site zone mappings) according to instructions they download from a remote site.
Method of Infection
When executed, Win32.Chopenoz usually copies itself to a sub-folder of the %System% folder (e.g. %System%\services\exploit.exe) and modifies the registry to ensure that this file is executed each time Windows is started. The following two entries are almost always used for this purpose:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<variable value name> = "<location of Chopenoz>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<variable value name> = "<location of Chopenoz>"
The value name (<variable value name>) is usually chosen to look like a Windows service. Examples of names currently in use are:
xpsystem
software
MSOffice
golumm
sysinit
Note: '%System%' is a variable location. The trojan determines the location of the current System folder by querying the operating system. The default location of the System directory is C:\Winnt\System32 for Windows NT and 2000; C:\Windows\System for Windows 95, 98 and ME; and C:\Windows\System32 for Windows XP.
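The following PowerShell triage script is an added example and is not part of the original analysis. It looks for the persistence pattern described above: Run values (in HKCU, HKLM and, on 64-bit Windows, the WOW6432Node view used by 32-bit processes) whose target executable sits in a sub-folder of %System%, or whose value name is one of the names listed on this page. %System% is resolved by asking the operating system, the same way the trojan does. The function names and the output fields are this example's own choices, not anything the trojan or the original write-up defines.

```powershell
# Added example (not from the original write-up): flag Run entries matching the
# Chopenoz persistence pattern. Function names and output shape are assumptions.

$KnownChopenozValueNames = @('xpsystem', 'software', 'MSOffice', 'golumm', 'sysinit')

# Resolve %System% the way the trojan does: query the OS rather than hard-coding a path.
$SystemDir = [Environment]::SystemDirectory

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    # 32-bit processes on 64-bit Windows write to the redirected view; Chopenoz is Win32.
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunValueExecutable {
    # Extract the executable path from Run data, which may be quoted and carry arguments.
    param([string]$Data)
    $d = $Data.Trim()
    if ($d.StartsWith('"')) {
        $end = $d.IndexOf('"', 1)
        if ($end -gt 1) { return $d.Substring(1, $end - 1) }
    }
    return ($d -split '\s+', 2)[0]
}

function Test-SubfolderOfSystem {
    # True when $Path is inside a sub-folder of %System%, not in %System% itself:
    # C:\Windows\System32\services\exploit.exe matches, C:\Windows\System32\svchost.exe does not.
    param([string]$Path)
    $prefix = $SystemDir.TrimEnd('\') + '\'
    if (-not $Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    $relative = $Path.Substring($prefix.Length)
    return ($relative -match '\\')
}

function Find-SuspiciousRunEntries {
    # Properties the registry provider adds to every Get-ItemProperty result; not real values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $exe = Get-RunValueExecutable -Data ([string]$prop.Value)
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $reasons = @()
            if (Test-SubfolderOfSystem -Path $exe) {
                $reasons += 'executable in a sub-folder of %System%'
            }
            # -contains is case-insensitive, so 'msoffice' also matches 'MSOffice'.
            if ($KnownChopenozValueNames -contains $prop.Name) {
                $reasons += 'value name matches a known Chopenoz name'
            }
            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    Key        = $key
                    ValueName  = $prop.Name
                    Executable = $exe
                    Exists     = ($exe -ne '' -and (Test-Path -LiteralPath $exe -PathType Leaf))
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

Find-SuspiciousRunEntries | Format-Table -AutoSize
```

A hit on the value-name list alone is weak evidence (legitimate software can use generic names such as "software"); the sub-folder-of-%System% condition is the stronger indicator, since nothing shipped with Windows registers a Run entry that way. An entry whose file no longer exists (Exists = False) is still worth recording, as the dropper may have been removed while the autorun was left behind.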
Payload
Modifies System Settings
Win32.Chopenoz creates the directory %System%\<variable directory>\, and downloads files to this directory from a remote domain. This domain changes between Chopenoz variants.
Filenames usually have the .ini extension as in the examples below:
crontab.ini
keywords.ini
titles.ini
Some variants also drop a DLL.
These downloaded files instruct the trojan which actions to perform. This may include adding or altering registry keys, downloading and executing files, and adding or altering keywords and titles to search for (further details below).
The trojan checks open Internet Explorer windows against the downloaded list of keywords and titles. If a keyword matches, the user is redirected to a site associated with that match.
The trojan usually stores keywords in the following registry entry:
HKCU\Software\Microsoft\Internet Explorer\Keywords
At the time of writing, the downloaded files instructed Chopenoz variants to perform the following registry alterations:
- Change the user's Internet Explorer Start page:
HKCU\Software\Microsoft\Internet Explorer\Main\Start page = "http://www.coolsearch.biz/"
- Lower the Internet Explorer security settings for the Internet zone (zone 3) by setting the following ActiveX policies to 0 (Enable; 1 is Prompt and 3 is Disable):
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001 = 0 (Download signed ActiveX controls)
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1004 = 0 (Download unsigned ActiveX controls)
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = 0 (Run ActiveX controls and plug-ins)
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1201 = 0 (Initialize and script ActiveX controls not marked as safe for scripting)
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1405 = 0 (Script ActiveX controls marked safe for scripting)
- Add sites to the Trusted sites zone by creating per-domain entries under these keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
- Allow for the addition of Browser Helper Objects in Internet Explorer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3} = 0
HKCU\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"
Note: This allows the trojan to register the DLLs it downloads as Browser Helper Objects, which then run inside Internet Explorer and can modify its settings.
While specific instructions that Win32.Chopenoz variants are given vary, the basic actions mentioned above are common to all current variants.
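The following PowerShell audit script is an added example and is not part of the original analysis. It reads back the Internet Explorer settings the downloaded .ini files instruct Chopenoz to change: the five Internet-zone (zone 3) ActiveX policies listed above, the start page, domains mapped into the Trusted sites zone (zone 2) under ZoneMap\Domains in both hives, the "Enable Browser Extensions" switch, and the registered Browser Helper Objects with their DLL paths. The CLSID it flags is the one given on this page; the per-policy defaults it compares against are the Internet zone's Medium-level defaults as this example assumes them (check against your own build), and the function names and output fields are this example's own choices.

```powershell
# Added example (not from the original write-up): audit the IE settings Chopenoz alters.
# Function names, output fields and the "default" column are this example's assumptions.

# URL action IDs from the page. Data: 0 = Enable, 1 = Prompt, 3 = Disable.
# DefaultMedium is the assumed Internet-zone default at the Medium level; note that
# 1200 and 1405 are Enable by default, so 0 there is only a finding alongside the others.
$ZonePolicies = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          DefaultMedium = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        DefaultMedium = 3 }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                         DefaultMedium = 0 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; DefaultMedium = 3 }
    '1405' = @{ Name = 'Script ActiveX controls marked safe for scripting';         DefaultMedium = 0 }
}
$KnownBhoClsid = '{5321E378-FFAD-4999-8C62-03CA8155F0B3}'   # CLSID given on the page

function Get-InternetZoneActiveXPolicies {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    if (-not (Test-Path -Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    foreach ($id in $ZonePolicies.Keys) {
        $value = $props.$id     # $null when the value is absent (per-user override not set)
        [PSCustomObject]@{
            Id           = $id
            Policy       = $ZonePolicies[$id].Name
            Value        = $value
            Enabled      = ($value -eq 0)
            BelowDefault = ($null -ne $value -and $value -lt $ZonePolicies[$id].DefaultMedium)
        }
    }
}

function Get-IeMainSettings {
    $main = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        StartPage               = $main.'Start Page'
        EnableBrowserExtensions = $main.'Enable Browser Extensions'
    }
}

function Get-TrustedZoneMappings {
    # ZoneMap\Domains\<domain>[\<host>] holds values named by scheme ('http', 'https', '*')
    # whose DWORD data is the zone number; 2 = Trusted sites.
    foreach ($hive in 'HKCU', 'HKLM') {
        $root = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($k in Get-ChildItem -Path $root -Recurse) {
            foreach ($scheme in $k.GetValueNames()) {
                if ($k.GetValue($scheme) -eq 2) {
                    [PSCustomObject]@{
                        Hive   = $hive
                        Domain = $k.PSPath.Substring($k.PSPath.IndexOf('Domains\') + 8)
                        Scheme = $scheme
                    }
                }
            }
        }
    }
}

function Get-BrowserHelperObjects {
    $bhoKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path -Path $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem -Path $bhoKey) {
            $clsid = $entry.PSChildName
            # Resolve the CLSID to its DLL; 32-bit classes on 64-bit Windows live under WOW6432Node.
            $dll = $null
            foreach ($clsRoot in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
                $srv = Get-ItemProperty -Path "$clsRoot\$clsid\InprocServer32" -ErrorAction SilentlyContinue
                if ($srv) { $dll = $srv.'(default)'; break }
            }
            [PSCustomObject]@{
                Clsid         = $clsid
                Dll           = $dll
                KnownChopenoz = ($clsid -eq $KnownBhoClsid)
            }
        }
    }
}

Get-IeMainSettings | Format-List
Get-InternetZoneActiveXPolicies | Format-Table -AutoSize
Get-TrustedZoneMappings | Format-Table -AutoSize
Get-BrowserHelperObjects | Format-Table -AutoSize
```

Read the results together rather than in isolation: an unexpected start page, all five policies at 0, unfamiliar domains in the Trusted zone and a BHO whose DLL lives in a sub-folder of %System% is the combination this page describes, whereas any single one of them can have an innocent explanation. Per-user zone settings in HKCU can also be overridden by the HKLM Security_HKLM_only policy, so on managed machines compare against the hive that is actually in force.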
Analysis by Paul Taylor