Description
Win32/Clagger is a family of trojans that download files onto the affected system and terminate security-related processes. The trojan has been distributed as an FSG-packed Win32 executable between 5000 and 6000 bytes in length.
Payload
Downloads and Executes Arbitrary Files
The trojan's primary function is to download and execute files (including additional malware) from a specific domain that is stored encrypted in the trojan's code. The domain differs between variants. Variants of this family reported to CA from the wild have used the following domains:
- kyee.com
- phpwebhosting.com
- towarders.com
- ukstories.net
- toocraft.biz
Files are downloaded to the %Windows% directory using the file names contained in the URL. Example file names include:
- connect.exe
- 1.exe
- snake.exe
- msupdate.exe
- 91.exe
- sev.exe
- 72.exe
Note: '%Windows%' is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default Windows directory is C:\Winnt for Windows 2000 and NT, C:\Windows for Windows 95, 98 and ME, and C:\Windows for Windows XP.
At the time of publishing, some of the files known to be downloaded by Clagger are detected as the following trojans by CA antivirus solutions:
- Win32/Uren.J
- Win32/Brospy.AB
- Win32/Sinteri!downloader
- Win32/Perfips.C
After downloading, Clagger runs a batch file that deletes the trojan's own executable.
Terminates Processes
The trojan terminates the following processes if they are running on the affected system:
- firewall.exe
- MpfService.exe
- zonealarm.exe
- NPROTECT.exe
- kpf4gui.exe
- atguard.exe
- tpfw.exe
- kpf4ss.exe
- zapro.exe
- outpost.exe
Modifies System Settings
The trojan adds its executable to the following registry entry so that the Windows Firewall treats it as an authorized application (an exception):
HKLM\system\currentControlset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list
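The two durable artefacts described above (executables dropped directly into %Windows% under the listed names, and an entry for the trojan in the Windows Firewall authorized-applications list) can be checked from an exported copy of that registry key. The following Python script is an added example, not CA's or the malware author's code: it parses a `reg export` of the List key (the key name is written in the long HKEY_LOCAL_MACHINE form that `reg export` emits; the sample export, the `example.exe` entry and the `C:\WINDOWS` directory are constructed for illustration), splits each value's `path:scope:state:description` data, and flags entries whose file name matches one the page lists or whose executable sits directly in the Windows directory rather than a subdirectory such as system32.

```python
import re
from pathlib import PureWindowsPath

# File names the page lists as downloaded by Clagger into %Windows%.
KNOWN_DROPPED_NAMES = {
    "connect.exe", "1.exe", "snake.exe", "msupdate.exe",
    "91.exe", "sev.exe", "72.exe",
}

# The registry key named on the page, in the form `reg export` writes it.
FIREWALL_LIST_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)

# Constructed sample of a `reg export` of that key (assumption: not taken
# from a real infected host). Backslashes are doubled, as in .reg files.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\snake.exe"="C:\\WINDOWS\\snake.exe:*:Enabled:snake"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:Remote Assistance"
"C:\\WINDOWS\\example.exe"="C:\\WINDOWS\\example.exe:*:Enabled:example"
"""

# One "name"="data" line of a .reg file; both sides may contain \\ and \" escapes.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_authorized_apps(reg_text, key=FIREWALL_LIST_KEY):
    """Return {path: {"scope", "state", "description"}} for values under `key`."""
    entries = {}
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != key.lower():
            continue
        match = VALUE_RE.match(line)
        if not match:
            continue
        path = _unescape(match.group("name"))
        data = _unescape(match.group("data"))
        # Data is "<path>:<scope>:<state>:<description>"; the path itself
        # contains a colon (drive letter), so strip it off by length first.
        rest = data[len(path):] if data.lower().startswith(path.lower()) else data
        fields = rest.lstrip(":").split(":", 2) + ["", "", ""]
        entries[path] = {
            "scope": fields[0],
            "state": fields[1],
            "description": fields[2],
        }
    return entries


def flag_suspicious(entries, windows_dir=r"C:\WINDOWS"):
    """Return [(path, [reasons])] for entries that match Clagger's footprint."""
    findings = []
    for path, info in entries.items():
        p = PureWindowsPath(path)
        reasons = []
        if p.name.lower() in KNOWN_DROPPED_NAMES:
            reasons.append("file name matches a name Clagger is known to drop")
        if str(p.parent).lower() == windows_dir.lower():
            reasons.append("executable sits directly in %Windows%")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    apps = parse_authorized_apps(SAMPLE_REG_EXPORT)
    for path, reasons in flag_suspicious(apps):
        print(f"{path} [{apps[path]['state']}]: " + "; ".join(reasons))
```

On a live system, replace SAMPLE_REG_EXPORT with the text produced by `reg export` of the key shown above; the "directly in %Windows%" heuristic is intentionally broad, so treat its hits as leads to triage (check file size, packer and hash) rather than as verdicts.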
Analysis by Amir Fouda