Method of Infection
When executed, Win32/Eldycow variants attempt to turn off Windows File Protection in order to create the following malicious files:
%System%\drivers\beep.sys
%System%\dllcache\beep.sys
The system is then made to reboot, enabling "beep.sys" to execute on system start.
On reboot, Win32/Eldycow creates the following files:
%Windows%\medichi.exe
%Windows%\medichi2.exe
%Windows%\murka.dat
%System%\user32.dat
Some variants may also infect files. For example, Win32/Eldycow.P infects any .exe files listed under the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The trojan then patches the listed .exe files so that "user32.dat" is executed on system startup.
Win32/Eldycow variants modify the following registry entries to execute themselves on system load:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Medichi = "medichi.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Medichi2 = "medichi2.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "murka.dat"
Note: %System% and %Windows% are variable locations. The malware determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP and Vista it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP and Vista it is C:\Windows.
Payload
Terminates Processes
Win32/Eldycow variants terminate the following processes if they are running on the system:
!update.exe 180ax.exe 180sa.exe 1clickspyclean.exe a.exe a2antidialer.exe a2pr.exe aaupdt.exe aawservice.exe aceclubcasino.exe acefilesearch.exe aceziprun.exe actalert.exe activenetworkmonitor.exe adaware.exe adaway.exe adgold.exe admagic.exe ad-purgedemo.exe adsalert.exe adscleaner.exe adwarebazooka.exe adwaredeluxe.exe adwarepatrol.exe adwarepunisher.exe adwarespy4.exe adwin.exe agentspyware.exe agseiapp.exe aguarddogsuitent.exe akl.exe akv.exe alchem.exe alertspy.exe alevir.exe alfacleaner.exe alhlp.exe alogcfg.exe alsys.exe, answers.exe antispam.exe antispysoldier.exe antivirusgolden.exe apc_admin.exe app.exe aps.exe armor2net.exe as100.exe ashdisp.exe ashmaisv.exe ashserv.exe ashwebsv.exe aso.exe aswupdsv.exe atlantis.exe atmclk.exe autoupdaterun.exe avgagent.exe avgemc.exe avkbar.exe avp.exe avpcc.exe avpm.exe avsched32.exe avz.exe baigoo.exe bargains.exe barman.exe bazookabar.exe bbchk.exe bdmcon.exe bdss.exe bearshare.exe beta.exe beyondremotefull.exe bfk.exe block-checker.exe bpk.exe bpsdatashredder.exe bpspopupshld.exe bravesentry.exe cavrid.exe cavtray.exe ccapp.exe ccevtmgr.exe ccimscan.exe cclaw.exe cclgview.exe ccpxysvc.exe cfgwiz.exe clamservice.exe combofix.exe comboxfix.exe cpd.exe cpf.exe crypserv.exe cureit.exe dfw.exe dllhost32.exe dsentry.exe ebatesmoemoneymaker.exe edonkey2000.exe eitcwd.exe ers.exe escorcher.exe etdscanner.exe ethscout.exe etmp.exe eww.exe eyetidecontroller.exe farsighter.exe fatbuster.exe fdd.exe ferret.exe fie5344.exe firewalker.exe flobospywareclean.exe forbesalerts.exe fpavupdm.exe freedom.exe freeprodtb.exe froggiescandemo.exe fs30.exe fsav32.exe fsbl.exe f-sched.exe fsdfwd.exe fservice.exe fsm32.exe f-stopw.exe ftviewer.exe fvprotect.exe fwnet64.exe gcasdtserv.exe gcasserv.exe geowhere.2.61.lite.exe gestionnaireantidote.exe getbymail.exe givemetoo.exe gnucleus.exe goodbyespy.exe grabburn.exe guard.exe gv.exe hackmon.exe hbtoeaddon.exe hidownload.exe hijackthis.exe hijackthis_v2.exe hitvirus.exe hwpe2.exe iao.exe 
icmon.exe iewatch20.exe inetupd.exe install.exe internetspy.exe intrakey.exe irsetup.exe isafe.exe
isamini.exe isamonitor.exe isass.exe isclean.exe ishost.exe ismini.exe isnotify.exe issearch.exe issvc.exe itbill.exe itunesmusic.exe iwnvod.exe jimmysurf.exe justremoteitserver.exe kav.exe kavss.exe kavsvc.exe keylogger.exe keylover21.exe killandclean.exe klpf.exe klswd.exe kpf4ss.exe little_helper2.exe livesrv.exe loggerconfigurator.exe lsasrv.exe lsass32.exe magiclink.exe magplayer.exe mailskinner.exe main.exe mainwnd.exe malscr.exe malswep.exe malwaredestroyer.exe malwhere.exe mathchk.exe mcagent.exe mcshield.exe mctskshd.exe memorywatcher.exe mns.exe mobmasher.exe moni.exe monifree.exe mp3galaxy.exe mppoker.exe mscornet.exe msecag.exe msgsys.exe mshutdown.exe msls32.exe msnsniffer.exe mssearchnet.exe msssrv.exe multipl.exe mwsoemon.exe myvideodaily2.exe navapp.exe navstub.exe navw32.exe netctl.exe netpumperieproxy.exe netzip.exe nisum.exe njexplor.exe nlsupervisorpro.exe no32mon.exe nod32krn.exe nod32ra.exe nortonupdate.exe nsmdtr.exe nstask32.exe nvctrl.exe oemjishare.exe ofcdog.exe optimize.exe outpost.exe overseer.exe overspy.exe p2pnetworking.exe pavfnsvr.exe pbcpl.exe pboptions.exe pcacmes.exe pcagent.exe pcbusted.exe pcorion.exe pcps.exe pcscanner.exe pcsmokinggun2.exe pctptt.exe pcwatch.exe penguinpanic.exe personalmoneytree.exe pesttrap.exe pestwiper.exe picx.exe pkviewer.exe plook.exe pmmon.exe pmsngr.exe pmuninst.exe powerscan.exe ppmemcheck.exe ppsys.exe ppv5.exe precisiontime.exe prevxcsi1104.exe privacycrusaderdemo.exe privatemailreader.exe procalert.exe pronto.exe prt.exe psfree.exe pxckdla.exe qconsole.exe qpanel.exe rasautou.exe razespyware.exe rcpadmin.exe recorder.exe regbar.exe regclean32.exe registrycare.exe registryfix.exe registrysweeper.exe regresc.exe remedyantispy.exe removeit.exe repsvc.exe rfmanager.exe rpcsetup.exe rtvscan.exe runbackgammon.exe runbingo.exe safewebsurfer.exe sandboxieserver.exe sar.exe savemywork.exe savscan.exe sb32mon.exe sbserv.exe sbsse.exe scan&repair2006.exe scanner.exe scanregw.exe scrabble.exe sd2006.exe 
sdupdate.exe seccon.exe secretspy.exe securityiguard.exe seestat.exe serv.exe service.exe service32.exe sgfwsvc.exe
showbar.exe showbehind.exe sidefind.exe sk60.exe skin2000.exe sks32proc.exe slimshield.exe slman.exe smileysource.exe smitfraudfix.exe smoke.exe smpcpro.exe smss32bk.exe snackman.exe sndsrvc.exe snoop.exe snowballwars.exe sp_rsser.exe sp0.exe spamihilator.exe spampal.exe spbbcsvc.exe spedia.exe spyaol.exe spybot.exe spybotsd.exe spybro.exe spycl4.exe spycleanergold.exe spycleanerplatinum.exe spyfighter.exe spygraphica.exe spyheal.exe spyhunter.exe spyiblock.exe spyinator.exe spykiller.exe spylax.exe spymon.exe spyonthis.exe spypry.exe spyreaperprodemo.exe spyrem.exe spyshield.exe spysniper.exe spyspotter.exe spysub.exe spytector.exe spytrooper.exe spyviperprodemo.exe spyware_annihilator.exe spywarebot.exe spywaredetector.exe spywaredisinfector.exe spywarequake.exe spywareremovalwizard.exe spywareremover.exe spywareslayer.exe spywarestormer.exe ssdemo.exe sservice.exe ssk.exe ssp.exe sss.exe staffcop.exe stardialer.exe startpoker.exe stinger.exe stmonitor.exe story.exe sunshinebingo.exe superantispywarepro.exe surfkeeper.exe sv.exe svcmon.exe swatcher.exe swdoctor.exe swnxt.exe symwsc.exe syscfg32.exe sysd.exe sysformat.exe syslog.exe syslogin.exe sysmgr32.exe sysmgr64.exe system.exe taskdir.exe tasker.exe titanshield.exe tmoagent.exe toolkeylogger.exe topsearch.exe tpcl.exe truedownloader.exe trustcleaner.exe ttbsetup.exe tvs_b.exe twab5.exe u88.exe udc2006.exe uert.exe ultrakeyboard.exe unspypc.exe updsvc.exe userinit32.exe usrprmpt.exe usyp.exe utviewer.exe vcatch.exe vetmsg.exe vetmsg9x.exe vettray.exe view.exe viewer.exe virtuescope.exe virusrescue.exe vptray.exe was6.exe wcantispy.exe weather.exe webrebates.exe websnitch.exe wfdmgr.exe whspeedrank.exe wicleaner.exe win16dll.exe windll.exe winlogin.exe winlogons.exe winlogonsys.exe winpass.exe winsl.exe winsrv32.exe wmsmod32.exe wnames.exe wnetmgr.exe words.exe worldantispy.exe wrclock.exe ws.exe wslogger.exe wsmdi.exe wtrtrial.exe wupdt.exe xcommsvr.exe x-conspywaredestroyer.exe xfr.exe xolox.exe 
xp-antispy.exe xspyware.exe zango.exe zangoastrology.exe zangotvtimes.exe zapspot.exe zclient.exe zcodec.exe zcomservice.exe zilla.exe zipitfast.exe
Displays False Warnings and Downloads Files
Win32/Eldycow displays a fake security alert dialog box like the one shown below:

If the user selects "Yes", the trojan directs them to a location on the gomyhit.com domain and downloads additional files to the system, some of which may be potentially unwanted.
The text of the alert is customized based on the operating system's language settings. Possible languages are shown below.
-----------------------------------------------------------------------------
Your computer is infected!
Windows has detected spyware infection!
It is recomended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you.
Click here to protect your computer from spyware!'
-----------------------------------------------------------------------------
Windows Security Alert
Warning! Potential Spyware Operation!
Your computer is making unauthorized copies of your system and
Internet files. Run full scan now to prevent any unathorised access to your files!
Click here to download Spyware Remover ...
-----------------------------------------------------------------------------
Windows Sicherheit Alarm
Warnend! Moglicher Spyware Betrieb! Ihr Computer erstellt nicht autorisierte Kopien von Ihrem System und von Internet-Akten. Voller Scan des Durchlaufes jetzt zu pervent irgendwelche unathorised Zugang zu Ihren Akten! Klicken Sie hier, um Spyware Remover zu downloaden...
-----------------------------------------------------------------------------
Alerta de Segurança Windows
Alerta! Potencial operaçao de Spyware!
Seu computador está fazendo cópias nao autorizadas de seusistema e arquivos de Internet! Faça agora uma varredura para prevenir ocorrência de acesso nao autorizado aos seus arquivos.
Clique aqui para baixar o removedor do spyware...
-----------------------------------------------------------------------------
Il vostro computer e' infetto!
Windows ha individuato un infezione spyware!
Si raccomanda di usare un software speciale antispyware per prevenire la perdita dei dati. Windows scarichera oraed installera il software antispyware piu aggiornato.
Clicca qui per proteggere il tuo computer da spywares!
-----------------------------------------------------------------------------
Allarme Sicurezza Windows
Attenzione! Potenziale Spyware!
Il vostro computer sta facendo copie non autorizzate del vostro sistema e files internet. Avviate la scansione completa per prevenire accesso non autorizzato ai vostri files! Cliccate qui per scaricare lo spyware remover...
-----------------------------------------------------------------------------
Alerte De Securite De Windows
Avertissant ! Operation Potentielle De Spyware !
Votre ordinateur est um train de faire copies non autorisees de votre systeme et dossiers d Internet. Course le scan maintenant pour empecher l'acces non autorise a vos dossiers!
Cliquez ici pour charger le solvant de spyware...
-----------------------------------------------------------------------------
Alarma De Seguridad De Windows
¡Advirtiendo: potencial operación de Spyware!
Su computadora está haciendo copias no autorizadas de su sistema y archivos de Internet. ¡Corra ahora el scan del funcionamiento para prevenir cualquier accesso no autorizado a sus archivos!
¡Clic aquí para descargar el removedor del spyware!...
-----------------------------------------------------------------------------
The trojan also sets this registry entry to allow the fake security alerts to appear on screen:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips = 0x00000001
Win32/Eldycow then attempts to access the IP address 81.13.38.39 to download and execute further files.
Modifies System Settings
Win32/Eldycow variants modify the following registry entries in order to lower the user's Internet security settings:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\01208 = 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\02500 = 0x00000003
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\11208 = 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\12500 = 0x00000003
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\21208 = 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\22500 = 0x00000003
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\31208 = 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\32500 = 0x00000003
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\41208 = 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\42500 = 0x00000003
It also changes Internet Explorer's default start and search settings to point to www.google.com:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.google.com/ie"
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"
HKLM\SOFTWARE\Classes\http\shell\open\command = ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
HKLM\SOFTWARE\Classes\https\shell\open\command = ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
Some variants may also set the following registry entries:
HKLM\SOFTWARE\Classes\.shtml = "htmlfile"
HKLM\SOFTWARE\Classes\.htm = "htmlfile"
HKLM\SOFTWARE\Classes\.html = "htmlfile"
HKLM\SOFTWARE\Classes\.xht = "htmlfile"
HKLM\SOFTWARE\Classes\.xhtml = "htmlfile"
Additionally, Eldycow disables the system Registry Editor and Task Manager:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools = 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr = 0x00000001
It also disables the Control Panel and Windows Update:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWindowsUpdate = 0x00000001
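The following read-only PowerShell triage check is an added example, not part of the original entry, that looks for the persistence artifacts listed under Method of Infection (dropped files, the Medichi Run values and the AppInit_DLLs entry) together with the policy lockouts listed under Modifies System Settings. Paths and value names come from the description above; the function name Get-EldycowFindings and the table layout are this example's own assumptions.

```powershell
# Added example, not from the original entry: a read-only triage check for the
# Win32/Eldycow artifacts listed above. Paths and value names are taken from the
# description; the function name and table layout are this example's own.
$sys = [Environment]::SystemDirectory   # %System%
$win = $env:SystemRoot                  # %Windows%

# Files the description says are created after the reboot.
$files = @(
    (Join-Path $win 'medichi.exe'), (Join-Path $win 'medichi2.exe'),
    (Join-Path $win 'murka.dat'),   (Join-Path $sys 'user32.dat')
)

# Registry values the description says the trojan writes. Bad is a regex for
# string values and an integer for DWORD policy values.
$values = @(
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name='Medichi';  Bad='medichi\.exe' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name='Medichi2'; Bad='medichi2\.exe' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Name='AppInit_DLLs'; Bad='murka\.dat' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'; Name='DisableRegistryTools'; Bad=1 },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'; Name='DisableTaskMgr'; Bad=1 },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoControlPanel'; Bad=1 },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoWindowsUpdate'; Bad=1 }
)

function Get-EldycowFindings {
    $findings = @()
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
    }
    # beep.sys is a legitimate Windows driver, so its presence proves nothing;
    # only a copy whose signature does not verify is worth a manual look.
    $beep = Join-Path $sys 'drivers\beep.sys'
    if (Test-Path -LiteralPath $beep) {
        $sig = Get-AuthenticodeSignature -FilePath $beep
        if ($sig.Status -ne 'Valid') { $findings += "review: $beep signature is $($sig.Status)" }
    }
    foreach ($v in $values) {
        $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $actual = $item.$($v.Name)
        $hit = if ($v.Bad -is [int]) { [int]$actual -eq $v.Bad } else { "$actual" -match $v.Bad }
        if ($hit) { $findings += "registry: $($v.Key)\$($v.Name) = $actual" }
    }
    return $findings
}

$result = @(Get-EldycowFindings)
if ($result.Count -eq 0) { 'No Win32/Eldycow artifacts found.' } else { $result }
```

On older systems where beep.sys is catalog-signed rather than embedded-signed, the signature check may report NotSigned; treat that line as a prompt to compare the file against a known-good copy, not as a confirmed infection.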