AlphaOne Technology Support Forums
Author Topic: Trojan.Tooso.K  (Read 510 times)
Brad
Trojan.Tooso.K
« on: August 13, 2005, 06:00:16 PM »

Trojan.Tooso.K is a Trojan horse that lowers security settings by ending processes, stopping services, removing registry entries, and deleting files.

This Trojan may arrive in an email with a .zip file attachment. The attachment may contain the file foto_bs363.exe.

When Trojan.Tooso.K is executed, it performs the following actions:

   1. Executes the following program:

      mspaint.exe.

   2. Copies itself as %System%\winshost.exe.

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   3. Drops the following file:

      %System%\wiwshost.exe

   4. Adds the value:

      "winshost.exe" = "%System%\winshost.exe"

      to the registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

      so that it runs every time Windows starts.

   5. Adds the value:

      "Start" = "4"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

      so that it disables the Shared Access service in Windows 2000/XP.

   6. Adds the value:

      "Start" = "4"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

      so that it disables Automatic Updates.

   7. Adds the value:

      "Start" = "4"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter

      so that it disables the Alerter service.

   8. Injects wiwshost.exe into the explorer.exe process. All of the Trojan's subsequent actions will appear to be performed by explorer.exe.

   9. Stops services with the following names:

          * AVExch32Service
          * AVPCC
          * AVUPDService
          * Ahnlab task Scheduler
          * AlertManger
          * AvgCore
          * AvgFsh
          * AvgServ
          * AvxIni
          * BackWeb Client - 7681197
          * BlackICE
          * CAISafe
          * DefWatch
          * F-Secure Gatekeeper Handler Starter
          * FSDFWD
          * FSMA
          * KAVMonitorService
          * KLBLMain
          * MCVSRte
          * McAfee Firewall
          * McAfeeFramework
          * McShield
          * McTaskManager
          * MonSvcNT
          * NISSERV
          * NISUM
          * NOD32ControlCenter
          * NOD32Service
          * NPFMntor
          * NProtectService
          * NSCTOP
          * NVCScheduler
          * NWService
          * Network Associates Log Service
          * Norman NJeeves
          * Norman ZANDA
          * Norton Antivirus Server
          * Outbreak Manager
          * Outpost Firewall
          * OutpostFirewall
          * PASSRV
          * PAVFNSVR
          * PAVSRV
          * PCCPFW
          * PREVSRV
          * PSIMSVC
          * PavPrSrv
          * PavProt
          * Pavkre
          * PersFW
          * SAVFMSE
          * SAVScan
          * SBService
          * SNDSrvc
          * SPBBCSvc
          * SWEEPSRV.SYS
          * SharedAccess
          * SmcService
          * SweepNet
          * Symantec AntiVirus Client
          * Symantec Core LC
          * Tmntsrv
          * V3MonNT
          * V3MonSvc
          * VexiraAntivirus
          * VisNetic AntiVirus Plug-in
          * XCOMM
          * alerter
          * avg7alrt
          * avg7updsvc
          * avpcc
          * awhost32
          * backweb client - 4476822
          * backweb client-4476822
          * ccEvtMgr
          * ccPwdSvc
          * ccSetMgr
          * ccSetMgr.exe
          * dvpapi
          * dvpinit
          * fsbwsys
          * fsdfwd
          * kavsvc
          * mcupdmgr.exe
          * navapsvc
          * nvcoas
          * nwclntc
          * nwclntd
          * nwclnte
          * nwclntf
          * nwclntg
          * nwclnth
          * ravmon8
          * schscnt
          * sharedaccess
          * vsmon
          * wuauserv

  10. Attempts to delete the following registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor

      to disable the automatic startup of certain security-related programs.

  11. Attempts to delete the following registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Symantec
      HKEY_LOCAL_MACHINE\SOFTWARE\McAfee
      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab
      HKEY_LOCAL_MACHINE\SOFTWARE\Agnitum
      HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software
      HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs

      to disable certain security-related programs.

  12. Attempts to delete all instances of files with the following names from all fixed drives:

          * AUPD1ATE.EXE
          * AUPDATE.EXE
          * Av1synmgr.exe
          * Avc1onsol.exe
          * Avconsol.exe
          * Avsynmgr.exe
          * C1CSETMGR.EXE
          * CC1EVTMGR.EXE
          * CCEVTMGR.EXE
          * CCSETMGR.EXE
          * CM1Grdian.exe
          * CMGrdian.exe
          * K2A2V.exe
          * KAV.exe
          * LUAL1L.EXE
          * LUALL.EXE
          * LUI1NSDLL.DLL
          * LUINSDLL.DLL
          * Luup1date.exe
          * Luupdate.exe
          * Mcsh1ield.exe
          * Mcshield.exe
          * NAV1APSVC.EXE
          * NAVAPSVC.EXE
          * NPFM1NTOR.EXE
          * NPFMNTOR.EXE
          * RuLa1unch.exe
          * RuLaunch.exe
          * SND1Srvc.exe
          * SNDSrvc.exe
          * SP1BBCSvc.exe
          * SPBBCSvc.exe
          * Up222Date.exe
          * Up2Date.exe
          * Vs1Stat.exe
          * VsStat.exe
          * Vshw1in32.exe
          * Vshwin32.exe
          * a5v.dll
          * av.dll
          * avg23emc.exe
          * avgc3c.exe
          * avgcc.exe
          * avgemc.exe
          * c6a5fix.exe
          * cafix.exe
          * cc1l30.dll
          * ccA1pp.exe
          * ccApp.exe
          * ccl30.dll
          * ccv1rtrst.dll
          * ccvrtrst.dll
          * is5a6fe.exe
          * isafe.exe
          * kav12mm.exe
          * kavmm.exe
          * outp1ost.exe
          * outpost.exe
          * s1ymlcsvc.exe
          * symlcsvc.exe
          * ve6tre5dir.dll
          * vetredir.dll
          * vs6va5ult.dll
          * vsvault.dll
          * zatu6tor.exe
          * zatutor.exe
          * zl5avscan.dll
          * zlavscan.dll
          * zlcli6ent.exe
          * zlclient.exe
          * zo3nealarm.exe
          * zonealarm.exe

  13. Attempts to stop the following services:

          * SharedAccess
          * wscsvc

  14. Attempts to end processes with the following names:

          * ATUPDATER.EXE
          * AUPDATE.EXE
          * AUTODOWN.EXE
          * AUTOTRACE.EXE
          * AUTOUPDATE.EXE
          * AVPUPD.ExE
          * AVWUPD32.EXE
          * AVXQUAR.EXE
          * CFIAUDIT.EXE
          * DRWEBUPW.EXE
          * ESCANH95.EXE
          * ESCANHNT.EXE
          * FIREWALL.EXE
          * ICSSUPPNT.EXE
          * ICSUPP95.EXE
          * LUALL.EXE
          * MCUPDATE.EXE
          * NUPGRADE.EXE
          * OUTPOST.ExE
          * UPDATE.Exe
          * UPGRADER.EXE

  15. Attempts to download files from the following URLs in the sequence given. At the time of writing, the files were not available:


  16. Overwrites the infected computer's hosts file with the following text:

      127.0.0.1 localhost

REMOVAL INSTRUCTIONS
See: [url]http://securityresponse.symantec.com/avcenter/venc/data/trojan.tooso.k.html[/url]

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to the subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   5. In the right pane, delete the value:

      "winshost.exe" = "%System%\winshost.exe"

   6. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

   7. In the right pane, restore the original value if applicable:

      "Start" = "4"

   8. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter

   9. In the right pane, restore the original value if applicable:

      "Start" = "4"

  10. Exit the Registry Editor.

To re-enable the SharedAccess service (Windows 2000/XP only)
The SharedAccess service is responsible for maintaining Internet Connection Sharing and the Windows Firewall/Internet Connection Firewall applications in Windows. (The presence and names of these applications vary depending on the operating system and service pack you are using.) To protect your computer and maintain network functionality, re-enable this service if you are using any of these programs.


Windows XP Service Pack 2
If you are running Windows XP with Service Pack 2 and are using the Windows Firewall, the operating system will alert you when the SharedAccess service is stopped, by displaying an alert balloon saying that your Firewall status is unknown. Perform the following steps to ensure that the Windows Firewall is re-enabled:

   1. Click Start > Control Panel.

   2. Double-click the Security Center.

   3. Ensure that the Firewall security essential is marked ON.

      Note: If the Firewall security essential is marked on, your Windows Firewall is on and you do not need to continue with these steps.

      If the Firewall security essential is not marked on, click the "Recommendations" button.

   4. Under "Recommendations," click Enable Now. A window appears telling you that the Windows Firewall was successfully turned on.

   5. Click Close, and then click OK.

   6. Close the Security Center.



Windows 2000 or Windows XP Service Pack 1 or earlier
Complete the following steps to re-enable the SharedAccess service:

   1. Click Start > Run.
   2. Type services.msc

      Then click OK.

   3. Do one of the following:
          * Windows 2000: Under the Name column, locate the "Internet Connection Sharing (ICS)" service and double-click it.
          * Windows XP: Under the Name column, locate the "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" service and double-click it.

   4. Under "Startup Type:", select "Automatic" from the drop-down menu.

   5. Under "Service Status:", click the Start button.

   6. Once the service has completed starting, click OK.

   7. Close the Services window.
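As an added example (not code from the original post or from Symantec's write-up), here is a read-only PowerShell audit that checks a machine for the indicators described above: the two dropped files in %System%, the "winshost.exe" Run value in HKLM and HKCU, the three services the Trojan sets to Start = 4, and the overwritten hosts file. It assumes an elevated PowerShell prompt on the suspect Windows machine and reports findings without changing anything.

```powershell
# Added example, not part of the original post: read-only audit for the
# Trojan.Tooso.K indicators listed in the write-up. Nothing is deleted or modified.

$system   = [Environment]::SystemDirectory   # resolves the %System% folder
$findings = @()

# 1. Dropped files: %System%\winshost.exe and %System%\wiwshost.exe
foreach ($name in 'winshost.exe', 'wiwshost.exe') {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
    }
}

# 2. Persistence: "winshost.exe" value under the HKLM and HKCU Run keys
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name 'winshost.exe' -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "Run value in ${key}: winshost.exe = $($item.'winshost.exe')"
    }
}

# 3. Services the Trojan disables by setting Start = 4 (Disabled)
foreach ($svc in 'SharedAccess', 'wuauserv', 'Alerter') {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) {
        $findings += "Service $svc has Start = 4 (Disabled)"
    }
}

# 4. hosts file replaced by the single line "127.0.0.1 localhost" (no comment
#    header at all). A default hosts file keeps its comment block, so an
#    exact match on the whole file is the signal, not the localhost line alone.
$hosts = Join-Path $system 'drivers\etc\hosts'
if (Test-Path -LiteralPath $hosts) {
    $content = (Get-Content -LiteralPath $hosts -Raw).Trim()
    if ($content -eq '127.0.0.1 localhost') {
        $findings += "hosts file contains only '127.0.0.1 localhost' (overwrite pattern)"
    }
}

if ($findings.Count -eq 0) {
    'No Trojan.Tooso.K indicators found.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
}
```

Any hit should be followed by the manual removal steps above and a full scan with updated definitions; the Start = 4 check alone can also match a service an administrator disabled deliberately.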
