Trojan.Tooso.N is a Trojan Horse that attempts to lower security settings and download other threats. This risk is mailed by W32.Beagle.CG@mm.
When Trojan.Tooso.N is executed, it performs the following actions:
1. Creates the following file:
%Windir%\gfgdgfddfgdfgwe.exe
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
2. Attempts to execute this file, which only runs under Windows 95/98/Me.
Note: If the compromised computer is not running Windows 95/98/Me, the Trojan will not execute.
3. Creates the following copy of itself:
%System%\winshost.exe
4. Drops the following file:
%System%\wiwshost.exe
5. Adds the value:
"winshost.exe" = "%System%\winshost.exe"
to the registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
6. Attempts to find the explorer.exe process and inject wiwshost.exe into it.
Note: All subsequent actions are taken by wiwshost.exe, but will appear to be taken by explorer.exe.
7. Overwrites the compromised computer's hosts file with the following text:
127.0.0.1 localhost
8. Launches a thread that stops services with the following names:
* Ahnlab task Scheduler
* alerter
* AlertManger
* AVExch32Service
* avg7alrt
* avg7updsvc
* AvgCore
* AvgFsh
* AvgServ
* avpcc
* AVPCC
* AVUPDService
* AvxIni
* awhost32
* backweb client - 4476822
* BackWeb Client - 7681197
* backweb client-4476822
* BlackICE
* CAISafe
* ccEvtMgr
* ccPwdSvc
* ccSetMgr
* ccSetMgr.exe
* DefWatch
* dvpapi
* dvpinit
* fsbwsys
* fsdfwd
* FSDFWD
* F-Secure Gatekeeper Handler Starter
* FSMA
* KAVMonitorService
* kavsvc
* KLBLMain
* McAfee Firewall
* McAfeeFramework
* McShield
* McTaskManager
* mcupdmgr.exe
* MCVSRte
* MonSvcNT
* navapsvc
* Network Associates Log Service
* NISSERV
* NISUM
* NOD32ControlCenter
* NOD32Service
* Norman NJeeves
* Norman ZANDA
* Norton Antivirus Server
* NPFMntor
* NProtectService
* NSCTOP
* nvcoas
* NVCScheduler
* nwclntc
* nwclntd
* nwclnte
* nwclntf
* nwclntg
* nwclnth
* NWService
* Outbreak Manager
* Outpost Firewall
* OutpostFirewall
* PASSRV
* PAVFNSVR
* Pavkre
* PavProt
* PavPrSrv
* PAVSRV
* PCCPFW
* PersFW
* PREVSRV
* PSIMSVC
* ravmon8
* SAVFMSE
* SAVScan
* SBService
* schscnt
* SharedAccess
* sharedaccess
* SmcService
* SNDSrvc
* SPBBCSvc
* SweepNet
* SWEEPSRV.SYS
* Symantec AntiVirus Client
* Symantec Core LC
* Tmntsrv
* V3MonNT
* V3MonSvc
* VexiraAntivirus
* VisNetic AntiVirus Plug-in
* vsmon
* wscsvc
* wuauserv
* XCOMM
9. Attempts to delete the following registry entries:
"Symantec NetDriver Monitor"
"ccApp"
"NAV CfgWiz"
"SSC_UserPrompt"
"McAfee Guardian"
"APVXDWIN"
"KAV50"
"avg7_cc"
"avg7_emc"
"Zone Labs Client"
from the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
10. Attempts to delete the following registry entry:
"McAfee.InstantUpdate.Monitor"
from the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
11. Attempts to delete the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab
HKEY_LOCAL_MACHINE\SOFTWARE\Agnitum
HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software
HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs
12. Attempts to delete all instances of the following files from all fixed drives:
* a5v.dll
* AUPD1ATE.EXE
* AUPDATE.EXE
* av.dll
* Av1synmgr.exe
* Avc1onsol.exe
* Avconsol.exe
* avg23emc.exe
* avgc3c.exe
* avgcc.exe
* avgemc.exe
* Avsynmgr.exe
* C1CSETMGR.EXE
* c6a5fix.exe
* cafix.exe
* CC1EVTMGR.EXE
* cc1l30.dll
* ccA1pp.exe
* ccApp.exe
* CCEVTMGR.EXE
* ccl30.dll
* CCSETMGR.EXE
* ccv1rtrst.dll
* ccvrtrst.dll
* CM1Grdian.exe
* CMGrdian.exe
* is5a6fe.exe
* isafe.exe
* K2A2V.exe
* KAV.exe
* kav12mm.exe
* kavmm.exe
* LUAL1L.EXE
* LUALL.EXE
* LUI1NSDLL.DLL
* LUINSDLL.DLL
* Luup1date.exe
* Luupdate.exe
* Mcsh1ield.exe
* Mcshield.exe
* mysuperprog.exe
* NAV1APSVC.EXE
* NAVAPSVC.EXE
* NPFM1NTOR.EXE
* NPFMNTOR.EXE
* outp1ost.exe
* outpost.exe
* RuLa1unch.exe
* RuLaunch.exe
* s1ymlcsvc.exe
* SND1Srvc.exe
* SNDSrvc.exe
* SP1BBCSvc.exe
* SPBBCSvc.exe
* symlcsvc.exe
* Up222Date.exe
* Up2Date.exe
* ve6tre5dir.dll
* vetredir.dll
* Vs1Stat.exe
* vs6va5ult.dll
* Vshw1in32.exe
* Vshwin32.exe
* VsStat.exe
* vsvault.dll
* zatu6tor.exe
* zatutor.exe
* zl5avscan.dll
* zlavscan.dll
* zlcli6ent.exe
* zlclient.exe
* zo3nealarm.exe
* zonealarm.exe
13. Attempts to terminate processes with the following names:
* ATUPDATER.EXE
* AUPDATE.EXE
* AUTODOWN.EXE
* AUTOTRACE.EXE
* AUTOUPDATE.EXE
* AVPUPD.EXE
* AVWUPD32.EXE
* AVXQUAR.EXE
* CFIAUDIT.EXE
* DRWEBUPW.EXE
* ESCANH95.EXE
* ESCANHNT.EXE
* FIREWALL.EXE
* ICSSUPPNT.EXE
* ICSUPP95.EXE
* LUALL.EXE
* MCUPDATE.EXE
* NUPGRADE.EXE
* OUTPOST.EXE
* UPDATE.EXE
* UPGRADER.EXE
14. Attempts to download a file named osa5.gif from a long list of URLs, trying them in the sequence given.
Note: At the time of writing, the files were not available.
15. Attempts to save the downloaded file as %Windir%\_re_file.exe and then execute it.
Note: It has been reported that the downloaded file is supposed to be a Beagle variant.
16. Creates the following registry subkey:
HKEY_CURRENT_USER\Software\FirstRun\FirstRunRR
which is used as an infection marker.
17. Opens notepad.exe.
Note: This only occurs after the first time the Trojan is launched.
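The dropped files (steps 1, 3, 4 and 15), the Run value (step 5), the hosts overwrite (step 7) and the infection marker (step 16) make up a small host triage checklist. The Python below is an added example, not Symantec's code: assess() evaluates a snapshot dict so the logic can be exercised offline, and collect_snapshot() builds that snapshot on a Windows host with winreg, assuming %System% is %SystemRoot%\System32.

```python
"""Triage checks for the Trojan.Tooso.N host indicators listed above (added example, not Symantec code)."""
import os
import re

RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
MARKER_KEY = r"HKCU\Software\FirstRun\FirstRunRR"      # infection marker, step 16
RUN_VALUE = "winshost.exe"                              # persistence value name and file, step 5
DROPPED = (r"%Windir%\gfgdgfddfgdfgwe.exe", r"%System%\winshost.exe",
           r"%System%\wiwshost.exe", r"%Windir%\_re_file.exe")    # steps 1, 3, 4, 15

def hosts_overwritten(text: str) -> bool:
    """True if the hosts file holds only '127.0.0.1 localhost' (step 7); a stock file also has comments."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return len(lines) == 1 and re.fullmatch(r"127\.0\.0\.1\s+localhost", lines[0]) is not None

def assess(snap: dict) -> list:
    """snap = {'files': DROPPED entries present, 'run': {existing key: {value: data}}, 'hosts': text}."""
    found = [f"dropped file present: {p}" for p in DROPPED if p in snap["files"]]
    for key in RUN_KEYS:
        for name, data in snap["run"].get(key, {}).items():
            if name.lower() == RUN_VALUE or data.lower().endswith("\\" + RUN_VALUE):
                found.append(f"persistence: {key}\\{name} = {data}")
    if MARKER_KEY in snap["run"]:                       # the key existing at all means the marker is set
        found.append(f"infection marker: {MARKER_KEY}")
    if hosts_overwritten(snap["hosts"]):
        found.append("hosts file reduced to '127.0.0.1 localhost'")
    return found

def collect_snapshot() -> dict:
    """Live collection on Windows only; assumes %System% means %SystemRoot%\\System32."""
    import winreg
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    expand = lambda p: p.replace("%Windir%", windir).replace("%System%", windir + r"\System32")
    snap = {"files": {p for p in DROPPED if os.path.exists(expand(p))}, "run": {}, "hosts": ""}
    for key in RUN_KEYS + (MARKER_KEY,):
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE, sub) as h:
                count = winreg.QueryInfoKey(h)[1]       # number of values under the key
                snap["run"][key] = {n: str(d) for n, d, _ in (winreg.EnumValue(h, i) for i in range(count))}
        except OSError:
            pass                                        # key absent (or access denied)
    hosts = windir + r"\System32\drivers\etc\hosts"
    if os.path.exists(hosts):
        snap["hosts"] = open(hosts, errors="replace").read()
    return snap

if __name__ == "__main__":
    print("\n".join(assess(collect_snapshot()) or ["no Trojan.Tooso.N indicators found"]))
```

Run it as Administrator so the HKLM Run key and the hosts file are readable; a bare hosts file alone is weak evidence and should be weighed with the file and registry findings.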
REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/trojan.tooso.n.html