Trojan.Schoeberl is a Trojan horse that downloads and executes remote files.
Trojan.Schoeberl may arrive as an attachment with the name ebay-rechnung.pdf.exe.
Once it is executed, it performs the following actions:
1. Creates a copy of itself as %System%\ipwf.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Drops the file %System%\DRIVERS\winut.dat.
3. Adds the value:
"IPFW" = "%System%\ipwf.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it is executed every time Windows starts.
4. Adds the value:
"[CURRENT FILE]" = "[CURRENT FILE]:*:Enabled:[CURRENT FILE]"
to the registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
to add itself to the Internet Connection Firewall bypass list.
5. Adds the value:
"%System%\ipwf.exe" = "%System%\ipwf.exe:*:Enabled:ipwf"
to the registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
to add itself to the Internet Connection Firewall bypass list.
6. Attempts to download an encrypted text file from the following URLs:
* [http://]vigos.ru/[REMOVED]/9374.txt
* [http://]www.eq2-aequitas.com/[REMOVED]/1.txt
* [http://]www.gardnersworld.co.uk/[REMOVED]/00.txt
* [http://]www.goldticks.com/[REMOVED]/unix.txt
* [http://]www.iars.org.uk/[REMOVED]/sys.txt
* [http://]vomfunkewald.de/[REMOVED]/backup.txt
* [http://]pcdr.ch/images/[REMOVED]/backup.txt
* [http://]www.bsatrans.com/[REMOVED]/backup.txt
* [http://]www.diverseinteriors.co.uk/[REMOVED]/backup.txt
* [http://]vigos.ru/love/[REMOVED]/ping.txt
* [http://]www.keramzit-isr.saminfo.ru/[REMOVED]/story.txt
* [http://]bestmega.net/[REMOVED]/praha.txt
* [http://]dmitrovka.com/[REMOVED]/secret.txt
* [http://]ecoline-spb.ru/[REMOVED]/9374.txt
* [http://]blazingweb.co.uk/[REMOVED]/paris.txt
* [http://]arcticstudios.co.uk/[REMOVED]/london.txt
7. Decrypts the text file which contains URLs and saves them to %System%\drivers\winut.dat
8. Attempts to connect to the URLs to download and execute a file. At the time of writing the file downloaded is W32.Starimp.
9. Ends processes that have one of the following names, some of which belong to security products:
* ZAPRO
* zonealarm
* armor2net
* tpfw
* NPROTECT
* MpfService
* kpf4gui
* kpf4ss
* firewall
* ccapp
* amon
10. Adds the value:
"WindowsShell" = "1"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
as an infection marker.
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.schoeberl.html
To delete the values from the registry:
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"IPFW" = "%System%\ipwf.exe"
6. Navigate to the subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
7. In the right pane, delete the value:
"[CURRENT FILE]" = "[CURRENT FILE]:*:Enabled:[CURRENT FILE]"
8. Navigate to the subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
9. In the right pane, delete the value:
"%System%\ipwf.exe" = "%System%\ipwf.exe:*:Enabled:ipwf"
10. Navigate to the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
11. In the right pane, delete the value:
"WindowsShell" = "1"
12. Exit the Registry Editor.
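The infection steps above and the manual registry clean-up can be checked and carried out from a script instead of Regedit. The following PowerShell audit is an added example, not part of the Symantec writeup: it looks for the dropped files and registry values the writeup names, prints what it finds, and with -Remove deletes only the registry values the removal section lists. It assumes the names are exactly as given here; since the "[CURRENT FILE]" firewall entry is keyed on the path of whatever copy was executed, the script matches that entry on the attachment name ebay-rechnung.pdf.exe, which is an assumption.

```powershell
# Added example (not Symantec's code): audit a host for Trojan.Schoeberl
# indicators from the writeup and optionally remove the registry values.
# Run from an elevated PowerShell prompt; without -Remove it only reports.
param(
    [switch]$Remove
)

$system32 = [Environment]::GetFolderPath('System')   # resolves %System%
$indicators = @()

# Steps 1 and 2: dropped files
foreach ($f in @("$system32\ipwf.exe", "$system32\DRIVERS\winut.dat")) {
    if (Test-Path -LiteralPath $f) {
        $indicators += [pscustomobject]@{ Type = 'File'; Location = $f; Name = ''; Data = '' }
    }
}

# Registry locations from steps 3, 4, 5 and 10
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$fwKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$markKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'

# Return the real values under a key (skipping the PS* bookkeeping properties);
# an absent key (e.g. no ICF list on newer Windows) yields nothing.
function Get-RegValues([string]$path) {
    if (-not (Test-Path -LiteralPath $path)) { return @() }
    (Get-ItemProperty -LiteralPath $path).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
}

function Add-RegIndicator($key, $prop) {
    $script:indicators += [pscustomobject]@{
        Type = 'Registry'; Location = $key; Name = $prop.Name; Data = "$($prop.Value)"
    }
}

# Step 3: Run value "IPFW" (or anything else pointing at ipwf.exe)
foreach ($v in Get-RegValues $runKey) {
    if ($v.Name -eq 'IPFW' -or "$($v.Value)" -match 'ipwf\.exe') { Add-RegIndicator $runKey $v }
}

# Steps 4 and 5: firewall bypass entries for ipwf.exe and for the executed
# copy ("[CURRENT FILE]", assumed here to be the attachment name)
foreach ($v in Get-RegValues $fwKey) {
    if ($v.Name -match 'ipwf\.exe$' -or
        $v.Name -match 'ebay-rechnung\.pdf\.exe$' -or
        "$($v.Value)" -match ':Enabled:ipwf$') { Add-RegIndicator $fwKey $v }
}

# Step 10: infection marker "WindowsShell" = "1"
foreach ($v in Get-RegValues $markKey) {
    if ($v.Name -eq 'WindowsShell') { Add-RegIndicator $markKey $v }
}

if ($indicators.Count -eq 0) {
    Write-Host 'No Trojan.Schoeberl indicators found.'
    return
}
$indicators | Format-Table -AutoSize

if ($Remove) {
    # Only the registry values named in the removal instructions are deleted;
    # the dropped files are left for the AV product or manual deletion.
    foreach ($i in $indicators | Where-Object { $_.Type -eq 'Registry' }) {
        Remove-ItemProperty -LiteralPath $i.Location -Name $i.Name -ErrorAction Continue
        Write-Host "Removed value '$($i.Name)' from $($i.Location)"
    }
}
```

Save it as, for example, Check-Schoeberl.ps1 and run it once without -Remove to confirm the findings match the writeup before deleting anything; the Run-key and marker checks are the reliable ones, while the firewall-list match depends on the assumed attachment name and should be reviewed by eye.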