Win32/Trojan.Downloader.Vidlo.Q
Description
This trojan is a typical downloader trojan. The file is 5632 bytes in size, runtime-compressed with UPX and patched with an entry point manipulation.
The trojan's icon resembles the Adobe PDF document icon, and the file carries a double extension, ".pdf.exe", so that it passes for a PDF document.
Note: Windows hides the extensions of known file types by default, so the trailing ".exe" is not displayed and only "rechnung.pdf" is visible (see illustration above).
The trojan uses a trick to defeat standard UPX unpacking routines: it places a small piece of startup code in front of the UPX unpacker stub and changes the PE entry point to that location, so tools that expect the usual UPX stub at the entry point do not recognize the file.
Details: This code pushes the absolute address of the original UPX unpacker stub onto the stack, initializes the counter register (ECX) with 010h, spins 16 times in an empty LOOP, and then transfers control to the UPX stub with a RET opcode, which pops the pushed address into EIP. Pushing the target address and "returning" to it saves the author from calculating a relative jump offset.

Note: Because the pushed address is an absolute virtual address, the trick only works if the image is mapped at its preferred ImageBase. That is the case for PE executables, but not for dynamic link libraries: a DLL is relocated to a different base address whenever its preferred address is already occupied in the host process, the pushed address then no longer points at the unpacker stub, and the module fails during the DLL attach (DLL_PROCESS_ATTACH) call.
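The following Python script is an added example, not code from the original write-up or from the sample: it emulates the push/mov/loop/ret startup code described above to recover the address of the real UPX stub, distinguishes that trampoline from a normal UPX entry point (which starts with PUSHAD), and shows why an absolute pushed address breaks when the image is relocated, as in the DLL note. The bytes, the preferred ImageBase and the entry point address are constructed for the example.

```python
import struct

# Constructed bytes of the startup code the trojan places in front of the
# UPX stub (the addresses are assumptions for this example, not values
# taken from the sample):
#   68 40 8B 40 00    push 00408B40h   ; absolute VA of the real UPX stub
#   B9 10 00 00 00    mov  ecx, 10h    ; 16 iterations
#   E2 FE             loop $           ; empty delay loop
#   C3                ret              ; pops the pushed VA into EIP
PRE_STUB = bytes.fromhex("68408B4000B910000000E2FEC3")
PREFERRED_BASE = 0x00400000   # ImageBase from the optional header (assumed)
PRE_STUB_VA = 0x00408B30      # ImageBase + AddressOfEntryPoint (assumed)


def emulate_pre_stub(code, max_steps=10_000):
    """Execute the push/mov/loop/ret sequence and return (ret_target_va, loop_count)."""
    eip, ecx, stack, loops = 0, 0, [], 0
    for _ in range(max_steps):
        op = code[eip]
        if op == 0x68:                                    # push imm32
            stack.append(struct.unpack_from("<I", code, eip + 1)[0])
            eip += 5
        elif op == 0xB9:                                  # mov ecx, imm32
            ecx = struct.unpack_from("<I", code, eip + 1)[0]
            eip += 5
        elif op == 0xE2:                                  # loop rel8: ECX--, jump if ECX != 0
            rel = struct.unpack_from("<b", code, eip + 1)[0]
            eip += 2
            ecx = (ecx - 1) & 0xFFFFFFFF
            loops += 1
            if ecx:
                eip += rel
        elif op == 0xC3:                                  # ret: pop -> EIP
            return stack.pop(), loops
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {eip:#x}")
    raise RuntimeError("no RET reached within step limit")


def classify_entry(code):
    """'upx' if the entry byte is the PUSHAD that opens a normal UPX stub,
    'vidlo-pre-stub' if the entry is the push/loop/ret trampoline, else 'unknown'."""
    if code[0] == 0x60:
        return "upx"
    try:
        emulate_pre_stub(code)
        return "vidlo-pre-stub"
    except (ValueError, RuntimeError, IndexError):
        return "unknown"


def ret_lands_on_stub(ret_target_va, preferred_base, actual_base):
    """Compare where RET transfers control with where the UPX stub really is
    once the image is mapped at actual_base (the relocation problem of the note)."""
    stub_rva = ret_target_va - preferred_base
    real_stub_va = actual_base + stub_rva
    return {"ret_target": ret_target_va, "real_stub": real_stub_va,
            "stub_rva": stub_rva, "ok": ret_target_va == real_stub_va}


if __name__ == "__main__":
    target, loops = emulate_pre_stub(PRE_STUB)
    print(f"entry {PRE_STUB_VA:#010x} -> {classify_entry(PRE_STUB)}: "
          f"RET jumps to {target:#010x} after {loops} loop iterations")
    for base in (PREFERRED_BASE, 0x10000000):
        print(f"loaded at {base:#010x}: {ret_lands_on_stub(target, PREFERRED_BASE, base)}")
```

The emulator only understands the four instructions the trampoline uses; anything else is reported as unsupported rather than guessed at, which is the safe choice for a triage script. Once the pushed address is known, subtracting the preferred ImageBase gives the RVA of the real UPX stub, which is what a manual unpack needs.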
Note: In the following text, %WINDOWS% denotes the Windows directory (e.g. C:\WINDOWS) and %SYSTEM% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32), as they differ between versions of Microsoft Windows.
Installation and Autostart Techniques
Upon execution the trojan copies itself into the Windows folder, keeping its original filename and extension, and then launches that copy from the Windows folder via the ShellExecuteA function. A temporarily created "a.bat" file deletes the original file in a loop guarded by an "if exist" check, retrying until the deletion succeeds (the original cannot be removed while it is still running). In its last line the batch file deletes itself with "%0".
The trojan adds the following value under the Run key of the registry to make sure that it runs every time Windows is started, until the files have been downloaded:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"winldr" = "%WINDOWS%\<Trojan-Executable.EXE>"
Note: By default the executable name is "Rechnung.pdf.exe", so the value points at %WINDOWS%\Rechnung.pdf.exe.
More Nasty Tricks - Firewall Bypass & Co.
The problem for a downloader trojan is always how to avoid firewall notifications about outgoing connections. This trojan locates the handle of the "Shell_TrayWnd" window (the taskbar, which belongs to explorer.exe, a system process that personal firewalls normally trust) via the FindWindowA function, resolves the owning process and obtains a handle to it.

It then writes its own downloader code into that process via the WriteProcessMemory function (code injection) and starts the downloader functionality inside this "trusted" process via CreateRemoteThread.

As a result, the outgoing connections originate from explorer.exe rather than from the trojan, which makes the downloader activity difficult to spot on the compromised system and keeps the downloader itself out of sight.
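The chain described above (FindWindowA on "Shell_TrayWnd", a handle to the owning process, WriteProcessMemory, CreateRemoteThread) is easy to recognize in an API trace. The following Python script is an added example, not part of the original write-up: it runs a small detector over constructed trace lines. The line format is an assumption for this example, and the GetWindowThreadProcessId, OpenProcess and VirtualAllocEx calls are the usual intermediate steps of such an injection, not calls named in the write-up.

```python
import re
from collections import defaultdict

# Constructed API-trace lines in the form "pid Api(args) = result".
# The format is an assumption for this example; GetWindowThreadProcessId is
# shown as directly yielding the owning pid for brevity.
TRACE = [
    '1234 FindWindowA("Shell_TrayWnd", NULL) = 0x10034',
    '1234 GetWindowThreadProcessId(0x10034) = 988',
    '1234 OpenProcess(PROCESS_ALL_ACCESS, 988) = 0x7c',
    '1234 VirtualAllocEx(0x7c, 0x1000, PAGE_EXECUTE_READWRITE) = 0x00390000',
    '1234 WriteProcessMemory(0x7c, 0x00390000, 0x3a8) = TRUE',
    '1234 CreateRemoteThread(0x7c, 0x00390000) = 0xa0',
    '1500 FindWindowA("Shell_TrayWnd", NULL) = 0x10034',      # benign taskbar query only
    '2000 OpenProcess(PROCESS_VM_WRITE, 2001) = 0x80',
    '2000 WriteProcessMemory(0x80, 0x00400000, 0x10) = TRUE',  # write without remote thread
]

LINE = re.compile(r'^(\d+) (\w+)\((.*)\) = (\S+)$')


def parse_args(text):
    """Split the argument list and strip quotes from string literals."""
    return [a.strip().strip('"') for a in text.split(",")] if text else []


def detect_injection(trace):
    """Flag processes that write memory into another process and then start a
    remote thread there; report the window classes of the target so a
    Shell_TrayWnd (explorer.exe) target stands out as a firewall bypass."""
    window_class = {}                   # window handle -> class name looked up
    window_pid = {}                     # window handle -> owning pid
    handle_target = defaultdict(dict)   # injector pid -> {process handle: target pid}
    written = defaultdict(set)          # injector pid -> process handles written to
    alerts = []
    for line in trace:
        m = LINE.match(line)
        if not m:
            continue                    # unparsable line: skip, never guess
        pid, api, args, result = int(m[1]), m[2], parse_args(m[3]), m[4]
        if api == "FindWindowA":
            window_class[result] = args[0]
        elif api == "GetWindowThreadProcessId":
            window_pid[args[0]] = int(result)
        elif api == "OpenProcess":
            handle_target[pid][result] = int(args[1])
        elif api == "WriteProcessMemory":
            written[pid].add(args[0])
        elif api == "CreateRemoteThread" and args[0] in written[pid]:
            target = handle_target[pid].get(args[0])
            classes = sorted({cls for h, cls in window_class.items()
                              if window_pid.get(h) == target})
            alerts.append({"injector": pid, "target": target,
                           "target_windows": classes,
                           "firewall_bypass": "Shell_TrayWnd" in classes})
    return alerts


if __name__ == "__main__":
    for alert in detect_injection(TRACE):
        print(alert)
```

The rule deliberately requires both a write into the foreign process and a remote thread on the same handle: querying "Shell_TrayWnd" alone is common in legitimate software, and a write without a thread start looks like a debugger rather than an injector.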
Downloaded components
Finally the trojan tries to download files from several web servers and to execute them.
Note: These downloaded files are detected by NOD32 as Win32/Dumador Trojan.
History: Analysis and Write-up by: Michael St. Neitzel
© 1992-2005 Eset All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.
