Description:
Win32.Tactslay is a family of web-controlled backdoor trojans that allow an attacker to perform a number of unauthorized actions on an affected machine. When executed, Tactslay variants may copy themselves to either the %Windows% or the %System% directory, using a filename that varies according to variant.
Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
The trojan then adds a value under the following registry key so that it is executed at each Windows start (the value name and data vary by variant; see the per-variant lists below):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Tactslay variants that create copies of themselves in the %Windows% or %System% directories may use a batch file to remove the original source executable. Current variants may use one of these file names for the batch file:
- del_me.bat
- _DelitA.bat
- <random characters>.bat
Please see below for a complete list of filenames and registry entries used by current Tactslay variants that have been reported to CA from the wild:
Win32.Tactslay.A
Copies itself to the %Windows% directory with one of these filenames:
- svcrhost.exe
- outIook.exe
- expIorer.exe
- svcshost.exe
and may make one of these registry modifications:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Scheduler = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OfficeAgent = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Msupdate = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccAppr = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfY = "%Windows%\<trojan file name selected from list above>"
Note: the file names outIook.exe and expIorer.exe use a capital "I" in place of the lowercase "l" of outlook.exe and explorer.exe, and svcrhost.exe and svcshost.exe differ from svchost.exe by a single letter. A visual check of the Run key is therefore unreliable; compare value data byte for byte.
Win32.Tactslay.B
Copies itself to the %Windows% directory with one of these filenames:
- sdhch.exe
- winagent.exe
- svchst.exe
- msnexploren.exe
and may make one of these registry modifications:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Scheduler = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinAmpAgent = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcH0st = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsnExplorer = "%Windows%\<trojan file name selected from list above>"
Win32.Tactslay.C
Copies itself to the %Windows% directory with one of these filenames:
- msgaol.exe
- deamon.exe
- browse.exe
- s_menu.exe
and may make one of these registry modifications:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Messanger = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\httpd = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\browser = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\StartMenu = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cpl = "%Windows%\<trojan file name selected from list above>"
Win32.Tactslay.D and Win32.Tactslay.G
Copies itself to the %Windows% directory with one of these filenames:
- shch.exe
- winagent.exe
- svchst.exe
- msexploren.exe
and may make one of these registry modifications:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SheduIer = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinAmpAgent = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcH0st = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsnExplorer = "%Windows%\<trojan file name selected from list above>"
Note: the value name SheduIer is written with a capital "I" in place of a lowercase "l", and SvcH0st with a zero in place of the "o" of svchost.
Win32.Tactslay.E
Copies itself to the %Windows% directory with one of these filenames:
and may make one of these registry modifications:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nvsvca32 = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\clfmon = "%Windows%\<trojan file name selected from list above>"
Win32.Tactslay.F and Win32.Tactslay.H
Copies itself to the %Windows% directory with one of these filenames:
- sssasasb32.exe
- msnmsgq.exe
and may make one of these registry modifications:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sssasasb32 = "%Windows%\<trojan file name selected from list above>"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msnmsgq32 = "%Windows%\<trojan file name selected from list above>"
Win32.Tactslay.N
Uses the mutex "DLLBHOMUTEX".
Drops a DLL, containing the main functionality, in the %Windows% directory using the source filename with a .dll extension.
Installs itself as a Browser Helper Object (BHO), creating the following registry entries. Registering a BHO causes Internet Explorer to load the DLL into its own process when the browser starts, so the backdoor code runs inside the browser rather than as a separately visible process:
HKCR\dll.DllBho.1
HKCR\dll.DllBho.1\(Default) = "CDllBho Object"
HKCR\dll.DllBho.1\CLSID\(Default) = "{5A5B6916-ED71-4531-8018-E792DD44156E}"
HKCR\dll.DllBho
HKCR\dll.DllBho\(Default) = "CDllBho Object"
HKCR\dll.DllBho\CLSID\(Default) = "{5A5B6916-ED71-4531-8018-E792DD44156E}"
HKCR\dll.DllBho\CurVer\(Default) = "dll.DllBho.1"
HKCR\CLSID\{5A5B6916-ED71-4531-8018-E792DD44156E}\(Default) = "CDllBho Object"
HKCR\CLSID\{5A5B6916-ED71-4531-8018-E792DD44156E}\ProgID\(Default) = "dll.DllBho.1"
HKCR\CLSID\{5A5B6916-ED71-4531-8018-E792DD44156E}\VersionIndependentProgID\(Default) = "dll.DllBho"
HKCR\CLSID\{5A5B6916-ED71-4531-8018-E792DD44156E}\AppID = ""
HKCR\CLSID\{5A5B6916-ED71-4531-8018-E792DD44156E}\TypeLib\(Default) = "{4145C395-632A-4025-88EA-F1AA0479746E}"
HKCR\CLSID\{5A5B6916-ED71-4531-8018-E792DD44156E}\InprocServer32
HKCR\CLSID\{5A5B6916-ED71-4531-8018-E792DD44156E}\InprocServer32\ThreadingModel = "apartment"
HKCR\CLSID\{5A5B6916-ED71-4531-8018-E792DD44156E}\InprocServer32\(Default) = "%Windows%\<source filename>.dll"
HKCR\TypeLib\{4145C395-632A-4025-88EA-F1AA0479746E}
HKCR\TypeLib\{4145C395-632A-4025-88EA-F1AA0479746E}\1.0
HKCR\TypeLib\{4145C395-632A-4025-88EA-F1AA0479746E}\1.0\(Default) = "dll 1.0 Type Library"
HKCR\TypeLib\{4145C395-632A-4025-88EA-F1AA0479746E}\1.0\FLAGS\(Default) = "0"
HKCR\TypeLib\{4145C395-632A-4025-88EA-F1AA0479746E}\1.0\0\win32\(Default) = "%Windows%\<source filename>.dll"
HKCR\TypeLib\{4145C395-632A-4025-88EA-F1AA0479746E}\1.0\HELPDIR\(Default) = "%Windows%"
HKCR\Interface\{6A7807F7-1D10-42DD-ABA1-450AB9380E8E}\(Default) = "IDllBho"
HKCR\Interface\{6A7807F7-1D10-42DD-ABA1-450AB9380E8E}\ProxyStubClsid\(Default) = "{00020424-0000-0000-C000-000000000046}"
HKCR\Interface\{6A7807F7-1D10-42DD-ABA1-450AB9380E8E}\ProxyStubClsid32\(Default) = "{00020424-0000-0000-C000-000000000046}"
HKCR\Interface\{6A7807F7-1D10-42DD-ABA1-450AB9380E8E}\TypeLib\(Default) = "{4145C395-632A-4025-88EA-F1AA0479746E}"
HKCR\Interface\{6A7807F7-1D10-42DD-ABA1-450AB9380E8E}\TypeLib\Version = "1.0"
HKCR\AppID\(Default) = "dll"
HKCR\AppID\dll.DLL\AppID = ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A5B6916-ED71-4531-8018-E792DD44156E}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A5B6916-ED71-4531-8018-E792DD44156E}\(Default) = ""
HKLM\SOFTWARE\sr
HKLM\SOFTWARE\sr\sr
HKLM\SOFTWARE\sr\sr\Enable = 0x1
Domains and IP addresses used by Tactslay.N for downloading and executing files:
198.88.20.155
www274.s3xi.com
Win32.Tactslay.U
Copies itself to the %Windows% directory with one of these filenames:
- ita.exe
- gcac.exe
- hda.exe
- atip.exe
and may make one of these registry modifications:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\iTunesAgent = "%Windows%\ita.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gCac = "%Windows%\gcac.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HDAudio = "%Windows%\hda.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AtiPanel = "%Windows%\atip.exe"
Domains and IP addresses used by Tactslay.U for downloading and executing files:
216.95.196.22
221.10.201.177
221.10.201.190
fqoff.t0wers.net
kjp.j0ys.com
nmho.t0wers.net
omg.t0wers.net
phj.cr3am.net
piiia.cr3am.net
pqh.j0ys.com
th15.t0wers.net
Backdoor Functionality
Tactslay attempts to connect to google.com or yahoo.com in order to check for an Internet connection. These connections are only a connectivity probe; the hosts the trojan actually downloads from are listed below.
Tactslay provides a backdoor that allows its controller to perform a number of actions on an affected machine, including:
- downloading files from remote URLs
- executing files
- updating the trojan
- removing Tactslay from the machine
- issuing commands via the command prompt
- opening files and URLs using their default associations.
Current Tactslay variants download an array of malware and adware. We have received reports that infected machines are often also compromised by various Win32.Startpage variants. For more information on Win32.Startpage, please see its entry elsewhere in our encyclopedia.
Current variants of this trojan have been reported to connect to the following hosts when downloading and executing files:
198.88.20.155
www666.circuithosters.com
www666.fastersmut.com
www666.filehosters.com
www666.gigabitadult.com
www273.filehosters.com
www273.g0tporn.com
www273.s3xi.com
www273.skymedia.com
www1-11.fastersmut.com
www.fastersmut.com
www274.s3xi.com
Some variants store the downloaded files using the filename _tmpbf07a.exe, while others use a random filename.
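As an added example (not part of the original CA entry, and not code from the malware), the following Python script checks an exported registry dump against the indicators listed above: the Run value names, the file names the trojan copies itself under, the Tactslay.N BHO and type library CLSIDs, and Run entries whose executable name collapses onto svchost.exe, explorer.exe or outlook.exe once the capital-I-for-l and 0-for-o substitutions are undone. The .reg text it parses is constructed for the example, and dropper.dll is a placeholder name, not a file name the entry reports.

```python
"""Offline triage of a `reg export` dump for the Win32.Tactslay indicators listed on this page."""
import re
from typing import Dict, List, Tuple

# Indicators copied from the variant lists above.
RUN_VALUE_NAMES = {
    "Scheduler", "OfficeAgent", "Msupdate", "ccAppr", "ccRegVfY",
    "WinAmpAgent", "SvcH0st", "MsnExplorer", "Messanger", "httpd",
    "browser", "StartMenu", "cpl", "SheduIer", "nvsvca32", "clfmon",
    "sssasasb32", "msnmsgq32", "iTunesAgent", "gCac", "HDAudio", "AtiPanel",
}
DROPPED_FILENAMES = {
    "svcrhost.exe", "outIook.exe", "expIorer.exe", "svcshost.exe",
    "sdhch.exe", "winagent.exe", "svchst.exe", "msnexploren.exe",
    "msgaol.exe", "deamon.exe", "browse.exe", "s_menu.exe",
    "shch.exe", "msexploren.exe", "sssasasb32.exe", "msnmsgq.exe",
    "ita.exe", "gcac.exe", "hda.exe", "atip.exe",
}
TACTSLAY_N_CLSIDS = {
    "{5A5B6916-ED71-4531-8018-E792DD44156E}",  # BHO class
    "{4145C395-632A-4025-88EA-F1AA0479746E}",  # its type library
}
# Legitimate names the samples imitate. A value that folds onto one of these
# after homoglyph replacement, but is not spelled identically, is suspicious.
IMPERSONATED = {"svchost.exe", "explorer.exe", "outlook.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg export for this example (not a capture from an infected host).
# It mixes one legitimate Run value with two Tactslay-style ones and the BHO keys;
# dropper.dll is a placeholder for the "<source filename>.dll" of the entry above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Scheduler"="C:\\WINDOWS\\outIook.exe"
"HDAudio"="C:\\WINDOWS\\hda.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A5B6916-ED71-4531-8018-E792DD44156E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5A5B6916-ED71-4531-8018-E792DD44156E}\InprocServer32]
@="C:\\WINDOWS\\dropper.dll"
"ThreadingModel"="apartment"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_FOLD = str.maketrans({"I": "l", "0": "o"})


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax that `reg export` emits for REG_SZ values.

    Returns {key path: {value name: data}}; the default value is stored as "(Default)".
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else m.group(1)
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping of \ and "
            keys[current][name] = data
    return keys


def fold_lookalike(name: str) -> str:
    """Undo the substitutions seen in the samples (capital I for l, 0 for o) and lowercase."""
    return name.translate(_FOLD).lower()


def _basename(command: str) -> str:
    """Executable name from a Run value, ignoring quoting, directory and arguments."""
    m = re.match(r'^\s*"?(.*?\.exe)\b', command, re.IGNORECASE)
    path = m.group(1) if m else command.strip().strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def scan(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for every Tactslay indicator present."""
    findings: List[Tuple[str, str]] = []
    names = {n.lower() for n in RUN_VALUE_NAMES}
    files = {n.lower() for n in DROPPED_FILENAMES}
    for key, values in reg.items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                exe = _basename(data)
                if name.lower() in names:
                    findings.append(("run_value_name", f"{name} = {data}"))
                if exe.lower() in files:
                    findings.append(("dropped_filename", f"{name} = {data}"))
                folded = fold_lookalike(exe)
                if folded in IMPERSONATED and folded != exe.lower():
                    findings.append(("lookalike_binary", f"{exe} imitates {folded}"))
        elif any(clsid in key.upper() for clsid in TACTSLAY_N_CLSIDS):
            # The InprocServer32 default value carries the DLL path; other keys report "".
            findings.append(("bho_clsid", f"{key} -> {values.get('(Default)', '')}"))
    return findings


if __name__ == "__main__":
    for category, detail in scan(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{category:18} {detail}")
```

On a real host, feed the script the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and of the HKCR\CLSID and Browser Helper Objects keys. The lookalike check is deliberately generic: it catches any Run entry that resolves to a system binary name only after the I/l and 0/o substitutions are undone, not just the four spellings this entry lists.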
Analysis by Paul Taylor