Virus

W32/Killwin.C

Analysis


Specifics
This Trojan creates new shares onto a compromised system. The shares are named 'RPC$' and 'USR$'. This Trojan may be installed from a dropper, or other combination malware.

The Trojan will create output files which contain sensitive configuration details. These are the output files created -

c:\png00002.jpg
undefinedWindowsundefined\inf\Layout10.pnf
undefinedWindowsundefined\inf\Layout11.pnf
undefinedWindowsundefined\System32\msmgmt.dll

The files 'msmgmt.dll' and 'png00002.jpg' may contain the following types of data -

  • environment variables in memory
  • listing of currently running services
  • directory listing of root files, program files, and their ownership details
  • other log file entries indicating if commands initiated at the MS-DOS level were successful or not


New Shares Created
The Trojan may add two additional accounts to the system by these names -

RPC$
USR$

The system registry is updated to reflect how these shares are used -


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares\
"RPC$" = "CSCFlags=0 MaxUses=429496795 Path=c:\ Permissions=63
Remark=Vyhrazeno systemu Windows Type=0"
"USR$" = "CSCFlags=0 MaxUses=429496795 Path=undefineduser profile folderundefined
Permissions=63 Remark=Vychozi sdileni uzivatele Type=0


Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option