Virus

W32/Darce.A

Analysis


Specifics
This Trojan is a package installer for a remote shell on the target system. It contains components that are extracted at run time; the main Trojan is in fact a self-extracting .RAR archive file. If the Trojan is run, it may terminate some services and add two accounts to the system.

The Trojan creates output files that contain sensitive configuration details. The files created are -

c:\png00002.jpg
%Windows%\inf\Layout10.pnf
%Windows%\inf\Layout11.pnf
%Windows%\System32\msmgmt.dll

The files 'msmgmt.dll' and 'png00002.jpg' may contain the following types of data -

* environment variables in memory
* listing of currently running services
* directory listing of root files, program files, and their ownership details
* other log entries indicating whether commands run from the command prompt (MS-DOS level) succeeded or failed


New Shares Created
The Trojan may add two additional accounts to the system, under these names -

RPC$
USR$

The system registry is updated to reflect how these shares are used -


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares\
"RPC$" = "CSCFlags=0 MaxUses=429496795 Path=c:\ Permissions=63 Remark=Vyhrazeno systemu Windows Type=0"
"USR$" = "CSCFlags=0 MaxUses=429496795 Path=%user profile folder% Permissions=63 Remark=Vychozi sdileni uzivatele Type=0"
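The registry values above follow a fixed "Key=Value Key=Value ..." layout, which makes them easy to check during triage. The following script is an added example, not part of the original analysis: it parses share definitions in that layout and flags the ones matching the indicators on this page (the RPC$ and USR$ names, a share rooted at an entire drive, and the Permissions=63 value quoted above). The registry dump it runs on is a constructed sample, and the detection rules are this example's own.

```python
"""Added example (not from the original advisory): parse lanmanserver
share definitions and flag entries that match the W32/Darce.A
indicators. The 'Key=Value Key=Value ...' layout is the one quoted on
the page; SAMPLE_SHARES is a constructed registry dump."""
import re
from typing import Dict, List

# Share names the advisory says the Trojan adds.
DARCE_SHARE_NAMES = {"RPC$", "USR$"}

# Constructed sample of HKLM\...\lanmanserver\Shares (name -> value data).
# 'Public' is a benign share included to show that it is not flagged.
SAMPLE_SHARES = {
    "RPC$": "CSCFlags=0 MaxUses=429496795 Path=c:\\ Permissions=63 "
            "Remark=Vyhrazeno systemu Windows Type=0",
    "USR$": "CSCFlags=0 MaxUses=429496795 Path=C:\\Users\\alice Permissions=63 "
            "Remark=Vychozi sdileni uzivatele Type=0",
    "Public": "CSCFlags=0 MaxUses=4294967295 Path=C:\\Shared\\Public Permissions=0 "
              "Remark=Team drop folder Type=0",
}

# Values such as Remark may contain spaces, so split on the next known key
# rather than on whitespace.
KEY_RE = re.compile(r"\b(CSCFlags|MaxUses|Path|Permissions|Remark|Type)=")


def parse_share(value: str) -> Dict[str, str]:
    """Turn one share value string into a {key: value} dict."""
    fields: Dict[str, str] = {}
    hits = list(KEY_RE.finditer(value))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(value)
        fields[m.group(1)] = value[m.end():end].strip()
    return fields


def assess_share(name: str, value: str) -> List[str]:
    """Reasons a share resembles the Darce.A additions (empty list = clean)."""
    fields = parse_share(value)
    reasons: List[str] = []
    if name in DARCE_SHARE_NAMES:
        reasons.append(f"share name {name} is one the advisory lists")
    if re.fullmatch(r"[A-Za-z]:\\?", fields.get("Path", "")):
        reasons.append(f"exposes a whole drive root ({fields['Path']})")
    if fields.get("Permissions") == "63":
        reasons.append("Permissions=63, the value quoted in the advisory")
    return reasons


def scan_shares(shares: Dict[str, str]) -> Dict[str, List[str]]:
    """Return only the shares that triggered at least one rule."""
    flagged: Dict[str, List[str]] = {}
    for name, value in shares.items():
        reasons = assess_share(name, value)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for share, why in scan_shares(SAMPLE_SHARES).items():
        print(share, "->", "; ".join(why))
```

On a live host the same parser can be fed the output of a registry export of the Shares key; a benign share such as the sample's "Public" entry produces no findings, while both Trojan shares are reported with the rule that matched.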


Remote Shell Activation
The Trojan may install a remote shell to listen on TCP port 53. The VBScript component 'odbcjet.vbs' contains instructions to stop services matching these names, using the "net stop" instruction -

SharedAccess
alg.exe
sscansvc.exe

Next, 'odbcjet.vbs' instructs the compromised host to launch a dropped program file named 'schvost.exe' with these parameters -

schvost.exe -L -p 53 -e cmd.exe
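The parameters above are a netcat-style listener: a listen flag, a port, and a program handed to whoever connects. A defender can look for exactly that combination by correlating a socket listing with process command lines. The script below is an added example, not part of the original analysis; the netstat excerpt and the PID-to-command-line table are constructed samples, and only the flags and TCP port 53 come from the page.

```python
"""Added example (not part of the advisory): correlate 'netstat -ano'
output with process command lines to find a bind shell such as the
'schvost.exe -L -p 53 -e cmd.exe' invocation described on the page.
SAMPLE_NETSTAT and SAMPLE_CMDLINES are constructed samples."""
import re
from typing import Dict, List, Optional

# Constructed 'netstat -ano' excerpt: one listener on TCP 53 owned by PID 3104.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       3104
  TCP    192.168.1.20:49310     192.168.1.5:445        ESTABLISHED     4
"""

# Constructed PID -> command line table (as a process-list tool would report).
SAMPLE_CMDLINES: Dict[int, str] = {
    912: r"C:\Windows\system32\svchost.exe -k RPCSS",
    3104: r"C:\Windows\System32\schvost.exe -L -p 53 -e cmd.exe",
}

# One netstat -ano line for a TCP socket in LISTENING state: capture port and PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_pids(netstat_output: str, port: int) -> List[int]:
    """PIDs owning a TCP LISTENING socket on `port` in netstat -ano output."""
    pids: List[int] = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) == port:
            pids.append(int(m.group(2)))
    return pids


def parse_bind_shell(cmdline: str) -> Optional[Dict[str, object]]:
    """Recognise a listener that hands a program to the connecting peer:
    a listen flag (-l or -L), -p <port> and -e <program>. Returns the
    parsed parameters, or None if the command line does not fit."""
    argv = cmdline.split()
    if not argv:
        return None
    listen = any(a in ("-l", "-L") for a in argv[1:])
    port = program = None
    for i, a in enumerate(argv[1:], start=1):
        if a == "-p" and i + 1 < len(argv) and argv[i + 1].isdigit():
            port = int(argv[i + 1])
        elif a == "-e" and i + 1 < len(argv):
            program = argv[i + 1]
    if listen and port is not None and program:
        return {"image": argv[0], "port": port, "program": program}
    return None


def find_bind_shells(cmdlines: Dict[int, str], netstat_output: str,
                     port: int = 53) -> List[Dict[str, object]]:
    """Listeners on `port` whose command line looks like a bind shell."""
    findings: List[Dict[str, object]] = []
    for pid in listening_pids(netstat_output, port):
        parsed = parse_bind_shell(cmdlines.get(pid, ""))
        if parsed and parsed["port"] == port:
            findings.append({"pid": pid, **parsed})
    return findings


if __name__ == "__main__":
    for hit in find_bind_shells(SAMPLE_CMDLINES, SAMPLE_NETSTAT):
        print(f"PID {hit['pid']}: {hit['image']} serves {hit['program']} on TCP {hit['port']}")
```

Checking the listener and the command line together matters here: port 53 is legitimately used by DNS servers, so a socket on that port alone is not a finding, while the "-e cmd.exe" argument is the part that identifies a shell handed to a remote peer.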

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option