XP Entertainments - New AV Killer Trojan

XP Entertainments is probably a new variant of the AvKiller trojan. As of now, only a few AV products detect the malicious files.
The dropper, named U.exe, drops the following files and folders:
\windows\system32\head.exe
\windows\system32\XPEntertainmentsUninstall.exe
\windows\system32\SoUI.dll
\program files\SoftPortal

Registry entries created by the trojan:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4748B0B3-B964-41C3-AE0A-F1345E0AC3C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\\\SoUI.dll"

[HKEY_CURRENT_USER\Software\SoftPortal]
"BasePath"="C:\\Program Files\\SoftPortal\\"
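Added example (not the original post's code): an offline triage script that parses a `.reg` export (for instance the output of `reg export`) together with a list of file paths and flags the dropped files and registry values quoted above. The registry text and file list embedded below are constructed to mirror the post's entries.

```python
import re

# Indicators quoted in the post; compared case-insensitively, as on Windows.
DROPPED_FILES = {
    r"\windows\system32\head.exe",
    r"\windows\system32\xpentertainmentsuninstall.exe",
    r"\windows\system32\soui.dll",
    r"\program files\softportal",
}
CLSID_KEY = r"hkey_local_machine\software\classes\clsid\{4748b0b3-b964-41c3-ae0a-f1345e0ac3c9}\inprocserver32"
SOFTPORTAL_KEY = r"hkey_current_user\software\softportal"

def parse_reg(text):
    """Parse .reg export text into {key: {name: value}} (keys lower-cased)."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1).lower()
            entries.setdefault(key, {})
        elif key and "=" in line:
            name, _, value = line.partition("=")
            # .reg doubles backslashes inside string values; undo that.
            entries[key][name.strip('"')] = value.strip('"').replace("\\\\", "\\")
    return entries

def find_indicators(reg_text, file_paths):
    """Return the sorted list of matched indicators; an empty list means no match."""
    reg, hits = parse_reg(reg_text), []
    inproc = reg.get(CLSID_KEY, {}).get("@", "")
    if inproc.lower().endswith("soui.dll"):
        hits.append("CLSID InprocServer32 -> " + inproc)
    if SOFTPORTAL_KEY in reg:
        hits.append("HKCU\\Software\\SoftPortal present")
    for path in file_paths:
        # Drop the drive letter so C:\WINDOWS\... matches the post's paths.
        if re.sub(r"^[a-z]:", "", path.lower()) in DROPPED_FILES:
            hits.append("dropped file: " + path)
    return sorted(hits)

# Constructed sample input mirroring the registry entries quoted in the post.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4748B0B3-B964-41C3-AE0A-F1345E0AC3C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\\\SoUI.dll"
[HKEY_CURRENT_USER\Software\SoftPortal]
"BasePath"="C:\\Program Files\\SoftPortal\\"
"""
SAMPLE_FILES = [r"C:\WINDOWS\system32\head.exe", r"C:\WINDOWS\system32\notepad.exe"]

if __name__ == "__main__":
    print("\n".join(find_indicators(SAMPLE_REG, SAMPLE_FILES)) or "no indicators found")
```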

The above-mentioned files contain references to the following malicious websites (do NOT visit these sites):
http://xpsite.org/head/?wmid=3&pid=1
http://api.automaticavupdate.com/UI/v1.1/Soft/
http://api.automaticavupdate.com/UI/v1.1/

The last two links listed above redirect to www.expertantivirus.com, the home of the rogue security product ExpertAntivirus.

The trojan also adds an Add/Remove Programs entry called XP Entertainments, as shown in the screenshot below:

The following screenshot shows that SoUI.dll is injected into the address space of Explorer.exe:

This trojan prevents various antivirus and firewall products, such as ZoneAlarm, Outpost and Microsoft AntiSpyware, from running properly: these programs crash as soon as they are started. The following screenshot shows the fate of the ZoneAlarm firewall:

More information about this trojan can be found here.
