Trojan.Linkoptimizer

SUMMARY

Trojan.Linkoptimizer is a detection for a family of Trojan horse programs that use rootkit and stealth techniques to hide their presence. The Trojan may download and display pop-up advertisements.

Note: Definitions dated prior to August 25th 2006 may detect this threat as Trojan Horse.

Protection

• Virus Definitions (LiveUpdate™ Daily) August 25, 2006
• Virus Definitions (LiveUpdate™ Weekly) August 28, 2006
• Virus Definitions (Intelligent Updater) August 25, 2006
• Virus Definitions (LiveUpdate™ Plus) August 25, 2006

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 50 - 999
• Number of Sites: More than 10
• Geographical Distribution: Low
• Threat Containment: Moderate
• Removal: Difficult

Damage

• Damage Level: Medium
• Payload: Displays advertisements and attempts to download other files.
• Compromises Security Settings: Creates additional administrator users on compromised computer.

Distribution

• Distribution Level: Low

TECHNICAL DETAILS

It has been reported that Trojan.Linkoptimizer may be installed by visiting one of the following Web sites:

• [http://]gromozon.com
• [http://]cvoesdjd.com
• [http://]fgvmwyfstd8.com
• [http://]lah3bum9.com
• [http://]mufxggfi.com
• [http://]ou2dkuz71t.com
• [http://]ozkkmkdk.com
• [http://]uv97vqm3.com
• [http://]td8eau9td.com
• [http://]xearl.com

The Trojan installs itself on the compromised computer by exploiting certain vulnerabilities in Internet Explorer and Mozilla Firefox, including:

• The Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability (as described in Microsoft Security Bulletin MS04-025)
• The Microsoft Java Virtual Machine Bytecode Verifier Vulnerability (as described in Microsoft Security Bulletin MS03-011).
• The Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-006).
• The Microsoft WMF Remote Code Execution Vulnerability (as described in Microsoft Security Bulletin MS06-001).
• The Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (as described in Microsoft Security Bulletin MS06-013).
• The Microsoft Internet Explorer VML Remote Code Execution Vulnerability (as described in Microsoft Security Bulletin MS06-055).
• The Microsoft Window Explorer WebViewFolderIcon Remote Code Execution Vulnerability (as described in Microsoft Security Bulletin MS06-057).
  
  

When the Trojan is being installed, the browser may show the following prompt and ask the user to save a file with one of the following names:

• www.google.com
• www.auto.com
• www.free.com
• www.super.com
• www.pictures.com
  
  
  
  

The browser may also ask for confirmation to install the files FreeAccess.ocx or FreeToons.cab.

Once executed, Trojan.Linkoptimizer performs the following actions:

1. Checks for the presence of the virtual machine software, VMware. The threat will not run on any operating system running inside this environment.
   
   
2. Checks for the presence of debuggers or monitoring tools. The threat will not run on computers running any of the following drivers:
   
   • SICE (Numega SoftICE Debugger)
   • SIWVIDSTART (Numega SoftICE Debugger)
   • FILEMON (Sysinternals Filemon)
   • REGMON (Sysinternals Regmon)
     
     
3. Checks for the presence of other security tools by checking for the values:
   
   "ethereal"
   "commview"
   "core force"
   "processguard"
   "softice"
   "driverstudio"
   "microsoft visual c"
   "visual studio"
   
   in the registry entry:
   
   SOFTWAREMicrosoftWindowsCurrentVersionUninstall[PROGRAM NAME]"DisplayName"
   
   Note: The threat will not run on computers which contains one of the following strings inside the registry value.
   
   
4. Creates the following files:
   
   • %Temp%[RANDOM NAME]1.exe
   • %Windir%[RANDOM NAME]1.dll
     
     Notes:
   • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:Windows or C:Winnt.
   • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:WindowsTEMP (Windows 95/98/Me/XP) or C:WINNTTemp (Windows NT/2000).
     
     
5. Downloads files from the following hard coded IP addresses:
   
   
   • [http://]81.227.219.29/1/pic[REMOVED]
   • [http://]166.65.130.116/1/pic[REMOVED]
   • [http://]120.19.148.181/1/pic[REMOVED]
   • [http://]195.225.177.145/1/pic[REMOVED]
     
     
6. Tries to resolve the following domain name: shiptrop.com
   
   
7. Registers the dropped DLL as a Browser Helper Object by creating the following registry subkeys:
   
   HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorer
   Browser Helper Objects[RANDOM CLASSID]
   HKEY_CLASSES_ROOTCLSID[RANDOM CLASSID]
   
   This .dll file is responsible for displaying and/or clicking ads generated by the following remote scripts;
   
   • [http://]wscrew.com/ws[REMOVED]
   • [http://]gcwave.com/gc[REMOVED]
   • [http://]wscrew.com/common/templ[REMOVED]
   • [http://]slowl.com/wli[REMOVED]
   • [http://]slowl.com/wl[REMOVED]
   • [http://]bstuck.net/bs[REMOVED]
   • [http://]shabit.net/sh[REMOVED]
   • [http://]bstuck.net/sl[REMOVED]
     
     
8. The above .dll file may also contact the following domains:
   
   • [http://]fogcu.com
   • [http://]livingcert.com
   • [http://]chongchua.com
   • [http://]washerner.com
     
     
9. Adds the value:
   
   "AppInit_DLLs" = "[TROJAN .DLL FILE]"
   
   to the registry subkey:
   
   HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows
   
   
10. May add the value:
    
    {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
    
    to the registry subkey:
    
    HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerURLSearchHooks
    
    to hijack Internet Explorer Address bar searches.
    
    
11. May also create the following registry subkeys
    
    HKEY_LOCAL_MACHINESOFTWAREMicrosoftjkhwk
    HKEY_LOCAL_MACHINESOFTWAREMicrosoftluuld
    
    
12. Downloads and installs some additional components, which includes the Rootkit component.
    
    
13. Creates the following files:
    
    
    • %System%[RANDOM NAME]aa.dll
    • %System%[RESERVED DOS NAME].[RANDOM EXT]
    • %Windir%[RESERVED DOS NAME].[RANDOM EXT]
      
      Note: %System% is a variable that refers to the System folder. By default this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).
      
      
14. May store the above files inside the following Alternate Data Streams (ADS):
    
    
    • %System%:[RANDOM NAME]aa.dll
    • C:[RANDOM NAME]aa.dll
    • %System%:[RESERVED DOS NAME].[RANDOM EXT]
    • C:[RESERVED DOS NAME].[RANDOM EXT]
      
      Note: [RESERVED DOS NAME] can be one of the following reserved DOS device names:
      
      
    • com[NUMBER]
    • lpt[NUMBER]
    • tty
    • prn
    • nul
    • con
    • aux
      
      Where [NUMBER] is a number between 1 and 9.
      
      
15. Uses Rootkit techniques to hide its files and registry subkeys.
    
    
16. Adds a new administrator account on the compromised computer using a random user name.
    
    
17. May lower the privileges of the current logged user in order to disable the functioning of some security-related software.
    
    
18. Creates the following encrypted files associated to the new administrator account and stores them using the Windows Encrypted File System (EFS):
    
    
    • %CommonProgramFiles%System[RANDOM LETTERS].exe
    • %CommonProgramFiles%Microsoft Shared[RANDOM LETTERS].exe
    • %CommonProgramFiles%Services[RANDOM LETTERS].exe
      
      Note: %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:Program FilesCommon Files.
      
      
19. Creates a registry subkey and a system service associated with the new administrator account:
    
    HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices[RANDOM NAME]
    
    Where [RANDOM_NAME]is a string composed by mixing a substring of a legitimate service name present on the compromised machine with other random letters.
    
    Example of service names generated by the Trojan:
    
    HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSecQty
    HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWebYpz
    
    
20. Attempt to download the following file:
    
    %ProgramFiles%LinkOptimizerlinkoptimizer.dll
    
    Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:Program Files.
    
    
21. Displays advertisements.
    
    
22. May use SNMP queries to gather machine information.
    
    
23. Functions as a dialer and attempts to dial high-cost numbers if a modem is present on the compromised machine.
    
24. May prevent the execution of security and anti-rootkit programs that contain the following strings in the file description or properties:
    
    • avzantivirus
    • svv
    • avz
    • antihook
    • blacklight
    • gromozon
    • gmer
    • prevx
    • rootkit
    • sophosant-rootkit
    • rootkitrevealer
    • icesword
    • avganti-rootkit
    • rootkituncover
    • sophosanti-rootkit
    • clrav
    • avzanti-virus
      
25. Attempts to block Internet connections to domains which contain any of the following strings:
    
    • wilderssecurity.
    • castlecops.
    • suspectfile.
    • antispywareremoval.
    • pctools.
    • paretologic.
    • scan-it-clean-it.
    • trojaner-board.
    • prevx.
    • pcalsicuro.
    • 2-spyware.
    • protecus.
    • hwupgrade.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Run a full system scan.
3. Submit the files to Symantec Security Response.

For specific details on each of these steps, read the following instructions.

1. To update the virus definitions
A generic detection can often occur if the antivirus program discovers a threat, but does not have the latest definitions. In these cases, you should download the latest definitions, then run the scan again.

The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the document: Virus Definitions (Intelligent Updater). The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.

2. To scan for the infected files

1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
   • For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
   • For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
2. Run a full system scan.
3. If the files previously detected as generic are now detected as another threat, please read the threats writeup for removal instructions.
4. If the files are still detected as this generic threat, continue with the next step.

3. To submit the files to Symantec Security Response
Symantec Security Response suggests that you submit any files that are detected as generic to Symantec Security Response. For instructions on how to do this, read the following documents:

• Norton AntiVirus: How to submit a file to Symantec Security Response using Scan and Deliver
• Symantec AntiVirus Corporate Edition and Norton AntiVirus Corporate Edition: How to submit a file to Symantec Security Response using Scan and Deliver.