Swatkat's rants

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Sunday, 12 August 2007

XP Entertainments - New AV Killer Trojan

Posted on 04:27 by Unknown
XP Entertainments is probably a new variant of AvKiller trojan. As of now, only few AV's detect the malicious files.
The dropper - named U.exe - drops following files/folders:
\windows\system32\head.exe
\windows\system32\XPEntertainmentsUninstall.exe
\windows\system32\SoUI.dll
\program files\SoftPortal

Registry entries created by the trojan:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4748B0B3-B964-41C3-AE0A-F1345E0AC3C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\\\SoUI.dll"

[HKEY_CURRENT_USER\Software\SoftPortal]
"BasePath"="C:\\Program Files\\SoftPortal\\"

Above-mentioned files contain references to following malicious websites (Do NOT visit these sites):
http://xpsite.org/head/?wmid=3&pid=1
http://api.automaticavupdate.com/UI/v1.1/Soft/
http://api.automaticavupdate.com/UI/v1.1/
Last two links listed above redirect to www.expertantivirus.com, which is the home of rogue software - ExpertAntivirus.

The trojan also adds an Add/Remove Programs entry called XP Entertainments, as shown in below screen shot:


Following screen shot shows that SoUI.dll is injected into Explorer.exe's address space:


This trojan does not allow various AntiVirus and Firewall software - like ZoneAlarm, Outpost, Microsoft AntiSpyware - to run properly. These programs crash as soon as they are started! Following screen shot shows the fate of ZoneAlarm firewall:


More information about this trojan can be found here.
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Ax Video Plugin
    Ax Video Plugin is one of the latest fake codec/plugin in the block. The site http://axvideodownload.com/ uses the same old fake "Vide...
  • Spyware Guard 2008
    Spyware Guard 2008 is a new rogue application. Does that name sound familiar? Well, yes, there is a legitimate application named SpywareGuar...
  • Javacool EULAlyzer!
    Have you ever read those ultra-long EULA (End User License Agreement) pages while you are installing any software? I think no one will read ...
  • Zlob brings back fake MP3s!
    Last August, I had blogged about Zlob gang using fake MP3 download sites to push their malware (link here ). Afterwards, we started to see m...
  • Myphonegames.co.uk hacked?!
    It seems that some pages of a mobile-phone games website www.myphonegames.co.uk have been hacked to execute malicious looking Javascript. A...
  • twitcurl - C++ twitter API library
    twitcurl is an open-source pure C++ library for twitter REST APIs. Currently, it has support for most of the twitter APIs and it will be upd...
  • DomPlayer - Rogue Multimedia Player
    DomPlayer is a new rogue multimedia player on the loose. The gang behind DomPlayer is making use of fake video files (available as torrents)...
  • Some new malware - a.exe, gop.exe etc
    We have some "new" malware this time, ranging from trojans to rootkits. One of them is a trojan which detected by some of the AVs ...
  • ThinkPoint rogue antivirus
    ThinkPoint is a new addition to the long list of rogue antivirus programs. ThinkPoint uses fake codec download tricks for its distribution. ...
  • Removing Mailbot.AZ (aka Rustok.A) Rootkit
    Mailbot.AZ (also known as PE386 or Rustock.A) is a kernel mode rootkit backdoor virus. It contains only one file-its driver-and it is stored...

Categories

  • a.exe
  • Autohotkey
  • C++
  • fake mp3 downloads
  • gop.exe
  • NewMediaCodec
  • OAuth
  • Orkut hating virus
  • Privacy Protector
  • rootkit
  • SysProt AntiRootkit
  • TDSServ rootkit removal
  • twitCurl
  • twitter
  • Udefender
  • Ultimate Cleaner
  • vdo_
  • Zlob
  • Zlob rootkit

Blog Archive

  • ►  2013 (1)
    • ►  June (1)
  • ►  2010 (6)
    • ►  October (2)
    • ►  September (2)
    • ►  July (1)
    • ►  April (1)
  • ►  2009 (12)
    • ►  September (1)
    • ►  May (1)
    • ►  April (1)
    • ►  March (4)
    • ►  January (5)
  • ►  2008 (44)
    • ►  December (6)
    • ►  November (6)
    • ►  October (4)
    • ►  September (15)
    • ►  August (2)
    • ►  June (2)
    • ►  May (1)
    • ►  April (1)
    • ►  March (6)
    • ►  January (1)
  • ▼  2007 (38)
    • ►  December (1)
    • ►  November (2)
    • ►  October (9)
    • ►  September (2)
    • ▼  August (8)
      • ecard worm turns to YouTube
      • Vivacodec - Zlob's new fake codec
      • Windows system file patching by ecard rootkit
      • ecard changes its appearance and rootkit, again!
      • Fake MP3 download sites pushing Zlob malware
      • ecard.exe now becomes msdataaccess.exe
      • XP Entertainments - New AV Killer Trojan
      • Navipromo reloaded!
    • ►  July (11)
    • ►  June (3)
    • ►  March (2)
  • ►  2006 (6)
    • ►  September (1)
    • ►  August (2)
    • ►  May (1)
    • ►  February (2)
  • ►  2005 (30)
    • ►  December (2)
    • ►  November (2)
    • ►  October (4)
    • ►  September (5)
    • ►  August (11)
    • ►  July (6)
Powered by Blogger.

About Me

Unknown
View my complete profile