Trojan:Win32/Wantvi.F.dr is a trojan that displays fake alerts regarding spyware infections in order to encourage the affected user to download and install an arbitrary file. It also modifies a number of Internet and security settings, and drops and executes a copy of Trojan:Win32/Wantvi.F.
Installation
Trojan:Win32/Wantvi.F.dr runs from its existing location.
It uses a mutex of {432780427656663764673647663354632} to prevent more than one copy from running at a time.
The Trojan drops a DLL to <system folder>\users32.dat and executes it. This file is detected as Trojan:Win32/Wantvi.F.
Payload
Displays Popups; Downloads and Executes Arbitrary Files
Once installed, the trojan periodically displays the following popup message:

Should the user click on this popup, the trojan downloads a file from softcashier.com, saves it to <system folder>\winivstr.exe, and then executes this file. At the time of publication, this file was part of the TrojanDownloader:Win32/Winreanimator family.
Disables Security Center Alerts
Trojan:Win32/Wantvi.F.dr makes the following registry modifications:
Under keys:
HKLM\Software\Microsoft\Security Center\
HKCU\Software\Microsoft\Security Center\
Sets value: AntiVirusDisableNotify
With data: 1
Sets value: FirewallDisableNotify
With data: 1
Sets value: UpdatesDisableNotify
With data: 1
These settings prevent alerts from being displayed if any of the system's antivirus, firewall, or Windows Update services are disabled.
Disables Browser Helper Objects
The malware disables existing Browser Helper Objects by deleting all subkeys and values from the following registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Disables Firewall
The malware attempts to disable the Windows firewall by making the following registry modifications:
Under keys:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: 0
Modifies Internet Explorer Start and Search Pages
The malware changes Internet Explorer’s Start and Search pages by making the following registry modifications:
Under key: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Enable Browser Extensions"
With data: "yes"
Sets value: "Default_Search_URL"
With data: "http://www.google.com/ie"
Sets value: "Search Bar"
With data: "http://www.google.com/ie"
Sets value: "Search Page"
With data: "http://www.google.com"
Sets value: "Start Page"
With data: "http://www.google.com"
Under key: HKLM\Software\Microsoft\Internet Explorer\Search
Sets value: "SearchAssistant"
With data: "http://www.google.com"
Modifies Internet Security Settings
Trojan:Win32/Wantvi.F.dr makes the following registry modifications:
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\
Sets value: "1200"
With data: 0
Sets value: "1201"
With data: 0
Sets value: "1208"
With data: 0
Sets value: "1608"
With data: 0
Sets value: "1804"
With data: 1
Sets value: "2500"
With data: 3
The above changes are also replicated in the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
These have the following effects for web sites in any Internet zone:
- Allow running of ActiveX Controls and Plug-ins
- Allow Initialization and scripting of ActiveX controls not marked as safe for scripting
- Allow previously unused ActiveX controls to run without prompt
- Allow META REFRESH (enables the author of a Web page to redirect your browser to another Web page after a specified amount of time)
- Allow (with a prompt) launching of programs and files in an IFRAME.
- Disable Vista Protected Mode for Internet Explorer (see http://windowshelp.microsoft.com/Windows/en-US/Help/95211ecc-19b5-439a-b6c5-e2aefd8013031033.mspx)
It also changes proxy settings by making the following registry modifications:
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Sets value: "MigrateProxy"
With data: 1
Sets value: "ProxyEnable"
With data: 0
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Sets value: "ProxyBypass"
With data: 1
Sets value: "IntranetName"
With data: 1
Sets value: "UNCAsIntranet"
With data: 1
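As an added example, not part of the original write-up or of any Microsoft tooling, the following Python audits a regedit export (.reg text) for the Security Center, firewall and Internet zone values listed above. The export it checks is constructed for illustration; on a real host you would feed it the output of `reg export` for the relevant hives.

```python
"""Audit a regedit export (.reg text) for the registry changes listed for
Trojan:Win32/Wantvi.F.dr. Added example; the export at the bottom is constructed."""
import re

# Value/data pairs from the write-up; the same zone values go to zones 0-4.
NOTIFY = {"AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1, "UpdatesDisableNotify": 1}
ZONE = {"1200": 0, "1201": 0, "1208": 0, "1608": 0, "1804": 1, "2500": 3}
FW = {"EnableFirewall": 0}
SUSPECT = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": NOTIFY,
    r"HKEY_CURRENT_USER\Software\Microsoft\Security Center": NOTIFY,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile": FW,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile": FW,
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile": FW,
}
SUSPECT.update({r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d" % z: ZONE
                for z in range(5)})

KEY_RE = re.compile(r"^\[(.+?)\]\s*$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')

def parse_reg(text):
    """Return {key_path_lowercase: {value_name: int}}, DWORD values only."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:                                   # start of a [key] section
            current = m.group(1).lower().rstrip("\\")
            keys.setdefault(current, {})
        elif current is not None and (m := DWORD_RE.match(line)):
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def find_indicators(text):
    """Sorted (key, value, data) triples holding exactly the data the trojan writes."""
    parsed = parse_reg(text)
    return sorted((key, name, data) for key, wanted in SUSPECT.items()
                  for name, data in wanted.items()
                  if parsed.get(key.lower(), {}).get(name) == data)

# Constructed export: one notify value matching and one not, a disabled
# firewall policy, and a zone 3 entry that turns off Protected Mode (2500 = 3).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003
"""
```

Calling `find_indicators(SAMPLE_REG)` returns the three matching (key, value, data) triples; only exact matches on the data the trojan writes are reported, so a legitimately configured host with other values produces no hits.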
Analysis by David Wood