SHA1 8268508e964e02eec1bf45c5cce5bf988d44a9e3
The Trojan is distributed by Trojan.LoadMoney.336. It is built with the following libraries:
- OpenSSL (1.0.1j),
- jsoncpp (most likely an outdated version),
- the C++ standard library (std).
Its internal name is “start_page” (version 3.12).
The Trojan has a single purpose: to replace the browser home page. It does so only when the home page to set is supplied as a command-line parameter.
Once launched, the malicious program checks its command-line parameters. If no command line is supplied, it reads the parameters from the %myfile%:args and %myfile%.args files, where %myfile% is the path of the Trojan's own executable; %myfile%:args is an NTFS alternate data stream attached to that executable, and %myfile%.args is an ordinary file placed next to it. If a command line is supplied, the Trojan saves it to those same two files.
Once the command line is parsed, Trojan.LoadMoney.919 registers itself under a random value name in the HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce registry branch (Windows deletes a RunOnce value after executing it once) and deletes the %myfile%:Zone.Identifier stream, the Mark-of-the-Web that Windows uses to flag a file as downloaded from the Internet. The next time the Trojan is launched, it reads all the parameters it needs from those files.
The malicious program can receive the following command-line parameters:
- spec—encrypted host list;
- url—link to be saved in the browser settings as a replacement for the current home page; it looks like http://***ru/?utm_content=****&utm_source=startpm&utm_term=$__MID, where $__MID is the computer ID (stored as the “Start Page” value under HKCU\Software\Start Page);
- sha256—parameter hash that the Trojan checks while operating;
- install_url (optional);
- delay (optional);
- nowait (optional);
- nodelete (optional).
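The indicators in the description above (the `:args` alternate data stream and `.args` sidecar file, the missing Zone.Identifier stream, the randomly named HKCU RunOnce value, and the startpm home-page URL carrying the machine ID) can be checked offline from artefacts an analyst already collects. The following triage helpers are an added example, not Dr.Web's code or the Trojan's: they parse a `dir /r` listing for alternate data streams, flag RunOnce values whose name looks randomly generated and whose command points into a user-writable path (a heuristic, with the thresholds chosen here), and recognise the startpm URL pattern. The listings, registry entries and URLs in the block are constructed sample input; the host name in the URL is a placeholder, since the page redacts it. On a live Windows host the RunOnce entries can be collected with `collect_runonce()`; elsewhere it returns an empty dict.

```python
"""Offline triage helpers for the Trojan.LoadMoney.919 indicators (added example)."""
import math
import re
import sys
from typing import Dict, List, Optional, Tuple

RUNONCE_PATH = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Home-page URL marker from the description: utm_source=startpm, utm_term=<machine ID>.
STARTPM_RE = re.compile(r"[?&]utm_source=startpm(?:&|$)")
UTM_TERM_RE = re.compile(r"[?&]utm_term=([^&]+)")

# `dir /r` prints each alternate data stream as:  <size> <file>:<stream>:$DATA
ADS_LINE_RE = re.compile(r"^\s*[\d,]+\s+(?P<file>.+?):(?P<stream>[^:]+):\$DATA\s*$")


def is_startpm_homepage(url: str) -> bool:
    """True if a browser home-page URL carries the startpm utm_source marker."""
    return bool(STARTPM_RE.search(url))


def machine_id_from_url(url: str) -> Optional[str]:
    """Extract the utm_term value, which the description says is the computer ID."""
    m = UTM_TERM_RE.search(url)
    return m.group(1) if m else None


def alternate_streams(dir_r_output: str) -> List[Tuple[str, str]]:
    """Return (file, stream) pairs for every ADS listed by `dir /r`."""
    found = []
    for line in dir_r_output.splitlines():
        m = ADS_LINE_RE.match(line)
        if m:
            found.append((m.group("file"), m.group("stream")))
    return found


def suspicious_streams(dir_r_output: str) -> List[Tuple[str, str]]:
    """Streams other than Zone.Identifier; an `args` stream on an executable is the indicator here."""
    return [(f, s) for f, s in alternate_streams(dir_r_output) if s != "Zone.Identifier"]


def has_zone_identifier(dir_r_output: str, filename: str) -> bool:
    """Whether the Mark-of-the-Web stream is still present on `filename` (the Trojan deletes its own)."""
    return (filename, "Zone.Identifier") in alternate_streams(dir_r_output)


def shannon_entropy(s: str) -> float:
    """Bits per character; random value names score higher than dictionary-like ones."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


USER_WRITABLE_RE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads)\\)|(%(temp|tmp|appdata|localappdata|userprofile)%)",
    re.IGNORECASE,
)


def suspicious_runonce(entries: Dict[str, str]) -> List[str]:
    """Heuristic: random-looking value name (>= 8 chars, entropy >= 2.9 bits) AND a user-writable target."""
    flagged = []
    for name, command in entries.items():
        if len(name) >= 8 and shannon_entropy(name) >= 2.9 and USER_WRITABLE_RE.search(command):
            flagged.append(name)
    return flagged


def collect_runonce() -> Dict[str, str]:
    """Read HKCU RunOnce on a live Windows host; returns {} on other platforms or if the key is absent."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module

    entries: Dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNONCE_PATH) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                entries[name] = str(data)
                i += 1
    except OSError:
        pass
    return entries


# Constructed sample data (not captured from a real infection).
DIR_R_BEFORE_RUN = """\
 Directory of C:\\Users\\victim\\Downloads

09.12.2014  12:34    <DIR>          .
09.12.2014  12:34    <DIR>          ..
09.12.2014  12:31           412,160 start_page.exe
                                 26 start_page.exe:Zone.Identifier:$DATA
                                138 start_page.exe:args:$DATA
09.12.2014  12:31               138 start_page.exe.args
"""
# Same directory after the Trojan has deleted its own Zone.Identifier stream.
DIR_R_AFTER_RUN = DIR_R_BEFORE_RUN.replace(
    "                                 26 start_page.exe:Zone.Identifier:$DATA\n", ""
)
SAMPLE_RUNONCE = {
    "a8f3kq2z9d": r"C:\Users\victim\AppData\Local\Temp\start_page.exe",
    "OneDriveSetup": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
}
SAMPLE_HOMEPAGE = "http://example.invalid/?utm_content=abcd&utm_source=startpm&utm_term=12345"

if __name__ == "__main__":
    print("ADS of interest:", suspicious_streams(DIR_R_BEFORE_RUN))
    print("MotW present after run:", has_zone_identifier(DIR_R_AFTER_RUN, "start_page.exe"))
    print("Suspicious RunOnce values:", suspicious_runonce(collect_runonce() or SAMPLE_RUNONCE))
    print("Home page is startpm:", is_startpm_homepage(SAMPLE_HOMEPAGE), machine_id_from_url(SAMPLE_HOMEPAGE))
```

The RunOnce heuristic deliberately requires both conditions: legitimate value names such as SecurityHealth also score high on entropy, so the name alone is not a signal, while the combination of a random name and a command under AppData, Downloads or a temp directory is. Because Windows removes a RunOnce value once it has run, the absence of the value on a host is not evidence that the Trojan never executed; the `:args` stream, the `.args` sidecar and the home-page URL are the durable artefacts.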