A multicomponent rootkit Trojan that, among other distribution methods, exploits the CVE-2012-4681 vulnerability in Java. The dropper is equipped with anti-debugging features.
Once it penetrates a computer, the dropper saves the Trojan's core module to %TEMP% under a file name matching the %s-%u.exe mask. For example, the module can be saved as 5aAAA-9.exe, where the name starts with a random string of 4 to 8 characters (%s) followed by the Trojan's ID (%u), which is also used in the search queries the malware generates.
If the Trojan has sufficient privileges, it infects the %systemroot%\system32\drivers\fastfat.sys driver to conceal the presence of the core module in the system. To acquire elevated privileges, the malware exploits OS vulnerabilities. The Trojan disables UAC in both 32-bit and 64-bit versions of Windows. It can also change Firefox and Internet Explorer settings. For the latter, the Trojan installs an additional search plug-in (search.xml) in the \searchplugins\ folder and modifies the default search engine settings in prefs.js. As a result, all search queries sent from the infected system look as follows: http://findgala.com/?&uid=%d&q={search query}, where %d stands for the Trojan's unique identifier.
The malicious program modifies %systemroot%\system32\drivers\etc\hosts as follows:
- 64.27.10.42 www.google-analytics.com
- 64.27.10.42 ad-emea.doubleclick.net
- 64.27.10.42 www.statcounter.com
- 108.163.215.51 www.google-analytics.com
- 108.163.215.51 ad-emea.doubleclick.net
- 108.163.215.51 www.statcounter.com
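The two host-side traces described above (the hosts-file redirections and the findgala.com search URL in prefs.js) can be checked for with a small scan. The following is an added example written for this page, not code from the write-up or from any vendor tool; the sample hosts file and prefs.js line are constructed, and the pref name "keyword.URL" is an assumption (only the URL format comes from the description).

```python
import ipaddress
import re

# Constructed sample hosts file; the three mappings are the ones listed above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
64.27.10.42     www.google-analytics.com
64.27.10.42     ad-emea.doubleclick.net
108.163.215.51  www.statcounter.com
"""

# Third-party domains the write-up says get redirected. A clean hosts file pins
# these, if at all, to loopback (ad blocking), never to a routable address.
WATCHED_DOMAINS = {"www.google-analytics.com", "ad-emea.doubleclick.net",
                   "www.statcounter.com"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: skip it rather than abort the scan
        for host in parts[1:]:
            yield ip, host.lower()


def suspicious_hosts_entries(text, watched=WATCHED_DOMAINS):
    """Return [(ip, host)] where a watched domain is mapped to a routable address."""
    return [(str(ip), host) for ip, host in parse_hosts(text)
            if host in watched
            and not (ip.is_loopback or ip.is_private or ip.is_unspecified)]


# Constructed prefs.js line carrying the hijacked search URL in the format quoted
# above; the pref name is assumed, only the URL shape comes from the write-up.
SAMPLE_PREFS = 'user_pref("keyword.URL", "http://findgala.com/?&uid=4177&q=");\n'
HIJACK_RE = re.compile(r"https?://findgala\.com/\?&uid=(\d+)&q=")


def search_hijack_uid(prefs_text):
    """Return the Trojan ID embedded in a findgala.com search URL, else None."""
    m = HIJACK_RE.search(prefs_text)
    return int(m.group(1)) if m else None
```

Running both checks over a live system's hosts file and each Firefox profile's prefs.js gives the Trojan ID (%d above) if present, which is also the number to look for in the %s-%u.exe file name in %TEMP%.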
The core module serves the purpose of intercepting traffic on the compromised computer.