Malicious Code Alert

Trojan: Ozdok/Mega-D

Threat Type: IntelliShield: Malicious Code Alert
IntelliShield ID: 18233
Version: 1
First Published: 2009 May 22 19:23 GMT
Last Published: 2009 May 22 19:23 GMT
Port: Not available
Urgency: Possible use
Credibility: Highly Credible
Severity: Mild Damage
Related Resources: View related IPS Signature

Version Summary:

Trojan.Ozdok is a trojan that sends spam e-mail messages from infected systems. Virus definitions are available.

Aliases/Variants

Variants are not available.

Virus Name:

Trojan.Ozdok

Description

Trojan.Ozdok is a trojan that has no means of self-propagation and attempts to send spam e-mail messages from an infected system. Systems infected by Trojan.Ozdok could become part of a large spam network called the Mega-D botnet.

Trojan.Ozdok may arrive as one of the following files.

icf.exe
icf32.exe
cacglivn.exe
guyymgvl.exe
mm27nov.exe

When executed, the trojan installs and hides itself as an NTFS alternate data stream (ADS) attached to svchost.exe in the Windows system directory, with a name similar to the following:

%Windir%\system32\svchost.exe:exe.exe

Alternate data streams are not shown by Explorer or by a plain dir listing, so the stream is easy to miss; dir /R (Windows Vista and later) or a dedicated stream-listing tool is needed to see it.

The trojan creates a system service named ICF so that the malicious code runs at system startup, and modifies the Windows Firewall policy so that the malicious svchost.exe process is allowed to communicate.

The trojan attempts to connect to the following remote websites in order to download updates or e-mail lists:

  • uikkl.info
  • rixosspa.info
  • micralokp.biz
  • yankdream.info
  • blagoinc.info
  • aaauaa.info

The trojan then begins sending spam e-mail messages to recipients.


Impact

Trojan.Ozdok sends mass e-mail messages from an infected computer, which could consume system and network resources and spread additional malicious software.


Warning Indicators

The existence of the following files may indicate an infection:

icf.exe
icf32.exe
cacglivn.exe
guyymgvl.exe
mm27nov.exe

The presence of a system service called ICF may also indicate an infection.

Messages sent by, or carrying, the malicious code could contain the following text:

the best user-generated videos during 2006 in

Hello, Friends!

Giving and getting gifts is an absolute requisite of the holiday style.
Giving is more important than getting, so gratify your folks by buying
replicas of fashionable designer accesories for them!

Hurry up! The supply of these awesome goods is decreasing!


Technical Information

The trojan adds the following registry values so that the Windows Firewall (the Windows XP SP2 / Server 2003 firewall, whose authorized-application lists for the domain and standard profiles live under these keys) does not block its communication:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\List\"%System%\svchost.exe" =
"%System%\svchost.exe:*:Enabled:svchost"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\svchost.exe" =
"%System%\svchost.exe:*:Enabled:svchost"

A legitimate svchost.exe does not normally appear in these lists, so its presence there is itself an indicator.

Upon execution, the trojan injects malicious code into a new svchost.exe process. It then attempts to connect to the Mega-D botnet command-and-control servers via the following websites:

  • uikkl.info
  • rixosspa.info
  • micralokp.biz
  • yankdream.info
  • blagoinc.info
  • aaauaa.info


Communication with the command-and-control servers occurs over TCP port 80; however, the HTTP protocol is not used. Instead, the trojan encrypts the channel with a non-standard, proprietary algorithm, so although it uses the web port, the traffic does not look like web browsing to a protocol-aware proxy or intrusion detection system.

Once the encrypted connection on port 80 is established, the trojan attempts to send a test e-mail message on TCP port 25 to one of the command-and-control servers.

If the test succeeds, the trojan downloads a spam template through the encrypted channel on port 80 and sends spam e-mail messages to a list of e-mail addresses obtained from the command-and-control servers.
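The host-side indicators listed under Warning Indicators and Technical Information (the dropper file names, the ICF service, the alternate data stream on svchost.exe, the firewall exceptions, and the command-and-control domains) can be checked in one pass on a suspect machine. The following PowerShell triage script is an added example for this page; it is not Cisco or Symantec tooling and not part of the original alert. It is read-only, reports findings without removing anything, and assumes PowerShell 3.0 or later (for Get-Item -Stream) run as Administrator; the drop-location search paths are an assumption, since the alert names the files but not their directories, and the DNS cache check is an extra step that only runs where Get-DnsClientCache exists (Windows 8 / Server 2012 and later).

```powershell
# Added triage script for the Trojan.Ozdok / Mega-D indicators in this alert.
# Example code written for this page, not Cisco/Symantec tooling. Read-only:
# it reports findings and removes nothing. Run as Administrator on the suspect host.
# Assumes PowerShell 3.0+ (Get-Item -Stream). Indicator values are taken from the alert.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropper file names from the alert, searched in common drop locations
#    (the alert lists the names, not the directories; these paths are an assumption).
$iocFiles    = 'icf.exe','icf32.exe','cacglivn.exe','guyymgvl.exe','mm27nov.exe'
$searchRoots = @($env:SystemRoot, "$env:SystemRoot\System32", $env:TEMP, $env:USERPROFILE)
foreach ($root in $searchRoots) {
    foreach ($name in $iocFiles) {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
    }
}

# 2. Service named ICF (the persistence mechanism described in the alert).
$svc = Get-Service -Name 'ICF' -ErrorAction SilentlyContinue
if ($svc) {
    $img = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\ICF' `
            -ErrorAction SilentlyContinue).ImagePath
    $findings.Add("Service ICF exists (status $($svc.Status), ImagePath: $img)")
}

# 3. Alternate data streams on svchost.exe. A clean svchost.exe carries only the
#    unnamed ':$DATA' stream (a 'Zone.Identifier' stream would also be benign).
$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
$streams = Get-Item -LiteralPath $svchost -Stream * -ErrorAction SilentlyContinue |
           Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
foreach ($s in $streams) {
    $findings.Add("Unexpected ADS on svchost.exe: ${svchost}:$($s.Stream) ($($s.Length) bytes)")
}

# 4. Windows Firewall (XP/2003) authorized-application entries for svchost.exe,
#    under the policy keys quoted in the alert. svchost.exe is normally not listed here.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($fwProfile in 'DomainProfile','StandardProfile') {
    $key = "$fwBase\$fwProfile\AuthorizedApplications\List"
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($valueName in $props.PSObject.Properties.Name) {
            if ($valueName -match 'svchost\.exe$') {
                $findings.Add("Firewall exception in $fwProfile for $valueName = $($props.$valueName)")
            }
        }
    }
}

# 5. Command-and-control / update domains from the alert still in the DNS client
#    cache. Get-DnsClientCache needs Windows 8 / Server 2012 or later; skipped elsewhere.
$iocDomains = 'uikkl.info','rixosspa.info','micralokp.biz','yankdream.info','blagoinc.info','aaauaa.info'
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $cached = Get-DnsClientCache | Where-Object { $iocDomains -contains $_.Entry.ToLower() }
    foreach ($c in $cached) {
        $findings.Add("DNS cache entry for C2 domain: $($c.Entry) -> $($c.Data)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Trojan.Ozdok indicators from the alert were found on $env:COMPUTERNAME."
} else {
    Write-Output "Possible Trojan.Ozdok / Mega-D indicators on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on any single check is worth a closer look, but the combination of an ICF service, a named stream on svchost.exe, and an svchost.exe firewall exception matches the alert's description closely. Because the trojan injects into a new svchost.exe process, a process listing alone will not distinguish it from the many legitimate svchost.exe instances; the service, stream, and firewall entries are the durable artifacts to check.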


IntelliShield Analysis

Trojan.Ozdok uses infected systems to send spam e-mail messages on behalf of an attacker. Because the trojan can also download additional software and configuration from the command-and-control servers, the operator can reconfigure the trojan or repurpose the infected system for other tasks.

Rule-based and application-based firewalls are likely to prevent or limit the impact of this trojan. Rule-based firewalls are typically set up by an administrator for an entire network and are often configured to block all traffic entering and exiting the network except on the ports needed for production. Application-based firewalls are usually found on client systems and can be configured to allow only specific services and processes to reach the Internet or the local network, prompting the user each time a new process or service attempts to do so. Both types may prevent the malicious code from downloading updates or additional files, from contacting the attacker's servers, and from accessing local network resources. Two controls are particularly relevant to this trojan: because its port 80 traffic is not HTTP, forcing outbound port 80 through an HTTP proxy breaks the command-and-control channel; and restricting outbound TCP port 25 to the organization's mail relays stops the spam stage even on a host that is already infected. Note that the trojan adds its own exception to the Windows Firewall on the infected host, so the host firewall cannot be relied on once the code has executed.

Most host intrusion detection/prevention software can be configured to warn users when suspicious activity occurs on their systems and to block this trojan's infection routines, such as creating the ICF service, writing an alternate data stream under the system directory, or modifying the firewall policy. This software may also prompt the user when suspicious activity occurs, and users can often choose whether to allow or deny the activity in question. These factors will limit the infection rate and impact on most systems.

Security best practices dictate that administrators restrict file formats commonly associated with malicious code from entering the corporate network. User education focused on avoiding malicious code attacks and on responding in the case of infection is of equal importance.


Safeguards

Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.

Block all file attachments except those specifically required for business purposes.

Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan all files and provide full-time or auto-protect functions. Configure antivirus products to scan three levels deep on compressed files.

Configure auto-update features to update daily or manually update antivirus signatures. Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.

Conservatively configure mail perimeter servers, routers, firewalls, and personal computers. Disable all unnecessary products, features, and sharing. Install all security-relevant patches and upgrades as available.

Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations only.

Establish supplemental protection for remote and mobile users. Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.

Provide initial and continuing education to all levels of users throughout the organization.

Users are advised not to open e-mail messages from untrusted sources. Users are advised to verify the authenticity of unexpected files from trusted sources.

Users are advised to use caution when downloading and installing software.


Patches/Software

The Symantec Security Response write-up for Trojan.Ozdok is available at the following link: Security Response. The latest protection, included in the virus definitions for Intelligent Updater and for LiveUpdate, is available at the following link: Symantec


Signatures

Cisco Intrusion Prevention System (IPS) 6.0

Signature ID   Signature Name   Release   Latest Release Date
16753/0        Mega-D           S414      2009 Jul 14

Alert History

Initial Release



Product Sets

This alert applies to the following combinations of products.

Primary Products:
IntelliShield Malicious Code Alert Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.