Trojan.PWS.Panda.2395 distributed via peer to peer network

"Doctor Web": Trojan.PWS.Panda.2395 distributed via peer to peer network

The company "Doctor Web" informs users of the distribution through peer to peer networks Trojan.PWS.Panda.2395 several malicious programs that use a very interesting mechanism to infect computers.

These programs are capable of massive DDoS-attacks and send spam.

Infection of the victim's computer by using the widespread Trojan Trojan.PWS.Panda.2395. In the first stage of infection by Trojan-supported peer to peer network to a PC victims downloaded the executable file that is encrypted malicious module. After successfully decrypt it launches another module that reads the image in computer memory or other malicious applications detected by Dr.Web anti-virus software as one of the members of the family Trojan.DownLoader.

The program is saved to a user account as an executable file with a random name, and then modifies the registry Windows, to give yourself the ability to automatically run along with the operating system loads.


A very interesting algorithm used by the Trojan to download the infected computer other malware. In the body of this modification has Trojan.DownLoader encrypted list of domain names to which the loader so requests over HTTPS. In response, the Trojan gets the main web pages are on the Website and parses its HTML-structure in the search for the tag to insert a picture <img src="data:image/jpeg;base64…>. The argument of the tag such web pages contain encrypted malicious file, which is extracted from html-document, decrypted, and depending on the command received or trying to fit into a pre-launched the Trojan process svchost.exe, or saved to a temporary folder. addition, directly from the body of the loader decrypted DDoS-module and a list of addresses for next attack, then the image of this malware is configured directly in its process.

After successfully downloading the DDoS-module generates up to eight independent threads that begins continuously sending POST-requests to the server from a stored list of Trojan downloader, and trying to connect with a number of servers via SMTP, and then sends them to the random data. Total list contains 200 selected as a target for DDoS-attack sites, some of which are known resources such as a portal love.com, owned corporation America On-Line, sites of several major U.S. universities, as well as portals msn.com, netscape.com and others.

But this functional Trojan downloader is not restricted. From the list of domains for DDoS-attacks it with a special algorithm selects one and sends it HTTP-request and receive in return a Web page. Among the contents of the website Trojan also attempts to find the tag to insert a picture img src = "data: image ..., as the argument is an array of recorded data that was encrypted using the algorithm base-64.

After decoding extracted from web pages are converted into data file disguised as an image format JPEG. This file also keeps a container whose contents are compressed with gzip. Finally, the archive is extracted malware BackDoor.Bulknet.739, which is a backdoor Trojan which has functionality for mass spamming.

The signatures of all these malicious programs added to the Dr.Web virus database and therefore do not constitute a danger to users of antivirus products "Doctor Web".