Win32.Sced.C (Ca.com)

Description Published: September 2, 2004
Description Modified: September 2, 2004

Characteristics

Category: Win32
Also known as: Downloader-MB (McAfee),
Win32/Sced.A.Trojan, TrojanDownloader.Win32.Small.rk (Kaspersky)

Description

Win32.Sced.C is a configurable trojans that interferes with Internet Explorer. It has been distributed as a 36,376-byte, UPX-packed, Win32 executable.

Method of Infection

When executed, Win32.Sced.C copies itself to %System%mcc.exe and creates the following registry value so that it runs on Windows start:

HKLMSoftwareMicrosoftWindowsCurrentVersionRunMultimedia Codecs = ˝%System%mcc.exe˝

Note: ´%System%´ is a variable location. The trojan determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:WinntSystem32; for 95,98 and ME is C:WindowsSystem; and for XP is C:WindowsSystem32.

Sced.C also registers itself as a service process.

Payload

Sced.C initially contacts a site on the 3uz.net domain and downloads a configuration file
to %Temp%links.tmp. It copies information from this file to the registry (see Additional Information section below).

The trojan searches for open Internet Explorer windows. If found, the trojan opens up other windows linking to porn sites. The trojan can also be instructed to download and execute new versions of itself.

The configuration file specifies the following:

- which file to download
- which sites to browse to
- the delay between new windows being opened
- how to open each link (new window, in current window, etc)

Additional Information

Sced.C creates the following registry key and values to store its configuration details:

HKCUSoftwareMedia Codecs
HKCUSoftwareMedia CodecsTotal
HKCUSoftwareMedia CodecsDelay
HKCUSoftwareMedia CodecsRun
HKCUSoftwareMedia CodecsLastIndex
HKCUSoftwareMedia CodecsStartTime
HKCUSoftwareMedia CodecsLink
HKCUSoftwareMedia CodecsGoType

Analysis by Matthew McCormack