Description Published: August 30, 2004
Description Modified: August 31, 2004
Category: Win32
Also known as: Win32/ChangeSecure.Trojan
Description
Win32.Secdrop.D is a trojan that is used to lower security settings in Internet Explorer by modifying the registry in order to download and install adware and related applications.
Payload
Modifies System Security Settings
When executed, Secdrop.D tries to lower the security settings for each security zone by altering the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1004 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1004 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1201 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1004 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1201 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A04 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1004 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1201 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1606 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1607 = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = 0
Note: All of these keys can be restored by reverting to the default security levels in Internet Explorer. In order to reset your Internet Security settings in Internet Explorer:
1. Select Tools | Internet Options and then the Security tab of the dialog that appears
2. Ensure that the Internet icon is highlighted and then click the Default Level button
3. Click Apply and then OK.
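A triage check for the registry changes listed above, added here as an example and not part of the original description: it scans the decoded text of a `reg export` of the Internet Settings key and reports which of the listed values are set to 0. The function name, the sample export and the reading of the zone subkeys as 0 through 4 are assumptions of this example.

```python
import re

BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Values the description lists as set to 0, keyed by subkey under BASE.
WATCHED = {
    r"Zones\0": {"1004", "1201"},
    r"Zones\1": {"1004", "1201"},
    r"Zones\2": {"1004", "1201"},
    r"Zones\3": {"1004", "1201", "1406", "1A04"},
    r"Zones\4": {"1001", "1004", "1200", "1201", "1400", "1606", "1607"},
    r"ZoneMap\ProtocolDefaults": {"HTTP"},
}
# Registry key and value names are case-insensitive, so compare normalised forms.
WATCHED_CI = {k.lower(): v for k, v in WATCHED.items()}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample export (real exports are UTF-16; decode before passing in).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000000
"1201"=dword:00000003
"1406"=dword:00000000
"2000"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"""

def find_lowered(reg_text):
    """Return sorted (subkey, value) pairs from WATCHED whose DWORD data is 0."""
    hits, subkey = set(), None
    prefix = BASE.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:  # new section: remember its path relative to BASE, if under it
            path = key.group(1).lower()
            subkey = path[len(prefix):] if path.startswith(prefix) else None
            continue
        val = DWORD_RE.match(line)
        if val and subkey in WATCHED_CI:
            name = val.group(1).upper()
            if name in WATCHED_CI[subkey] and int(val.group(2), 16) == 0:
                hits.add((subkey, name))
    return sorted(hits)
```

A value of 0 that is not on the list (such as `2000` in the sample) is ignored, so the result reflects only the settings this description names.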
Finally, Secdrop.D opens a URL which attempts to download and install an array of pornography site toolbars, tracking cookies, etc. Please note, however, that this could change if the data on the remote web server is updated.
Analysis by Paul Taylor
More information on CA Virus Information Center:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40046