Win32/Horst is a collection of discrete trojan components, each performing a separate task. The initial downloading component may be distributed passively via the eMule/eDonkey peer-to-peer network. It downloads and installs a second downloader component, which in turn installs the other functional components of the Horst family. Many of the Horst components are associated with sending spam.
Installation
While functionally similar, the actual installation details of related variants of the Horst family may differ. The following installation example is fairly typical.
TrojanDownloader:Win32/Horst.I may be offered with a filename that suggests it is a software crack (for example “PDFIn PDF to DWG Converter 2008 crack0.exe”). When a user downloads and executes this file, the trojan injects itself into the ‘svchost.exe’ process and then downloads a file to %TEMP%\s[num]wt.exe (where [num] is a numeric string, for example 's2350wt.exe'). This downloaded file is the main downloading component and is detected as TrojanDownloader:Win32/Horst.H.
When Horst.H is executed, it copies itself to “%windir%\system\smvss.exe” and injects itself into the svchost.exe process. The registry is then modified so that this component is executed at each Windows start (note the leading space in the value name " devenv", which is part of the name):
Adds value: " devenv"
With data: "%windir%\system\smvss.exe /w"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Once installed, this main component is used to download and install additional components that perform different functions. These functions may include registering e-mail accounts with providers such as Google, AOL and Hotmail, sending spam and spreading via the eDonkey/eMule P2P networks (see below for additional detail). Additional components are downloaded to, and executed from, the %TEMP% directory.
Spreads Via…
eDonkey/eMule P2P File Sharing Networks
One discrete Horst component is used to distribute the initial trojan downloader by offering it for download via the eDonkey/eMule P2P file sharing networks. The downloader may be offered under the guise of a software crack or key generator. For example, in the wild, the following filenames have been used for this component:
- “PDFIn PDF to DWG Converter 2008 crack0.exe”
- “DAEMON Tools 4.12 serial0 keygen0.exe”
- “Norton Ghost 14 serial0 keygen0.exe”
Horst components may use the following eDonkey servers:
77.247.178.244
77.247.178.245
87.230.83.44
89.248.174.84
193.138.205.25
193.138.221.210
193.138.221.213
193.138.221.214
Payload
Sends Spam
Horst tries to send spam through accounts at free online e-mail providers (see the Installation section above, which describes components that register such accounts). The content of such spam is typically associated with online pharmacies.
Additional Information
Horst components may contact the following domains during their operations:
stat-run.com
hasteman.com
tateterop.com
upseek.org
statadd.com
zablen.com
medbod.com
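The host and network indicators in this write-up (the " devenv" Run value and smvss.exe path from the Installation section, the %TEMP% drop s[num]wt.exe, the P2P lure filenames, the eDonkey server addresses and the domains listed above) can be swept for in one pass over artifacts collected from a suspect machine. The following is an added example, not code from Microsoft or from the analysis; it does not touch a live system but takes already-collected artifacts (exported Run-key values, a file listing, DNS queries and connection records) and returns the Horst indicators they match. The lure-filename regex generalises from the three names on this page and is an assumption, as are the constructed sample artifacts at the bottom.

```python
"""Offline IOC sweep for the Win32/Horst indicators in this write-up.

Added example, not Microsoft's or the analyst's code.  Feed it artifacts
already collected from a host; it returns the Horst indicators they match.
"""
import re
from dataclasses import dataclass

# Registry persistence: value " devenv" (the leading space is part of the
# name) under the Run key, data "%windir%\system\smvss.exe /w".
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = " devenv"
# Accept the literal %windir% form or an expanded path such as
# C:\Windows\system\smvss.exe; the "/w" switch is optional in the match.
RUN_DATA_RE = re.compile(r"(?i)\\system\\smvss\.exe(?:\s+/w)?\s*$")

# File artifacts: the installed downloader and the %TEMP% drop s[num]wt.exe.
INSTALLED_RE = re.compile(r"(?i)\\system\\smvss\.exe$")
TEMP_DROP_RE = re.compile(r"(?i)(?:^|\\)s\d+wt\.exe$")

# P2P lure names: the observed samples end in "crack0.exe" or
# "serial0 keygen0.exe", i.e. a crack/serial/keygen token with a digit
# suffix.  Heuristic generalised from the three names on the page (assumption).
LURE_RE = re.compile(r"(?i)\b(?:crack|serial|keygen)\d\b.*\.exe$")

DOMAINS = {
    "stat-run.com", "hasteman.com", "tateterop.com", "upseek.org",
    "statadd.com", "zablen.com", "medbod.com",
}
EDONKEY_SERVERS = {
    "77.247.178.244", "77.247.178.245", "87.230.83.44", "89.248.174.84",
    "193.138.205.25", "193.138.221.210", "193.138.221.213", "193.138.221.214",
}


@dataclass(frozen=True)
class Finding:
    indicator: str
    evidence: str


def domain_matches(name: str) -> bool:
    """True if name is a listed domain or any subdomain of one."""
    name = name.lower().rstrip(".")          # tolerate a trailing FQDN dot
    return any(name == d or name.endswith("." + d) for d in DOMAINS)


def sweep(run_values, files, dns_queries, connections):
    """Return every Horst indicator found in the supplied artifacts.

    run_values:  iterable of (value_name, value_data) exported from RUN_KEY
    files:       iterable of full paths from a file listing
    dns_queries: iterable of queried host names
    connections: iterable of "ip:port" strings from connection logs
    """
    findings = []
    for name, data in run_values:
        # Compare the value name exactly.  A tool that trims whitespace turns
        # " devenv" into "devenv" and misses it, so do not normalise here.
        if name == RUN_VALUE_NAME or RUN_DATA_RE.search(data):
            findings.append(Finding("run-key persistence",
                                    f"{RUN_KEY}\\{name!r} = {data}"))
    for path in files:
        basename = path.rsplit("\\", 1)[-1]
        if INSTALLED_RE.search(path):
            findings.append(Finding("installed downloader smvss.exe", path))
        elif TEMP_DROP_RE.search(path):
            findings.append(Finding("%TEMP% drop s[num]wt.exe", path))
        elif LURE_RE.search(basename):
            findings.append(Finding("P2P lure filename", path))
    for query in dns_queries:
        if domain_matches(query):
            findings.append(Finding("Horst domain", query))
    for conn in connections:
        if conn.split(":")[0] in EDONKEY_SERVERS:
            findings.append(Finding("Horst eDonkey server", conn))
    return findings


# Constructed sample artifacts (not from a real incident), mixing Horst
# indicators with benign entries so the sweep has something to ignore.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (" devenv", r"%windir%\system\smvss.exe /w"),
]
SAMPLE_FILES = [
    r"C:\Windows\system\smvss.exe",
    r"C:\Users\analyst\AppData\Local\Temp\s2350wt.exe",
    r"C:\Users\analyst\Downloads\PDFIn PDF to DWG Converter 2008 crack0.exe",
    r"C:\Windows\System32\svchost.exe",
]
SAMPLE_DNS = ["www.stat-run.com", "update.microsoft.com", "medbod.com."]
SAMPLE_CONNECTIONS = ["77.247.178.244:4661", "13.107.21.200:443"]

if __name__ == "__main__":
    for f in sweep(SAMPLE_RUN_VALUES, SAMPLE_FILES, SAMPLE_DNS, SAMPLE_CONNECTIONS):
        print(f"{f.indicator:32} {f.evidence}")
```

The point worth keeping from this sweep is the exact comparison on the Run value name: the leading space in " devenv" is a deliberate detail, and any collector or parser that trims whitespace will report a harmless-looking "devenv" and never match. The domain check also accepts subdomains, since the page lists only the registered domains, not specific hosts.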
Analysis by Scott Molenkamp