Prevent Online Threats

TrojanDownloader.Win32.Checkin

Details
TrojanDownloader.Win32.Checkin
Checkin is a “downloader” trojan that downloads a given file from a certain site and runs it. The trojan itself is a Windows PE EXE file, written in MS Visual C++.
The trojan files have the following approximate sizes:
“Checkin.a”: 50Kb
“Checkin.b”: 45Kb

The trojan EXE file does not copy itself to any directory but creates a system registry auto-run key:
“Checkin.a”:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SysReg = %SystemDir%\SysReg

“Checkin.b”:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
OWMngr = %SystemDir%\OWMngr.exe

The trojan appears to be meant to be accompanied by an “installer” that performs all the steps needed to install the trojan program on the system.
The trojan program also creates more registry keys:
HKCU\Software\IExplore Ads
AID
ID
LoggedIn

It uses these keys for its ‘internal’ needs.
Checkin then becomes an active process (this process is visible in the task list), downloads a file from a Web site, stores it on the hard disk using the name update.exe and executes this file.
The Web site name and remote file URL can vary. The Checkin trojan downloads this information from another Web site:

“Checkin.a”: http://tp.searchseekfind.com
“Checkin.b”: http://ads.onwebmedia.com

At these locations the trojan uses the “Checkin.pl” file.
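A triage check for the registry artifacts listed above, run over the decoded text of a `.reg` export of the user hive. This is an added example, not part of the original description; the function name `scan_reg_export` and the sample export are constructed for illustration, and the Run value is only reported when its data also ends in the file name given above.

```python
import re

# Indicators from the description above: Run value name -> (variant, file name).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower()
RUN_VALUES = {"sysreg": ("Checkin.a", "sysreg"), "owmngr": ("Checkin.b", "owmngr.exe")}
STATE_KEY = r"HKEY_CURRENT_USER\Software\IExplore Ads".lower()

KEY_RE = re.compile(r"\[(.+)\]")
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')

def scan_reg_export(text):
    """Return (label, key, value_name) findings for decoded .reg export text."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.fullmatch(line)
        if m:
            key = m.group(1).lower()
            # The key itself (or anything below it) is the indicator here.
            if key == STATE_KEY or key.startswith(STATE_KEY + "\\"):
                findings.append(("Checkin state key", m.group(1), None))
            continue
        m = VALUE_RE.fullmatch(line)
        if not m or key != RUN_KEY or m.group(1).lower() not in RUN_VALUES:
            continue
        variant, fname = RUN_VALUES[m.group(1).lower()]
        # .reg string data doubles backslashes; compare the last path component only.
        data = m.group(2).strip('"').replace("\\\\", "\\")
        if data.rsplit("\\", 1)[-1].lower() == fname:
            findings.append((variant, key, m.group(1)))
    return findings

# Constructed sample export, not taken from a real infected host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"OWMngr"="C:\\WINDOWS\\system32\\OWMngr.exe"

[HKEY_CURRENT_USER\Software\IExplore Ads]
"AID"="0"
"LoggedIn"=dword:00000001
'''

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE):
        print(finding)
```

Exports written by regedit are UTF-16, so decode the file before passing its text to the function.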
