Trojan.Interrupdate is a low-risk trojan horse that was discovered on June 8, 2009. It affects all existing Microsoft Windows operating systems and varies in its file size. Besides dropping files and slightly modifying the Windows Registry, the only malicious thing it does is lower the system's security settings by "interrupting" Windows updates, hence its name.

Operations

Once executed, the Trojan drops the following file and then deletes the original copy of itself:
%System%\NetFilter.exe (Trojan.Interrupdate)

The Trojan also drops the following nonmalicious files:

  • %System%\drivers\ndisrd.sys
  • %System%\ndisapi.dll


The Trojan creates the following registry entry, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSDRV" = "NetFilter.exe"

The Trojan creates a new service with the following characteristics:

  • Service name: NDISRD
  • Image path: %System%\drivers\ndisrd.sys
  • Startup type: Automatic

It registers the service by creating the following registry subkeys:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDISRD
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDISRD

The Trojan then uses the nonmalicious driver and DLL to sniff network traffic and block security-related updates, which lowers the security settings of the infected system.
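The following read-only check is an added example, not part of the original article: it looks for the dropped files, the Run value, and the NDISRD service described above. It assumes %System% means $env:SystemRoot\System32 and that it is run from an elevated PowerShell session.

```powershell
# Added example: enumerate the Trojan.Interrupdate indicators listed on this page.
# Assumption: %System% = $env:SystemRoot\System32. Nothing is modified or deleted.
function Test-InterrupdateIndicators {
    $system = Join-Path $env:SystemRoot 'System32'
    $findings = @()

    # 1. Dropped files. Note: the page calls ndisrd.sys and ndisapi.dll nonmalicious
    #    on their own, so treat NetFilter.exe as the strong indicator.
    foreach ($rel in @('NetFilter.exe', 'drivers\ndisrd.sys', 'ndisapi.dll')) {
        $path = Join-Path $system $rel
        if (Test-Path -LiteralPath $path) {
            $findings += "File present: $path"
        }
    }

    # 2. Persistence: HKLM\...\Run\"MSDRV" = "NetFilter.exe"
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['MSDRV']) {
        $findings += "Run value MSDRV = '$($run.MSDRV)'"
    }

    # 3. Service registration keys (Start = 2 means Automatic)
    foreach ($svcKey in @('HKLM:\SYSTEM\CurrentControlSet\Services\NDISRD',
                          'HKLM:\SYSTEM\ControlSet001\Services\NDISRD')) {
        if (Test-Path -LiteralPath $svcKey) {
            $p = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
            $findings += "Service key $svcKey (ImagePath='$($p.ImagePath)', Start=$($p.Start))"
        }
    }

    # 4. Is the kernel driver service actually loaded? Win32_SystemDriver covers
    #    drivers, which plain Get-Service may not list.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='NDISRD'" `
             -ErrorAction SilentlyContinue
    if ($drv) {
        $findings += "Driver NDISRD state=$($drv.State) startmode=$($drv.StartMode)"
    }

    return $findings
}

$results = Test-InterrupdateIndicators
if ($results.Count -eq 0) {
    Write-Output 'No Trojan.Interrupdate indicators found.'
} else {
    $results | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on NetFilter.exe together with the MSDRV Run value is the combination worth escalating; the driver and DLL alone can belong to legitimate network-filter software.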
