February 27, 2012

Doctor Web—the Russian anti-virus vendor—warns users of the Trojan.Tenagour.9 malware. This Trojan horse is an advanced tool for criminals willing to carry out DDoS-attacks.

Trojan.Tenagour.9 consists of two components: the injector and the dynamic link library, which stores the payload. Once launched, the Trojan horse checks if its copy is already present in the system and if not, it saves its file as smss.exe, then adds its entry into the registry branch listing applications launched automatically.

Then Trojan.Tenagour.9 sends information about the OS version and type, computer name MD5-hash and the first partition's volume serial number to a remote server. A reply incorporates an encrypted string containing the URL of a target site and some auxiliary parameters. In addition, a remote command center may send an update command to the Trojan horse.

The Trojan horse uses GET and POST routines to mount 8 types of DDoS-attacks on a variety of Internet resources via TCP/IP and UDP. It can also add all links found on a targeted site to the list of target resources.

The Trojan horse's signature is added to the Dr.Web virus databases.