New Version of the “Ilomo” Trojan (Trojan.Win32.Ilomo!IK) Not Detected by Most Protection Systems (Includes Manual Removal)


Title: Ilomo
Type: Trojans
Severity scale: 45 / 100

A new version of the Ilomo trojan is in circulation and is barely detected: of the 41 engines on VirusTotal only two flag it (a-squared as Trojan.Win32.Ilomo!IK and Ikarus as Trojan.Win32.Ilomo), plus a generic “Suspicious” heuristic from CAT-QuickHeal. We uploaded the trojan file to VirusTotal and got this report:

File service.exe received on 2009.07.08 00:49:38 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.07 Trojan.Win32.Ilomo!IK
AhnLab-V3 5.0.0.2 2009.07.07 -
AntiVir 7.9.0.204 2009.07.07 -
Antiy-AVL 2.0.3.1 2009.07.07 -
Authentium 5.1.2.4 2009.07.07 -
Avast 4.8.1335.0 2009.07.07 -
AVG 8.5.0.386 2009.07.08 -
BitDefender 7.2 2009.07.08 -
CAT-QuickHeal 10.00 2009.07.07 (Suspicious) – DNAScan
ClamAV 0.94.1 2009.07.07 -
Comodo 1538 2009.07.02 -
DrWeb 5.0.0.12182 2009.07.08 -
eSafe 7.0.17.0 2009.07.07 -
eTrust-Vet 31.6.6602 2009.07.08 -
F-Prot 4.4.4.56 2009.07.07 -
F-Secure 8.0.14470.0 2009.07.08 -
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.08 -
Ikarus T3.1.1.64.0 2009.07.08 Trojan.Win32.Ilomo
Jiangmin 11.0.706 2009.07.07 -
K7AntiVirus 7.10.786 2009.07.07 -
Kaspersky 7.0.0.125 2009.07.08 -
McAfee 5669 2009.07.07 -
McAfee+Artemis 5669 2009.07.07 -
McAfee-GW-Edition 6.8.5 2009.07.07 -
Microsoft 1.4803 2009.07.07 -
NOD32 4222 2009.07.07 -
Norman 6.01.09 2009.07.07 -
nProtect 2009.1.8.0 2009.07.07 -
Panda 10.0.0.14 2009.07.07 -
PCTools 4.4.2.0 2009.07.07 -
Prevx 3.0 2009.07.08 -
Rising 21.37.14.00 2009.07.07 -
Sophos 4.43.0 2009.07.08 -
Sunbelt 3.2.1858.2 2009.07.07 -
Symantec 1.4.4.12 2009.07.08 -
TheHacker 6.3.4.3.363 2009.07.08 -
TrendMicro 8.950.0.1094 2009.07.07 -
VBA32 3.12.10.7 2009.07.08 -
ViRobot 2009.7.7.1822 2009.07.08 -
VirusBuster 4.6.5.0 2009.07.07 -
Additional information
File size: 509440 bytes
MD5…: 806b6e935eaa8923427408be5b1e11bf
SHA1..: e640681e1704941cd8ca02bc93fc45905868f069
SHA256: 88901a193da2c24412e78d57be0df3e3a147a142d3b565e9be3f7563bf7db790
ssdeep: 12288:LIFZ7RSkZQTjLyP35ZKGdbFKNdBOER8x9HzogQy+:LIMkqTjM5jdbKt6Hx
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1f82
timedatestamp…..: 0x43517510 (Sat Oct 15 21:30:56 2005)
machinetype…….: 0x14c (I386)

( 4 sections )
name    virt_addr  virt_size  raw_size  entropy  md5
.text   0x1000     0x27a8     0x2800    6.80     e24411d0d235db6a8e6edb6174eda970
.rdata  0x4000     0xc4a      0xe00     4.67     22f7a9b4c70d2946d76ecb83bad3bfee
.reloc  0x5000     0x6c160    0x6c200   8.00     eeea2f2f2b52b4dc9532237f9e7dcf1b
.bss    0x72000    0xc812     0xca00    6.57     7343c2addd9950b0be066b8251e804f2

( 8 imports )
> WININET.dll: InternetGetConnectedState, InternetReadFile, InternetCrackUrlA, GopherCreateLocatorA, InternetSetStatusCallback, HttpSendRequestA, InternetQueryOptionA, HttpOpenRequestA, HttpSendRequestExA, FtpCreateDirectoryA, FtpRemoveDirectoryA, InternetCloseHandle, InternetQueryDataAvailable, InternetWriteFile, HttpEndRequestA, InternetCanonicalizeUrlA, HttpAddRequestHeadersA, HttpSendRequestW
> WS2_32.dll: -, -, -, -
> KERNEL32.dll: LoadLibraryA, GetDateFormatW, lstrcatW, VirtualAlloc, GetFileSize, CreateDirectoryW, LocalFree, GetTickCount, CreateFileW, GetProcAddress, GetTimeFormatW, Sleep, MultiByteToWideChar, GetLastError, GlobalFree, QueryPerformanceCounter, GetModuleHandleW, SetEndOfFile, GlobalAlloc, GlobalLock, lstrcmpW, GetProfileIntW, GetThreadLocale, GetCurrentProcessId, GetModuleHandleA
> USER32.dll: DefWindowProcW, LoadMenuW, UpdateWindow, DestroyWindow, MapWindowPoints, SetRectEmpty, GetClientRect, EnableWindow, GetSysColor, GetDesktopWindow, DeleteMenu, WinHelpW, PeekMessageW, GetDlgItemInt, RegisterClassExW, GetSubMenu, GetSystemMetrics, IsClipboardFormatAvailable, KillTimer, SetCapture, MessageBeep, EqualRect, DeferWindowPos, SetClassLongW, GetWindowLongW, GetDlgItem, GetWindow, SetTimer, MessageBoxW, SetCaretPos, PostQuitMessage, ModifyMenuW, InvalidateRect, EndPaint, IsWindow, GetMenuItemInfoW, SetWindowTextW, GetProcessDefaultLayout, PtInRect, DestroyMenu, GetWindowPlacement, FillRect, ShowCaret
> GDI32.dll: CreateBitmap, GetDIBits, Ellipse, SelectPalette, StretchBlt, SetROP2, EndDoc, PatBlt, GetTextExtentPoint32W, CreatePalette, SelectClipRgn, GetTextMetricsW, CreateCompatibleDC, RealizePalette, EnumFontFamiliesW, SetBkColor, SetBkMode, SetViewportOrgEx, GetPixel, Polyline, CreateICW
> COMDLG32.dll: ReplaceTextA
> ADVAPI32.dll: RegCloseKey
> OLEAUT32.dll: -, -, -, -, -

( 0 exports )

PDFiD.: -
RDS…: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch

Note on the section table: .reloc has an entropy of 8.00 (the maximum) across 0x6c200 raw bytes, roughly 87% of the 509,440-byte file, while the actual code in .text is only 0x2800 bytes (10 KB). That is the profile of a packed or encrypted payload that is only unpacked at run time, and it is the most likely reason signature-based engines miss this build.

Ilomo is a trojan that injects code into Internet Explorer (iexplore.exe) so that it can silently download files from the Internet and execute them; the downloaded files are themselves typically malicious. The WININET imports in the report above (HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetWriteFile) are consistent with this behaviour. Ilomo usually gets onto a system when the user visits a compromised or malicious web site.


Ilomo Properties:

The file name of the trojan is “service.exe”. Do not confuse it with “services.exe” (with an s), the legitimate Windows Service Control Manager in C:\WINDOWS\system32.

• Connects itself to the Internet.
• Hides from the user:
- The trojan copies itself to “C:\Documents and Settings\<User>\Application Data\service.exe”.
- The trojan creates a startup record for its executable (visible in the Startup tab of MSCONFIG).
• Stays resident in the background and launches iexplore.exe to reach the Internet and download further malicious software.


Manual Stop and Removal:

-  Open Task Manager and end the “service.exe” process, together with any Internet Explorer (iexplore.exe) windows it started. Leave “services.exe” alone; it is a legitimate Windows process.

-  Go to “C:\Documents and Settings\<Your User>\Application Data” and delete “service.exe”. The process must be ended first, because Windows will not delete a running executable.

-  Go to Start > Run, type “msconfig”, open the Startup tab, uncheck “service.exe”, click OK and restart the PC.

These steps remove the trojan itself. Anything it downloaded and executed in the meantime is not covered, so run a full scan afterwards.
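As an added example for this page (not code from the original post, the malware author or any vendor), the following Python script turns the indicators above into offline checks: it compares a file's size and MD5/SHA-1/SHA-256 against the published values, falls back to the weaker name-and-location indicator (service.exe under Application Data) for repacked variants whose hashes differ, refuses to flag the legitimate services.exe in System32, and parses the text output of `reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` for a matching autostart entry. The Run key as the startup location and the sample registry output are assumptions; the post only says the entry is visible in MSCONFIG.

```python
"""Offline triage helpers for the Ilomo "service.exe" sample described above.

Added example for this page, not code from the original post or from any
vendor. The Run key as the autostart location and the sample `reg query`
output below are assumptions; the post only says the entry shows in MSCONFIG.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators of compromise copied from the VirusTotal report in the post.
ILOMO_IOC = {
    "name": "service.exe",
    "size": 509440,
    "md5": "806b6e935eaa8923427408be5b1e11bf",
    "sha1": "e640681e1704941cd8ca02bc93fc45905868f069",
    "sha256": "88901a193da2c24412e78d57be0df3e3a147a142d3b565e9be3f7563bf7db790",
}

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output: one benign entry, one quoted entry with arguments, one Ilomo-style entry.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    MSMSGS    REG_EXPAND_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
    service    REG_SZ    C:\Documents and Settings\Alice\Application Data\service.exe
"""

RUN_VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<value>.+?)\s*$")
EXE_PATH_RE = re.compile(r'"?(?P<exe>.+?\.exe)\b', re.IGNORECASE)


def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a file's contents as lower-case hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def in_application_data(p: PureWindowsPath) -> bool:
    """True when the path lies under an 'Application Data' folder (XP-era %APPDATA%)."""
    return any(part.lower() == "application data" for part in p.parts)


def verdict(path: str, size: int, h: dict) -> str:
    """Classify one file from its path, size and hashes.

    'legit-scm'  - the real Windows services.exe in System32; never touch it.
    'ilomo'      - size and all three hashes match the published sample.
    'suspicious' - service.exe under Application Data but a different build
                   (repacked variant or unrelated file; analyse before deleting).
    'clean'      - no indicator applies.
    """
    p = PureWindowsPath(path)
    if p.name.lower() == "services.exe" and p.parent.name.lower() == "system32":
        return "legit-scm"
    if size == ILOMO_IOC["size"] and all(h[k] == ILOMO_IOC[k] for k in ("md5", "sha1", "sha256")):
        return "ilomo"
    if p.name.lower() == ILOMO_IOC["name"] and in_application_data(p):
        return "suspicious"
    return "clean"


def classify(path: str, data: bytes) -> str:
    """Convenience wrapper: hash the bytes, then apply verdict()."""
    return verdict(path, len(data), hashes(data))


def suspicious_run_entries(reg_query_output: str) -> list:
    """(value name, image path) for Run entries that launch service.exe from Application Data."""
    hits = []
    for line in reg_query_output.splitlines():
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        exe = EXE_PATH_RE.match(m.group("value"))  # drop surrounding quotes and arguments
        if not exe:
            continue
        p = PureWindowsPath(exe.group("exe"))
        if p.name.lower() == ILOMO_IOC["name"] and in_application_data(p):
            hits.append((m.group("name"), str(p)))
    return hits


if __name__ == "__main__":
    # Constructed stand-in bytes: the malware itself is not shipped here, so the
    # hash check cannot match and the name/location heuristic does the work.
    stand_in = b"MZ" + b"\x00" * 126
    for path in (r"C:\Documents and Settings\Alice\Application Data\service.exe",
                 r"C:\WINDOWS\system32\services.exe"):
        print(f"{path} -> {classify(path, stand_in)}")
    for name, image in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"autostart value {name!r} launches {image}")
```

The script only reports; it does not kill processes, delete files or edit the registry, so it is safe to run before the manual steps. A hash match identifies this exact build only: because the sample is packed (PE_Patch, .reloc at entropy 8.00), a recompressed variant will have different hashes and a different size, and then only the name-and-location indicator fires, which is a prompt for analysis rather than proof.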

For any help just comment or contact us.