CNN.com Daily Top 10 Description

CNN.com Daily Top 10 is a spam email created to download and install Trojan-Downloader.Agent.EL onto the user’s computer system. Once the user receives CNN.com Daily Top 10 email, he/she will believe it’s a legitimate email sent by CNN.com and will open it. CNN.com Daily Top 10 email contains the top ten stories of the day, however, none of the links provided redirect the user to any top story. If the user clicks on any of the links, he/she will be redirected to a website where a screen may display a message stating that the user needs the latest Flash player version to be able to see the site.

Once the user downloads the update, he/she will be downloading Trojan-Downloader.Agent.EL disguised as the get_flash_update.exe file. The Trojan-Downloader.Agent.EL will open a conduit in the user’s computer through which additional malware and rogue anti-spyware programs will be downloaded and installed. The most common rogue installed by Trojan-Downloader.Agent.EL is Antivirus XP 2008.

In addition, the user’s desktop background and screensaver may be hijacked. The user’s desktop may display a rogue alert notification stating that the user’s computer in flooded with spyware and the screensaver may switch to SysInternals BlueScreen Screen Saver. These malicious mechanisms may cause a crash in the computer’s operating system which will finally lead to a Blue Screen of Death (BSOD). The BSOD message may read:

“PAGE_FAULT_IN_NONPAGED_AREA
PANIC_STACK_SWITCH
MAXIMUM_WAIT_OBJECTS_EXCEEDED
NO_MORE_IRP_STACK_LOCATIONS
BAD_POOL_HEADER
IRQL_NOT_LESS_OR_EQUAL
KMODE_EXCEPTION_NOT_HANDLED
BOGUS_DRIVER
SYSINTERNALS_GREAT_SITE
UNEXPECTED_KERNEL_MODE_TRAP”

Trojan-Downloader.Agent.EL downloads may cause fake popups and system alert messages that interfere with the user’s workflow. Trojan-Downloader.Agent.EL is also known to modify the user’s Windows Registry.

Type: Trojans

How Can You Detect CNN.com Daily Top 10?

CNN.com Daily Top 10 has typically the following processes in memory:

• c:\WINDOWS\system32\lphcjkrj0etfg.exe
• c:\Program Files\rhcnkrj0etfg\Uninstall.exe
• c:\Program Files\rhcnkrj0etfg\msvcp71.dll
• c:\WINDOWS\system32\pphcjkrj0etfg.exe
• c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe
• c:\Program Files\rhcnkrj0etfg\MFC71.dll
• c:\WINDOWS\system32\CbEvtSvc.exe
• c:\WINDOWS\system32\drivers\54c70b2e.sys
• c:\Program Files\rhcnkrj0etfg\MFC71ENU.DLL
• c:\Program Files\rhcnkrj0etfg\msvcr71.dll

CNN.com Daily Top 10 creates the following registry entries:

• HKEY_LOCAL_MACHINE\SOFTWARE\rhcnkrj0etfg
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54c70b2e
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “NoDispScrSavPage”
• HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\54c70b2e
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “SMrhcnkrj0etfg”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcnkrj0etfg
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “lphcjkrj0etfg”
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “NoDispBackgroundPage”

Important Article Disclaimer