Saturday, 25 February 2012

TrojanSpy:Win32/Derusbi.A


Encyclopedia entry
Updated: Aug 24, 2011  |  Published: Aug 17, 2011

Aliases
  • TROJ_DLLSERV.BE (Trend Micro)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.253.0
Released: Feb 23, 2012
Detection initially created:
Definition: 1.109.1419.0
Released: Aug 09, 2011


 

Summary

TrojanSpy:Win32/Derusbi.A is a trojan that steals sensitive information from an infected computer, and opens up a backdoor that allows an attacker to gain unauthorized access and control.


 

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:

    <system folder>\msusbgub.dat
    <system folder>\drivers\{bc87739c-6024-412c-b489-b951c2f17000}.sys 
  • The presence of the following registry modifications:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
    Sets value: "ServiceDll"
    With data: "<system folder>\msusb<random>.dat"
     
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
    Sets value: "Description"
    With data: "Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site."
     
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
    Sets value: "DisplayName"
    With data: "Automatic Updates"
     
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
    Sets value: "ImagePath"
    With data: "%systemroot%\system32\svchost.exe -k netsvcs"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
    Sets value: "PendingFileRenameOperations"
    With data: "<malware file>.dll"
 


 

Technical Information (Analysis)

TrojanSpy:Win32/Derusbi.A is a trojan that steals sensitive information from an infected computer, and opens up a backdoor that allows an attacker to gain unauthorized access and control.
Installation
When executed, TrojanSpy:Win32/Derusbi.A copies itself to <system folder>\msusb<random>.dat. The malware makes the following changes to the registry so that its copy is loaded as a service, with the display name "Automatic Updates", at each Windows start:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
Sets value: "ServiceDll"
With data: "%Windows%\system32\msusb<random>.dat"
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Description"
With data: "Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site."
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "DisplayName"
With data: "Automatic Updates"
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "ImagePath"
With data: "%systemroot%\system32\svchost.exe -k netsvcs"
 
The malware creates the following files on an affected computer:
 
 
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 it is C:\Windows\System32.
 
Once this dropped file is loaded, TrojanSpy:Win32/Derusbi.A deletes it from the disk.
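As an added defender-side check (not part of the Microsoft write-up), the following Python function evaluates the persistence indicators described above: a wuauserv ServiceDll redirected to an msusb<random>.dat file, a PendingFileRenameOperations entry, and the presence of the dropped .dat and driver files. It assumes registry values and a file listing are handed in as plain Python structures (for instance from a triage export); the KNOWN_GOOD_DLLS set and the dropper.dll filename in the sample data are assumptions, not values from the page.

```python
import re
from typing import Dict, List

PARAMS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters"
SESSION_MANAGER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"

# Derusbi.A drops <system folder>\msusb<random>.dat and registers it as the
# wuauserv ServiceDll; the driver filename is the one listed in the write-up.
DERUSBI_DAT = re.compile(r"\\msusb[^\\]*\.dat$", re.IGNORECASE)
DERUSBI_DRIVER = r"\drivers\{bc87739c-6024-412c-b489-b951c2f17000}.sys"
# Assumption: legitimate ServiceDll names for wuauserv (XP: wuauserv.dll,
# later versions: wuaueng.dll). Adjust for the Windows builds you manage.
KNOWN_GOOD_DLLS = {"wuauserv.dll", "wuaueng.dll"}


def check_host(registry: Dict[str, Dict[str, str]], files: List[str]) -> List[str]:
    """Return findings for Derusbi.A persistence indicators; empty list if clean."""
    findings = []
    service_dll = registry.get(PARAMS_KEY, {}).get("ServiceDll", "")
    if DERUSBI_DAT.search(service_dll):
        findings.append(f"wuauserv ServiceDll hijacked by msusb*.dat: {service_dll}")
    elif service_dll.rsplit("\\", 1)[-1].lower() not in KNOWN_GOOD_DLLS:
        findings.append(f"wuauserv ServiceDll is not a known Windows Update DLL: {service_dll}")
    # The dropper queues its own DLL under PendingFileRenameOperations so it is
    # removed at reboot. Installers use this value too, so report it for review
    # rather than treating it as proof on its own.
    pending = registry.get(SESSION_MANAGER_KEY, {}).get("PendingFileRenameOperations")
    if pending:
        findings.append(f"PendingFileRenameOperations set, review: {pending}")
    for path in files:
        if DERUSBI_DAT.search(path) or path.lower().endswith(DERUSBI_DRIVER.lower()):
            findings.append(f"Derusbi.A file present: {path}")
    return findings


# Constructed sample data (not real registry exports): one clean host and one
# host showing the entries from the write-up. "dropper.dll" is a placeholder.
CLEAN = {PARAMS_KEY: {"ServiceDll": r"%systemroot%\system32\wuauserv.dll"},
         SESSION_MANAGER_KEY: {}}
CLEAN_FILES = [r"C:\Windows\System32\wuauserv.dll"]
INFECTED = {PARAMS_KEY: {"ServiceDll": r"C:\Windows\system32\msusbgub.dat"},
            SESSION_MANAGER_KEY: {"PendingFileRenameOperations": r"\??\C:\Windows\system32\dropper.dll"}}
INFECTED_FILES = [r"C:\Windows\System32\msusbgub.dat",
                  r"C:\Windows\System32\drivers\{bc87739c-6024-412c-b489-b951c2f17000}.sys"]

if __name__ == "__main__":
    for label, reg, fs in (("clean", CLEAN, CLEAN_FILES), ("infected", INFECTED, INFECTED_FILES)):
        print(label, check_host(reg, fs) or "no indicators")
```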
Payload
Steals sensitive information
TrojanSpy:Win32/Derusbi.A gathers sensitive information from the infected computer and posts this information to a remote server. It checks the registry, running processes, and queries the computer in order to gather this data. Derusbi.A has been observed gathering the following information from the computer:
  • User login name
  • IP address of computer
  • Version of Windows
  • IE Proxy Server settings
  • Installed Antivirus software names
  • User name and password for the system's default mail account, MSN and Outlook
  • Stored Internet Explorer Autocomplete usernames and passwords
Derusbi.A also logs keystrokes entered by the user into any active window on the computer. Logged data is saved to the file %Windows%\Temp\ziptmp$1.tmp21.
Contacts remote host
TrojanSpy:Win32/Derusbi.A may contact a remote host at three.911223.com using port 443.
 
Analysis by Amir Fouda
