Win32/RuPass is a DLL component that adware or other malicious programs may use to monitor an affected user's Internet usage and to capture sensitive information.
Win32/RuPass has been distributed as a 420,352 byte DLL file, with the file name 'ConnectionServices.dll'.
Installation
Win32/RuPass (as 'ConnectionServices.dll') is normally found in the %Program Files%\ConnectionServices folder, but it can be dropped to any other location on the affected system.
When loaded by a process, Win32/RuPass tries to initialize a module located in the same directory as the DLL. This module has the same file name as the DLL but with the added suffix .upd, for example ConnectionServices.dll.upd.
Win32/RuPass registers itself as an Internet Explorer Browser Helper Object (BHO) and exposes a COM class with the CLSID '6D7B211A-88EA-490c-BAB9-3600D8D7C503'.
It makes the following registry modifications:
HKEY_CLASSES_ROOT\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503} = "ConnectionServices Class"
HKEY_CLASSES_ROOT\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\InprocServer32 = "<fully qualified path to the dll module>"
HKEY_CLASSES_ROOT\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\InprocServer32\ThreadingModel = "Apartment"
HKEY_CLASSES_ROOT\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\ProgID = "ConnectionServices.ConnectionServices.1"
HKEY_CLASSES_ROOT\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\Programmable
HKEY_CLASSES_ROOT\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\TypeLib = "{EF62EF34-7E5A-46ac-9383-1949547AF5D6}"
HKEY_CLASSES_ROOT\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\VersionIndependentProgID = "ConnectionServices.ConnectionServices"
HKEY_CLASSES_ROOT\ConnectionServices.ConnectionServices = "ConnectionServices Class"
HKEY_CLASSES_ROOT\ConnectionServices.ConnectionServices\CLSID = "{6D7B211A-88EA-490c-BAB9-3600D8D7C503}"
HKEY_CLASSES_ROOT\ConnectionServices.ConnectionServices\CurVer = "ConnectionServices.ConnectionServices.1"
HKEY_CLASSES_ROOT\ConnectionServices.ConnectionServices.1 = "ConnectionServices Class"
HKEY_CLASSES_ROOT\ConnectionServices.ConnectionServices.1\CLSID = "{6D7B211A-88EA-490c-BAB9-3600D8D7C503}"
HKEY_CLASSES_ROOT\TypeLib\{EF62EF34-7E5A-46ac-9383-1949547AF5D6}
HKEY_CLASSES_ROOT\TypeLib\{EF62EF34-7E5A-46ac-9383-1949547AF5D6}\1.0 = "ConnectionServices Library"
HKEY_CLASSES_ROOT\TypeLib\{EF62EF34-7E5A-46ac-9383-1949547AF5D6}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{EF62EF34-7E5A-46ac-9383-1949547AF5D6}\1.0\0\win32 = "<fully qualified path to the dll module>"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503} = "ConnectionServices Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\InprocServer32 = "<fully qualified path to the dll module>"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\InprocServer32\ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\ProgID = "ConnectionServices.ConnectionServices.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\TypeLib = "{EF62EF34-7E5A-46ac-9383-1949547AF5D6}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}\VersionIndependentProgID = "ConnectionServices.ConnectionServices"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EF62EF34-7E5A-46ac-9383-1949547AF5D6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EF62EF34-7E5A-46ac-9383-1949547AF5D6}\1.0 = "ConnectionServices Library"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EF62EF34-7E5A-46ac-9383-1949547AF5D6}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EF62EF34-7E5A-46ac-9383-1949547AF5D6}\1.0\0\win32 = "<fully qualified path to the dll module>"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D7B211A-88EA-490c-BAB9-3600D8D7C503} = "ConnectionServices module"
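The registration above is the standard way any BHO gets loaded: Internet Explorer enumerates the Browser Helper Objects key, resolves each CLSID through HKCR\CLSID\{...}\InprocServer32, and loads that DLL into every browser process. The following triage script is an added example, not part of the original analysis or of the malware itself. It enumerates every registered BHO on a host, resolves each one to the DLL on disk, checks its Authenticode signature and looks for the companion .upd module described in the Installation section, and separately checks for the CLSID, ProgID and TypeLib keys listed above so that leftover registrations are found even after the BHO entry itself has been removed. The only identifiers it takes from the page are the CLSID, the TypeLib GUID, the ProgID and the file name; the WOW6432Node paths are an assumption that generalizes the entry to 64-bit Windows, where 32-bit IE reads the 32-bit registry view.

```powershell
# Added triage script (example code, not from the original entry): list every
# Browser Helper Object registered on this host, resolve it to the DLL that
# Internet Explorer would load, and flag the Win32/RuPass indicators above.
# Run from an elevated PowerShell prompt on the suspect machine.

# Indicators taken from the analysis above.
$RuPassClsid   = '{6D7B211A-88EA-490c-BAB9-3600D8D7C503}'
$RuPassTypeLib = '{EF62EF34-7E5A-46ac-9383-1949547AF5D6}'
$RuPassProgIds = 'ConnectionServices.ConnectionServices', 'ConnectionServices.ConnectionServices.1'
$RuPassFile    = 'ConnectionServices.dll'

# IE loads BHOs from the HKLM key; on 64-bit Windows the 32-bit browser reads
# the WOW6432Node view (assumed here to generalize beyond the 32-bit hosts the
# entry describes).
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-InprocServer {
    param([string]$Clsid)
    # HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes,
    # so check both (and the 32-bit view) rather than trusting a single root.
    foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes',
                      'HKLM:\SOFTWARE\Classes\WOW6432Node') {
        $inproc = Join-Path $root "CLSID\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $raw = (Get-ItemProperty -LiteralPath $inproc).'(default)'
            if ($raw) {
                # Strip surrounding quotes and expand %SystemRoot%-style variables.
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

function Get-BhoInventory {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $clsid  = $sub.PSChildName
            $dll    = Resolve-InprocServer -Clsid $clsid
            $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }

            $flags = @()
            if ($clsid -ieq $RuPassClsid) { $flags += 'RuPass CLSID' }
            if ($dll -and ([IO.Path]::GetFileName($dll) -ieq $RuPassFile)) { $flags += 'RuPass file name' }
            # The secondary module sits beside the DLL as <dllname>.upd.
            if ($exists -and (Test-Path -LiteralPath "$dll.upd")) { $flags += 'companion .upd module present' }
            if (-not $dll)        { $flags += 'CLSID has no InprocServer32 (dangling BHO)' }
            elseif (-not $exists) { $flags += 'DLL missing on disk' }
            elseif ($sig.Status -ne 'Valid') { $flags += "unsigned or invalid signature ($($sig.Status))" }

            [pscustomobject]@{
                Clsid     = $clsid
                Dll       = $dll
                SizeBytes = if ($exists) { (Get-Item -LiteralPath $dll).Length } else { $null }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Flags     = ($flags -join '; ')
            }
        }
    }
}

function Test-RuPassRemnants {
    # COM registration survives removal of the BHO entry; check the class,
    # ProgID and TypeLib keys from the list above in every view they could live in.
    $paths = foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes',
                               'HKLM:\SOFTWARE\Classes\WOW6432Node') {
        Join-Path $root "CLSID\$RuPassClsid"
        Join-Path $root "TypeLib\$RuPassTypeLib"
        foreach ($p in $RuPassProgIds) { Join-Path $root $p }
    }
    $paths | Where-Object { Test-Path -LiteralPath $_ }
}

# Flagged entries first, then the remnant keys (empty output means none found).
Get-BhoInventory | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
Test-RuPassRemnants
```

A BHO that resolves to an unsigned DLL with a matching .upd file beside it is the pattern this entry describes; a CLSID with no InprocServer32 at all is a dangling entry worth noting too, since a later installer can reuse it to get a DLL loaded into the browser. The file-size field lets the 420,352-byte sample above be compared against what is actually on disk.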
Payload
Monitors Web Browsing/Captures Sensitive Data
The BHO monitors and collects personal information when the affected user accesses the following domains:
my.begun.ru
promoforum.ru
seochase.com
mastertalk.ru
forum.searchengines.ru
searchengines.ru
armadaboard.com
umaxforum.com
crutop.nu
crutop.com
master-x.com
umaxlogin.com
rusawm.com
gof**kyourself.com
board.gof**kyourself.com
oprano.com
gfyboard.com
gfy.com
adultwebmasterinfo.com
bbs.adultwebmasterinfo.com
xbiz.com
boards.xbiz.com
nastraforum.com
webhostingtalk.com
searchengineforums.com
benedelman.org
webmasterworld.com
askdamage.com
namepros.com
castlecops.com
google.com/adsense/
Using its access to the browser as a BHO, the DLL also helps collect information for targeted advertising.
Analysis by Oleg Petrovsky