Installation
When it runs, this trojan drops a copy of itself using a random file name on your PC. The copy is placed in a subfolder of your %AppData% folder, for example:
It makes sure that this copy runs every time you start Windows by adding the following run command in your system registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "{GUID of your Windows volume}"
With data: "<malware file name>"
It tries to avoid being detected by your security software by injecting code into programs that are currently running with your security privileges (so that, for example, if your account is an Administrator account, this trojan then has the potential to run with administrator privileges). If it's unable to inject code into these processes, it tries instead to inject the code into all user-level processes (which might have lower privileges than your account).
Spreads via...
Remote desktop services (RDS)
This trojan can spread to other PCs if your PC is connected to others in the network via Remote Desktop Services (RDS). If your PC is running RDS, this trojan tries to drop a copy of the trojan in the folder <startup folder> in the other PC for every available RDS session.
Payload
Steals sensitive information
This trojan hooks the following Windows system APIs to gather sensitive data from your PC, like login credentials for online bank accounts, email credentials, and network information:
- In the file NSPR.DLL:
- PR_OpenTCPSocket
- PR_Close
- PR_Poll
- PR_Read
- PR_Write
- In the file NTDLL.DLL:
- ZwCreateThread
- LdrLoadDll
- In the file KERNEL32.DLL:
- In the file WININET.DLL:
- HttpSendRequestW
- HttpSendRequestA
- HttpSendRequestExW
- HttpSendRequestExA
- InternetCloseHandle
- InternetReadFile
- InternetReadFileExA
- InternetQueryDataAvailable
- HttpQueryInfoA
- InternetSetStatusCallbackW
- InternetSetStatusCallbackA
- InternetSetOptionA
- In the file WS2_32.DLL:
- closesocket
- send
- WSASend
- recv
- WSARecv
- In the file GDI32.DLL:
- OpenInputDesktop
- SwitchDesktop
- DefWindowProcW
- DefWindowProcA
- DefDlgProcW
- DefDlgProcA
- DefFrameProcW
- DefFrameProcA
- DefMDIChildProcW
- DefMDIChildProcA
- CallWindowProcW
- CallWindowProcA
- RegisterClassW
- RegisterClassA
- RegisterClassExW
- RegisterClassExA
- In the file USER32.DLL:
- BeginPaint
- EndPaint
- GetDCEx
- GetDC
- GetWindowDC
- ReleaseDC
- GetUpdateRect
- GetUpdateRgn
- GetMessagePos
- GetCursorPos
- SetCursorPos
- SetCapture
- ReleaseCapture
- GetCapture
- GetMessageW
- GetMessageA
- PeekMessageW
- PeekMessageA
- TranslateMessage
- GetClipboardData
- In the file CRYPT32.DLL:
Once it has hooked these APIs, the trojan steals the following sensitive information from your PC:
- Cached user names and passwords
- Digital certificates
- Internet Explorer cookies
It also logs keystrokes and takes snapshots of the activities on your PC. The captured data is sent to a remote attacker via a predefined FTP or email server specified in the downloaded configuration file (see below).
Lowers Internet Explorer security
This trojan lowers Internet Explorer's security settings by changing the following settings in the registry:
- Disables phishing filtering:
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "Enabled"
With data: "0"
Sets value: "EnabledV8"
With data: "0"
- Disables system behavior to remove expired Internet Explorer browser cookies:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
Sets value: "CleanCookies"
With data: "0"
- Lowers Internet Explorer Internet zone security settings:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1406"
With data: "0"
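A triage check for the persistence entry and the Internet Explorer settings described above, written as an added example and not part of the original analysis: it parses a `reg export`-style dump (the sample below is constructed) and flags a Run value named like a volume GUID that points into %AppData%, plus the PhishingFilter, CleanCookies and zone values set to 0.

```python
import re
# Constructed `reg export`-style dump (sample data, not from the original entry);
# the value names and data mirror the registry changes the entry describes.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{a1b2c3d4-0000-1111-2222-333344445555}"="C:\\Users\\u\\AppData\\Roaming\\xkqe\\qzcr.exe"
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"EnabledV8"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000003
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Per-key value names that the entry says the trojan sets to 0.
ZERO_IS_BAD = {
    r"hkey_current_user\software\microsoft\internet explorer\phishingfilter": {"enabled", "enabledv8"},
    r"hkey_current_user\software\microsoft\internet explorer\privacy": {"cleancookies"},
}
ZONE_PREFIX = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\internet settings\\zones\\"
ZONE_VALUES = {"1406", "1609"}  # zone settings the entry lists as lowered to 0

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each value in a .reg-style dump."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            yield key, name, data

def find_indicators(text):
    """Return (tag, key, value_name) for every value matching the entry's indicators."""
    hits = []
    for key, name, data in parse_reg(text):
        lk = key.lower()
        if lk.endswith(r"\currentversion\run") and GUID_RE.match(name) and "appdata" in data.lower():
            hits.append(("run-key-volume-guid", key, name))  # persistence named after a volume GUID
        elif name.lower() in ZERO_IS_BAD.get(lk, ()) and data == "dword:00000000":
            hits.append(("ie-setting-disabled", key, name))
        elif lk.startswith(ZONE_PREFIX) and name in ZONE_VALUES and data == "dword:00000000":
            hits.append(("ie-zone-lowered", key, name))
    return hits
```

On a live system, feed it the output of `reg export HKCU hkcu.reg` (the same format) to check a machine instead of the constructed sample.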
Lowers Firefox security
This trojan might change settings for Mozilla Firefox, including the following:
- Disabling the clearing of Internet cookies
- Disabling warning messages that are displayed when viewing mixed secure and unsecure web pages
- Disabling warning messages that are displayed when submitting data to unsecure pages
- Downloading configuration data
Lets a hacker access and control your PC
Earlier variants of this trojan downloaded a configuration file from a remote server (for example, dairanet.cn). Newer variants of this malware generate a list of up to 1020 pseudo-randomly named domains that they try to connect to. If the trojan successfully connects to a domain, it downloads a configuration file. The list of generated domain names is based on the system date and time, and each name has one of these suffixes:
- .biz
- .com
- .info
- .net
- .org
The downloaded configuration file contains data used by this trojan, for example:
- URL from which it downloads its code updates
- URL from which additional configuration data files can be downloaded
- URL of targeted online banks
- What version of the bot builder was used to create this trojan
- HTML and JavaScript code for parsing target web pages
Depending on the information in the downloaded configuration data file, some variants of this trojan might:
- Restart or shut down your PC
- Remove itself from, or update itself on, your PC
- Enable or disable HTTP injection, which is a type of attack in which malicious code is injected into HTTP pages
- Look through your files and folders
- Delete files and folders
- Log off the current user
- Run a program
- Steal Internet Explorer browser cookies
- Steal or delete certificates
- Block or unblock access to certain websites
- Set the Internet Explorer home page
- Steal FTP and email credentials stored in your PC
Analysis by Zhitao Zhou