Installation
This threat uses a random file name and is installed in a folder with a partly random name: %ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}.
For example:
- %ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe
- %ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe
It also creates the following registry entries, so that it automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random phrase>"
With data: "%ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}\<malware file name>.exe"
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Beta Bot"
With data: "%ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Chrome Browser"
With data: "%ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe"
It also creates the following registry entry, as part of its installation process:
In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "<random bytecode>"
For example:
In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "u^â..ny."
Payload
Changes your computer settings
This trojan hides files and folders that have the "system" attribute by changing the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
Prevents some security processes from running
This trojan prevents some security processes from running by adding the following registry entries (an Image File Execution Options "Debugger" value makes Windows launch the named file instead of the intended program):
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "dwrdsye_.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "rj_.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "cxsrjn_.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "eivm_.exe"
Disables Protected Mode in Internet Explorer
This trojan disables Protected Mode in Internet Explorer across all zones by changing the following registry entries:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "2500"
With data: "3"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "2500"
With data: "3"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "3"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "2500"
With data: "3"
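As an added detection check (not part of the original write-up), the following PowerShell function queries the registry locations listed in the Installation and Payload sections above and reports any that match; the function name and the regexes are my own, and it assumes an elevated PowerShell 5.1+ session on the host being examined.

```powershell
# Added detection check, not part of the original write-up: queries the registry
# locations described above and returns one object per indicator found.
# Assumes an elevated PowerShell 5.1+ session on the host being examined.
function Find-BetaBotIndicators {
    $hits = [System.Collections.Generic.List[object]]::new()
    $guid = '{2227a280-3aea-1069-a2de-08002b30309d}'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. IFEO "Debugger" hijack of the security tools named above. The write-up
    #    shows the value as "<random characters>_.exe", hence the regex.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($exe in 'rstrui.exe', 'hijackthis.exe', 'spybotsd.exe', 'housecalllauncher.exe') {
        $dbg = (Get-ItemProperty -Path "$ifeo\$exe" -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg -and $dbg -match '^[a-z]+_\.exe$') {
            $hits.Add([pscustomobject]@{ Indicator = 'IFEO Debugger'; Location = "$ifeo\$exe"; Value = $dbg })
        }
    }

    # 2. Run-key persistence pointing into "Common Files\<phrase>.{GUID}\<name>.exe".
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $pattern = 'common files\\[^\\]+\.' + [regex]::Escape($guid) + '\\[^\\]+\.exe'
    $runProps = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($runProps) {
        foreach ($p in $runProps.PSObject.Properties | Where-Object { $_.Name -notin $meta }) {
            if ("$($p.Value)" -match $pattern) {
                $hits.Add([pscustomobject]@{ Indicator = 'Run entry'; Location = "$run\$($p.Name)"; Value = $p.Value })
            }
        }
    }

    # 3. Installation marker. Note: HKCU is the hive of the account running this
    #    script; other users' hives must be checked under HKU separately.
    $uuid = (Get-ItemProperty -Path 'HKCU:\Software\Win7zip' -Name Uuid -ErrorAction SilentlyContinue).Uuid
    if ($null -ne $uuid) {
        $hits.Add([pscustomobject]@{ Indicator = 'Win7zip Uuid'; Location = 'HKCU:\Software\Win7zip'; Value = ($uuid -join ',') })
    }

    # 4. Protected Mode forced off (value "2500" = 3) in IE zones 1-4. Some zones
    #    have it off by default, so treat this only as corroborating evidence.
    foreach ($zone in 1..4) {
        $z = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $pm = (Get-ItemProperty -Path $z -Name '2500' -ErrorAction SilentlyContinue).'2500'
        if ($pm -eq 3) {
            $hits.Add([pscustomobject]@{ Indicator = 'IE Protected Mode off'; Location = $z; Value = $pm })
        }
    }
    return $hits
}

Find-BetaBotIndicators | Format-Table -AutoSize
```

An empty table means none of the indicators above were present for the current account; a hit on the IFEO or Run entries is the strongest signal, since those values have no legitimate default.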
Steals computer and account details
This trojan steals any stored user names and passwords, servers, and port connections from the following FTP programs, if they are installed on your PC:
- CoreFTP
- FileZilla
- FlashFXP
- FTP Commander
- Putty
- SmartFTP
- WinSCP
It might also steal your account details and contacts list for Skype.
It might also steal information about your computer, such as:
- Operating system
- Currently logged on user
- Software installed on your computer, especially security software
Allows backdoor access and control
This trojan might connect to remote servers to give a malicious hacker access to your PC. It tries connecting to the following servers:
- strike-file-hosting.us
- 188.190.99.224
Once connected, a malicious hacker could do the following to your PC:
- Download and run arbitrary files
- Upload files
- Send its stolen data
- Spread through removable drives
- Start or stop programs
- Delete files
Analysis by Elda Dimakiling