Threat behavior
Win32/Sanpec.gen!A is a generic detection for obfuscated samples of password-stealing trojans that target confidential data, such as account information, from the online games "QQ Fantasy Online", "Dream Journey To The West Online", and "Lineage 2".
Payload
Drops Other Malware
When run, Win32/Sanpec.gen!A drops the following files:
where <current folder> is the folder where Win32/Sanpec.gen!A is currently running.
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It then modifies the following registry entries to enable its dropped malware to run as services or to load when Windows starts:
Adds value: "ImagePath"
With data: "%temp%\pandrv.sys"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Pandrv
Adds value: "ImagePath"
With data: "<system folder>\rundll32.exe dbi100.dll, scan"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\seiuctol
Adds value: "AppInit_DLLs"
With data: "dicthelper.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
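The following PowerShell script is an added example, not part of this encyclopedia entry, that checks a host for the three registry indicators listed above. It is read-only and reports only; it assumes the default 32-bit registry view.

```powershell
# Added example (not from the Microsoft entry): look for the registry persistence
# indicators of Win32/Sanpec.gen!A. Read-only; reports findings, changes nothing.

$findings = @()

# Service keys the trojan registers, with the file name expected in each ImagePath
# (taken from the entry above). A present key is reported even if the path differs.
$services = @{
    'Pandrv'   = 'pandrv.sys'
    'seiuctol' = 'dbi100.dll'
}

foreach ($name in $services.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $key) {
        $imagePath = (Get-ItemProperty -Path $key -Name 'ImagePath' `
                        -ErrorAction SilentlyContinue).ImagePath
        $findings += [pscustomobject]@{
            Indicator = "Service key present: $name"
            Value     = $imagePath
            Match     = [bool]($imagePath -and $imagePath -like "*$($services[$name])*")
        }
    }
}

# AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll,
# which is how the dropped dicthelper.dll reaches the game clients.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -Name 'AppInit_DLLs' `
              -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit -and $appInit -match 'dicthelper\.dll') {
    $findings += [pscustomobject]@{
        Indicator = 'AppInit_DLLs references dicthelper.dll'
        Value     = $appInit
        Match     = $true
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Sanpec.gen!A registry indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

On 64-bit Windows, also check the 32-bit view of the AppInit_DLLs value under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows, since 32-bit game clients read that copy.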
Steals User Information
Win32/Sanpec.gen!A logs keystrokes to capture user account and password information for the following online games:
- QQ Fantasy Online
- Dream Journey To The West Online
- Lineage 2
The stolen user information is then sent to a specific Web server.
Avoids Detection
Win32/Sanpec.gen!A restores the original entries in the System Service Descriptor Table (SSDT), removing the hooks that antivirus products place there, so that its activity is not intercepted and detected.
Additional Information
Analysis by Tim Liu
Prevention