Installation
It can be installed on your PC from a spam email attachment.
We have seen it downloaded by TrojanDownloader:JS/Nemucod.
During installation, the malware will drop its main payload as a blob file in either of these registry keys:
- HKCU\software\<random_characters>, for example mpcjbe00f and fxzozieg
- HKLM\software\<random_characters>, for example oziyns8 and 2pxhqtn
This threat also drops JavaScript code as a registry run key so that the blob file is loaded into memory at startup.
We have seen the JavaScript code being dropped in the following locations:
- hklm\software\microsoft\windows\currentversion\run\
- hklm\software\microsoft\windows\currentversion\policies\explorer\run\
- hklm\software\wow6432node\microsoft\windows\currentversion\run\
- hklm\software\wow6432node\microsoft\windows\currentversion\policies\explorer\run\
- hkcu\software\microsoft\windows\currentversion\run\
- hkcu\software\classes\<random_chars>\shell\open\command\
The dropped JavaScript registry value usually has the following format: "mshta javascript: …".
This JavaScript loads the blob payload into memory and runs it at startup.
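The persistence described above is fileless: the payload lives as a registry blob and an "mshta javascript:" run value loads it. The following PowerShell hunt is an added example, not part of the Microsoft write-up. The registry paths are the ones listed above; the mshta matching pattern, the 64 KB blob-size threshold and the output shape are assumptions of this example.

```powershell
# Added example (not from the write-up): hunt for the persistence described above.
# Run-key paths come from the write-up; pattern, blob threshold and output shape are ours.

$RunKeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Matches "mshta javascript:..." with or without ".exe" and surrounding quotes (assumed pattern).
$MshtaPattern = '^\s*"?mshta(\.exe)?"?\s+javascript:'

function Find-MshtaRunValues {
    # One object per Run value whose command line starts with "mshta javascript:".
    foreach ($path in $RunKeyPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -match $MshtaPattern) {
                [pscustomobject]@{ Key = $path; ValueName = $name; Command = $data }
            }
        }
    }
}

function Find-MshtaShellCommands {
    # The write-up also lists HKCU\Software\Classes\<random_chars>\shell\open\command;
    # check the (Default) value of every such command key under Classes.
    Get-ChildItem -LiteralPath 'HKCU:\SOFTWARE\Classes' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cmd = $_.PSPath + '\shell\open\command'
            if (Test-Path -LiteralPath $cmd) {
                $data = [string](Get-Item -LiteralPath $cmd).GetValue('')
                if ($data -match $MshtaPattern) {
                    [pscustomobject]@{ Key = $cmd; ValueName = '(Default)'; Command = $data }
                }
            }
        }
}

function Find-LargeBinaryBlobs {
    # The payload is stored as a blob under a randomly named key directly beneath
    # HKCU\Software or HKLM\Software. Report REG_BINARY values at that depth that
    # exceed the (assumed) threshold so an analyst can triage them.
    param([int]$MinBytes = 65536)
    foreach ($hive in 'HKCU:\SOFTWARE', 'HKLM:\SOFTWARE') {
        Get-ChildItem -LiteralPath $hive -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -eq 'Binary') {
                    $bytes = $key.GetValue($name)
                    if ($bytes.Length -ge $MinBytes) {
                        [pscustomobject]@{ Key = $key.Name; ValueName = $name; Bytes = $bytes.Length }
                    }
                }
            }
        }
    }
}

Find-MshtaRunValues
Find-MshtaShellCommands
Find-LargeBinaryBlobs | Sort-Object Bytes -Descending
```

Run it from an elevated 64-bit PowerShell session so the HKLM Policies keys are readable and the WOW6432Node paths resolve; a hit from the first two functions paired with a large blob under a short random key name is the combination the write-up describes.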
This threat also injects into legitimate processes. We have seen it inject into the following processes:
- explorer.exe
- iexplorer.exe
- regsvr32.exe
- svchost.exe
After installation, the threat removes the original installer from the disk.
Payload
Lowers Internet Explorer security settings
The malware modifies the following registry entries to lower your Internet Explorer security settings.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1400"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1400"
With data: "0"
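To check whether a machine carries the zone setting described above, the following PowerShell snippet reads the "1400" value in zones 1 and 3 and reports what it means. This is an added example, not part of the Microsoft write-up. The zone numbers and the value name are from the write-up; the mapping of 1400 to the Active scripting URL action and of the data values to the URLPOLICY constants (0 = enable, 1 = prompt, 3 = disable) is standard Internet Explorer behaviour, and the function and column names are this example's own.

```powershell
# Added example (not from the write-up): report the Active scripting policy
# (value "1400") for the Internet Settings zones the write-up names.

$ZoneRoot    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$PolicyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }   # URLPOLICY_ALLOW/QUERY/DISALLOW

function Get-ActiveScriptingPolicy {
    param([int[]]$Zones = @(1, 3))
    foreach ($zone in $Zones) {
        $path = Join-Path $ZoneRoot $zone
        $data = $null
        if (Test-Path -LiteralPath $path) {
            # Returns $null when the value is absent, i.e. the zone inherits its default.
            $data = (Get-Item -LiteralPath $path).GetValue('1400')
        }
        $label = if ($null -eq $data) { 'Not set (inherits default)' }
                 elseif ($PolicyNames.ContainsKey([int]$data)) { $PolicyNames[[int]$data] }
                 else { "Unknown ($data)" }
        [pscustomobject]@{
            Zone        = $zone
            ZoneName    = $ZoneNames[$zone]
            ValueName   = '1400'
            Data        = $data
            Policy      = $label
            SetToEnable = ($null -ne $data -and [int]$data -eq 0)   # the data this threat is reported to write
        }
    }
}

Get-ActiveScriptingPolicy | Format-Table -AutoSize
```

The value lives under HKCU, so run the check as the affected user; SetToEnable being true on both zones matches the modification described above and is a prompt to look for the persistence artifacts listed under Installation.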
Steals your personal information
We have seen this threat send the following details about your PC to a remote hacker:
- Operating system
- GUID
- Date and time zone
- Language
- Antivirus software
It can also detect specific tools present on your PC and send that information to the remote hacker:
- JoeBox
- QEmuVirtualPC
- Sandboxie
- SunbeltSandboxie
- VirtualBox
- VirtualPC
- VMWare
- Wireshark
Uses your PC for click fraud
We have seen this threat silently visit websites without your consent to perform click fraud by clicking on advertisements; it does this by running several instances of Internet Explorer in the background.
Downloads updates and other malware
This threat can download and run files. It uses this capability to update itself to a newer version.
We have seen it download other malware recently:
- Trojan:Win32/Corebot
- Trojan:Win32/Eksor
Analysis by Duc Nguyen