Analysis by: Mark Joseph Manahan

ALIASES:

Mal/RufTar-C (Sophos) ,Trojan horse PSW.Generic10.BNGG (AVG) ,W32/ZBOT.CDL!tr (Fortinet) ,W32/Usteal.C.gen!Eldorado (generic, not disinfectable) (Fprot) ,Trojan-Spy.Win32.Usteal (Ikarus) ,HEUR:Trojan.Win32.Generic (Kaspersky) ,Trojan:Win32/Ransom.FO (Microsoft) ,PWS-FAPK!83050FBF1095 (McAfee) ,probably a variant of Win32/Spy.Usteal.C trojan (Eset) ,Trojan-Spy.Win32.Usteal.da (v) (Sunbelt)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This USTEAL variant drops a ransomware detected as TROJ_RANSOM.SMAR, which is created by a new toolkit builder.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 77,824 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 23 Apr 2014
Payload: Connects to URLs/IPs, Steals information, Drops files

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware adds the following folders:

  • {Malware Path}\ufr_reports

It drops and executes the following files:

  • %User Temp%\222.exe - detected as TROJ_RANSOM.SMAR

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • UFR3

Information Theft

This spyware gathers the following data:

  • System Information

Stolen Information

This spyware saves the stolen information in the following file:

  • {Malware Path}\ufr_reports\report_{dd-mm-yyyy}_{System IDs}-{random}.bin

Drop Points

Stolen information is uploaded to the following websites:

  • {BLOCKED}.{BLOCKED}i.esy.es

Other Details

This spyware connects to the following URL(s) to get the affected system's IP address:

  • http://whatismyip.akamai.com
  • http://whatismyip.everdot.org/ip
  • http://whatismyip.org

NOTES:

It attempts to steal stored account information of the following installed FTP clients or File Managers:

  • WS_FTP
  • SmartFTP
  • CoreFTP
  • FileZilla
  • FlashFXP
  • Far
  • Total Commander
  • WinSCP

It also attempts to steal stored email credentials:

  • The Bat!
  • IncrediMail
  • SeaMonkey
  • Thunderbird

This spyware attempts to retrieve stored information such as user names, passwords, and hostnames from the following browsers:

  • Internet Explorer
  • Opera
  • Chromium-based
  • FireFox
  • Safari

This spyware attempts to retrieve stored information such as user names and passwords from the following instant messenger:

  • Mail.Ru Agent
  • ICQ
  • Miranda
  • Psi
  • Google Talk
  • QIP 2005
  • Live Messenger
  • Pidgin
  • QIP Infium
  • MSN Messenger

This spyware attempts to retrieve stored information such as user names and passwords from the following games:

  • World Of Tanks
  • Full Tilt Poker
  • Poker Stars

This spyware attempts to retrieve stored information such as user names and passwords from the following Windows applications:

  • RDP
  • Windows RAS

  SOLUTION

Minimum Scan Engine: 9.700
FIRST VSAPI PATTERN FILE: 10.744.03
FIRST VSAPI PATTERN DATE: 23 Apr 2014
VSAPI OPR PATTERN File: 10.745.00
VSAPI OPR PATTERN Date: 24 Apr 2014

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file dropped/downloaded by TSPY_USTEAL.USRJ. (Note: Please skip this step if the threat(s) listed below have already been removed.)

Step 3

Search and delete this folder

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.  
  • {Malware Path}\ufr_reports

Step 4

Scan your computer with your Trend Micro product to delete files detected as TSPY_USTEAL.USRJ If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.