TSPY_MIUREF.K

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded from remote sites by other malware.

It does not have any propagation routine.

It does not have any backdoor routine.

It connects to certain websites to send and receive information.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from remote site(s) by the following malware:

• JS_NEMUCOD.KXYZ
• JS_NEMUCOD.XYZD

Installation

This spyware drops the following copies of itself into the affected system:

• %AppDataLocal%\{random folder name}\{malware file name}.exe

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %AppDataLocal%\{random folder name}\{GUID}

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %AppDataLocal%\{random folder name}

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {Malware Generated GUID}

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random folder name} = "%AppDataLocal%\{random folder name}\{malware file name}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%System%\regsvr32.exe %AppDataLocal%\{random folder}\{random file name}.dll" <-Created autostart for component

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\{name based on random folder}

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\{name based on random folder}
{GUID} = "{hex value data}"

Propagation

This spyware does not have any propagation routine.

Backdoor Routine

This spyware does not have any backdoor routine.

Download Routine

This spyware saves the files it downloads using the following names:

• %AppDataLocal%\{random folder name}\{random file name}.dll
• %AppDataLocal%\{random folder name}\{random file name}.txt
• %AppDataLocal%\{random folder name}\{random file name}.dat
• %AppDataLocal%\{random folder name}\{random file name}.idx
• %AppDataLocal%\{random folder name}\{random file name}.lck

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Information Theft

This spyware gathers the following data:

• Operating system version
• Device information
• System boot information
• Windows Management Instrumentation informations(BIOS,Video Controller,Display Configuration)
• Processor information

Other Details

This spyware connects to the following URL(s) to check for an Internet connection:

• http://www.microsoft.com

It connects to the following website to send and receive information:

• {BLOCKED}.{BLOCKED}.217.292:443
• {BLOCKED}.{BLOCKED}.4.68:443
• {BLOCKED}.{BLOCKED}.149.144:443
• {BLOCKED}.{BLOCKED}.80.172:443

It requires the following additional components to properly run:

• {Malware Path}\setup.dat
• %Application Data%\{random folder name 2}\{random}.dat

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It does the following:

• Downloads component/configuration/file
• Can install an extension for Chrome and insert an add-ons for Firefox(this can include click fraud)
• Receives information for redirection and new connections from C&C servers
• Reports infection of machine(GUID and Computer name)