WORM_PYBERTY.A

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

• %System Root%\MSDcache\system\system.dll - This is log file that contains all mouse and keyboard activities of the user

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It drops the following non-malicious files:

• %User Temp%\_MEI{random numbers}\_ctypes.pyd
• %User Temp%\_MEI{random numbers}\_hashlib.pyd
• %User Temp%\_MEI{random numbers}\_socket.pyd
• %User Temp%\_MEI{random numbers}\_ssl.pyd
• %User Temp%\_MEI{random numbers}\_win32sysloader.pyd
• %User Temp%\_MEI{random numbers}\bz2.pyd
• %User Temp%\_MEI{random numbers}\Crypto.Cipher._AES.pyd
• %User Temp%\_MEI{random numbers}\mfc90.dll
• %User Temp%\_MEI{random numbers}\mfc90u.dll
• %User Temp%\_MEI{random numbers}\mfcm90.dll
• %User Temp%\_MEI{random numbers}\mfcm90u.dll
• %User Temp%\_MEI{random numbers}\Microsoft.VC90.CRT.manifest
• %User Temp%\_MEI{random numbers}\Microsoft.VC90.MFC.manifest
• %User Temp%\_MEI{random numbers}\msvcm90.dll
• %User Temp%\_MEI{random numbers}\msvcp90.dll
• %User Temp%\_MEI{random numbers}\msvcr90.dll
• %User Temp%\_MEI{random numbers}\pyexpat.pyd
• %User Temp%\_MEI{random numbers}\pyHook._cpyHook.pyd
• %User Temp%\_MEI{random numbers}\python27.dll
• %User Temp%\_MEI{random numbers}\pythoncom27.dll
• %User Temp%\_MEI{random numbers}\pywintypes27.dll
• %User Temp%\_MEI{random numbers}\select.pyd
• %User Temp%\_MEI{random numbers}\unicodedata.pyd
• %User Temp%\_MEI{random numbers}\win32api.pyd
• %User Temp%\_MEI{random numbers}\win32file.pyd
• %User Temp%\_MEI{random numbers}\win32pipe.pyd
• %User Temp%\_MEI{random numbers}\win32trace.pyd
• %User Temp%\_MEI{random numbers}\win32ui.pyd
• %User Temp%\_MEI{random numbers}\win32wnet.pyd
• %User Temp%\_MEI{random numbers}\eggs\pyperclip-1.5.4-py2.7.egg
• %User Temp%\_MEI{random numbers}\include\pyconfig.h
• %User Temp%\{random char}\gen_py\__init__.py
• %User Temp%\{random char}\gen_py\dicts.dat

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %System Root%\MSDcache
• %System Root%\MSDcache\system
• %User Temp%\_MEI{random numbers}
• %User Temp%\_MEI{random numbers}\eggs
• %User Temp%\_MEI{random numbers}\include
• %User Temp%\{random char}
• %User Temp%\{random char}\gen_py

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKCU\Software\Microsoft\
Windows\CurrentVersion\Run
Liberty(Malware Version).exe = %System Root%\MSDcache\Liberty(Malware Version).exe

Propagation

This worm creates the following folder in all physical and removable drives:

• {drive}:\MSDcache

It drops the following copy of itself in all physical and removable drives:

• {drive}:\MSDcache\Liberty{Malware Version}.exe
• {drive}:\MSDcache\Liberty1.0.bat - batch file that executes the malware
• {drive}:\MSDcache\Liberty1.0.bat.lnk - shortcut for the batch file

Download Routine

This worm downloads an updated copy of itself from the following website(s):

• http://{BLOCKED}ickupdate.ddns.net
• http://{BLOCKED}pdate.{BLOCKED}s.net
• http://{BLOCKED}pdate.{BLOCKED}s.net

It saves the files it downloads using the following names:

• %System Root%\MSDCache\Liberty{Malware Version}.exe

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Information Theft

This worm gathers the following data:

• Mouse click coordinates
• Keyboard key press
• Last window name clicked

NOTES:

Should the log file %System Root%/MSDcache/system/system.dll reaches over 50,000 bytes in size, it compresses the log file into:

• %System Root%/MSDcache/{Hash of the Current Time and Date}.zip - deleted after encryption

An example of the log system.dll that this malware creates viewed on a text editor is below:

It encrypts the created archive into:

• %System Root%/MSDcache/{Hash of Current Time and Date}.zip.enc

The encrypted archive is sent to following URLs:

• http://{BLOCKED}ickupload.ddns.net
• http://{BLOCKED}pload.ddns.net
• http://{BLOCKED}pload.ddns.net

The log file is deleted and replaced by a new one to begin the capture of mouse clicks and keyboard key presses.