TSPY_EUPUDS.A

This malware uses an AutoIT packer, a scripting language leveraged by cybercriminals. When executed, it steals system-related information and gathers stored user names and passwords from certain browsers.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

This spyware may be downloaded by other malware/grayware from remote sites.

It retrieves specific information from the affected system.

Arrival Details

This spyware may be downloaded by the following malware/grayware from remote sites:

• TROJ_BANLOAD.LNA

It may be downloaded from the following remote sites:

• http://www.{BLOCKED}d.com/download/p6SLJ1nC/id3.zip

Installation

This spyware drops the following files:

• %Application Data%\25f5093e
• %Application Data%\7c71538a

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

• %Application Data%\{random folder}\{random filename}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It creates the following folders:

• %Application Data%\{random folder}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• DynGateInstanceMutexS

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random filename} = "%Application Data%\{random folder}\{random filename}.exe"

Download Routine

This spyware connects to the following URL(s) to download its configuration file:

• {BLOCKED}.{BLOCKED}.25.190/mfb.php - inaccessible

Information Theft

This spyware retrieves the following information from the affected system:

• UserID
• Browser & Version
• OS Type and Version
• Malware Version

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• iexplore.exe
• chrome.exe
• firefox.exe

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• {BLOCKED}.102.{BLOCKED}.190/index.php

NOTES:

It injects its code to a running process except the following:

• Services.exe
• Explorer.exe
• Userinit.exe
• Iexplore.exe
• Firefox.exe
• Chrome.exe
• Crsss.exe
• Svchost.exe
• Winlogon.exe
• Lsass.exe

It hooks ExitProcess API with an infinite sleep command to avoid unloading of memory of process to dump.

It sleeps for 21,000 seconds when there's a running AvastSvc.exe application.

It needs another plugin/component gforce_dll for its URL spoofing for the following websites:

• hotmail.com
• facebook.com
• live.com