TSPY_URSNIF.YYSXG

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops and executes the following files:

• %User Temp%\{random folder name}\{random filename}.bat ← used to execute copy and delete itself

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

• %Application Data%\Microsoft\{string1}{string2}\{string1}{string2}.exe
  where:
  {string1} = first four letters of a dll file under %System% directory
  {string2} = last four letters of a dll file under %System% directory

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It creates the following folders:

• %Application Data%\Microsoft\{string1}{string2}\
  where:
  {string1} = first four letters of a dll file under %System% directory
  {string2} = last four letters of a dll file under %System% directory

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{string1}{string2} = "%Application Data%\Microsoft\{string1}{string2}\{string1}{string2}.exe"

Other System Modifications

This Trojan Spy adds the following registry keys:

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Run

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Vars

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Files

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Config

It adds the following registry entries:

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}
{Value Name} = "{hex value}"
where {Value Name} may be any of the following:

• Main
• Block
• Temp
• Client
• Ini
• Keys
• Scr
• Install
• LastTask
• LastConfig
• CrHook
• OpHook
• Exec
• NetCfg
• LastIni

Dropping Routine

This Trojan Spy drops the following files:

• %User Temp%\{random filename}.bin - zip file containing stolen information.
• %User Temp%\{random filename}.bi1 - contains the users IP Address

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other Details

This Trojan Spy connects to the following URL(s) to get the affected system's IP address:

• resolver1.opendns.com

It connects to the following possibly malicious URL:

• http://{BLOCKED}nyysoftwareforsoft.ru/images/{random path}.{bmp/gif/jpeg}
• http://{BLOCKED}dandsoftwaret.ru/images/{random path}.{bmp/gif/jpeg}
• http://{BLOCKED}spectheywww.ru/images/{random path}.{bmp/gif/jpeg}
• http://{BLOCKED}gresuchcons.ru/images/{random path}.{bmp/gif/jpeg}
• http://{BLOCKED}ecnotwhenforexcfr.ru/images/{random path}.{bmp/gif/jpeg}
• http://{BLOCKED}withsoldsuequiv.ru/key/x32.bin

It deletes the initially executed copy of itself