TEQUILA


 ALIASES:

Zopharp, BamCompiled

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet


TEQUILA is bot malware which made headlines after targeting Mexico's financial institutions in 2010. The botnet particularly targeted the country's local Paypal site and the country's largest bank, Bancomer.

This malware connects to a C&C server in order to receive commands that can control the affected system. These commands may include downloading configuration files, deleting files, sending messages via MSN messenger, and downloading and executing other files.

It may steal information such as the IP address, IP location, country, and the computer name of the affected system.

This malware can download other malware like ZBOT and FAKEAV variants, making the affected system more vulnerable to other threats.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Steals information, Downloads files

Installation

This spyware drops the following files:

  • %Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\register.bat
  • %Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\register.vbs
  • %Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\svxhost.exe

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It creates the following folders:

  • %Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
svxhost = "%Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\svxhost.exe"

Other System Modifications

This spyware adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\WinRAR SFX
%Windows%WinSxS%x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53% = "%Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53"

It adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\WinRAR SFX

Other Details

This spyware connects to the following possibly malicious URL:

  • http://www.{BLOCKED}ess.com/
  • http://{BLOCKED}o.{BLOCKED}php.com/
  • http://{BLOCKED}i.{BLOCKED}php.com/
  • http://{BLOCKED}o.{BLOCKED}php.com/