Analysis by: Rhena Inocencio

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File size: 114,688 bytes
File type: EXE
Initial samples received date: 12 Apr 2012

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system and executes them:

  • %Program Files%\archivos.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpyEx = "{malware path and filename}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpyEx = "%Program Files%\archivos.exe"

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Morpheus\Registered
startup = "1"

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Morpheus\Registered
started = "True"

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Morpheus

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Morpheus\Registered
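
A host check for the file and registry artifacts listed under Installation, Autostart Technique and Other System Modifications, added here as an example and not part of the original analysis. The function names are hypothetical, the Wow6432Node lookup assumes a 32-bit sample on 64-bit Windows, and the syntax is kept compatible with PowerShell 2.0.

```powershell
# Added example. Indicator values come from the page; function names are hypothetical.
function New-Finding($Type, $Location, $Detail) {
    New-Object PSObject -Property @{ Type = $Type; Location = $Location; Detail = $Detail }
}

function Get-SpyExArtifact {
    $found = @()

    # Dropped copy: look in both Program Files folders named in the note above.
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($dir in $dirs) {
        $path = Join-Path $dir 'archivos.exe'
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $size = (Get-Item -LiteralPath $path -Force).Length
            $found += New-Finding 'File' $path "$size bytes (page lists 114,688)"
        }
    }

    # Autostart value SpyEx. Assumption: the sample is a 32-bit process, so on
    # 64-bit Windows its HKLM\SOFTWARE writes are redirected to Wow6432Node.
    foreach ($view in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
        $key = "HKLM:\$view\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -LiteralPath $key -Name 'SpyEx' -ErrorAction SilentlyContinue
        if ($run) { $found += New-Finding 'RunValue' "$key\SpyEx" $run.SpyEx }
    }

    # Marker key under every loaded user hive, not only the current user.
    $users = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue
    foreach ($hive in $users) {
        $key = "Registry::$($hive.Name)\Software\VB and VBA Program Settings\Morpheus"
        if (Test-Path -LiteralPath $key) {
            $reg = Get-ItemProperty -LiteralPath "$key\Registered" -ErrorAction SilentlyContinue
            $found += New-Finding 'MarkerKey' $key "startup=$($reg.startup); started=$($reg.started)"
        }
    }
    $found
}

Get-SpyExArtifact | Format-Table Type, Location, Detail -AutoSize -Wrap
```

Run it from an elevated prompt so that other users' loaded hives are readable; hives of users who are not logged on are not loaded and are not covered.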