Modified by: Sabrina Lei Sioting
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It also has rootkit capabilities, which enables it to hide its processes and files from the user.

  TECHNICAL DETAILS

Tamaño del archivo 200,192 bytes
Tipo de archivo EXE
Residente en memoria Yes
Fecha de recepción de las muestras iniciales 04 Dec 2011

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

  • %System Root%\config.Bin\{random}.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following component file(s):

  • %System Root%\config.Bin\{random}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %System Root%\config.Bin

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%System Root%\config.Bin\{random}.exe /q"

Rootkit Capabilities

This spyware also has rootkit capabilities, which enables it to hide its processes and files from the user.

Other Details

This spyware connects to the following URL(s) to check for an Internet connection:

  • http://www.microsoft.com/

Relacionado entradas de blog