TSPY_AMBLER
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet, Spammed via email, Dropped by other malware
AMBLER is a family of Trojans, spyware, and worms designed to steal sensitive information from users; its variants were first seen in the wild in 2009. The information it steals includes the following:
- online banking credentials
- account information
- other personally identifiable information (PII)
The stolen information may be used by cybercriminals for other malicious activities or sold in the cybercriminal underground.
This malware family typically arrives as an attachment to spammed messages. It can also be downloaded from compromised or malicious websites. Aside from its information-stealing routines, AMBLER variants are capable of man-in-the-browser attacks such as keylogging, screen capturing, and web injection.
TECHNICAL DETAILS
Payload: Steals information
Installation
This Trojan drops the following files:
- %System%\tftb71.dll
- %System%\vktyfd.dll
- %System%\giw
- %System%\iafzb
- %System%\klgd.bmp
- %System%\bdf.txt
- %System%\ccdf.txt
- %System%\eeef.txt
- %System%\fsc.txt
- %System%\ide.txt
- %System%\lbbf.txt
- %System%\lrg.txt
- %System%\xef.txt
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It drops the following copies of itself into the affected system:
- {drive letter}:\RECYCLER\recycld.exe
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
hihg = "rundll32.exe vktyfd.dll,ID"
It adds the following registry keys to install itself as a Browser Helper Object (BHO):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{6A79CF97-91F1-40BC-8CAB-44184B496B6D} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{94EA03C3-5988-4428-A5BF-5AB34C82C806} =
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_CLASSES_ROOT\CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}
{default} = "Internet Explorer Plugin"
HKEY_CLASSES_ROOT\CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}
{default} = "Internet Explorer Plugin"
HKEY_CLASSES_ROOT\CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}\InprocServer32
{default} = "tftb71.dll"
HKEY_CLASSES_ROOT\CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}\InprocServer32
{default} = "vktyfd.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}
{default} = "Internet Explorer Plugin"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}
{default} = "Internet Explorer Plugin"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}\InprocServer32
{default} = "tftb71.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}\InprocServer32
{default} = "vktyfd.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E3428D3F-3725-4FE1-986A-57EAE3E08123}
{default} = "IE development helper "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E3428D3F-3725-4FE1-986A-57EAE3E08123}
StubPath = "rundll32 vktyfd.dll,laspi"
HKEY_LOCAL_MACHINE\SOFTWARE\Rapport
JGG = "{random characters}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Enable Browser Extensions = "yes"
It adds the following registry keys as part of its installation routine:
HKEY_CLASSES_ROOT\CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}
HKEY_CLASSES_ROOT\CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}
HKEY_LOCAL_MACHINE\SOFTWARE\Rapport
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E3428D3F-3725-4FE1-986A-57EAE3E08123}
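The persistence artifacts listed above (the RunOnce value, the BHO and Active Setup CLSIDs, and the rundll32 StubPath) can be hunted for offline in a registry export. The following Python is an added example, not code from this entry or from Trend Micro: it parses a constructed .reg-style export and flags those indicators. The sample export, the benign Run entry in it and the rundll32 pattern are assumptions made for the example; the CLSIDs and value data are the ones listed in this entry.

```python
import re

# Indicators taken from the TSPY_AMBLER entry above (BHO and Active Setup CLSIDs).
AMBLER_CLSIDS = {"{6A79CF97-91F1-40BC-8CAB-44184B496B6D}",
                 "{94EA03C3-5988-4428-A5BF-5AB34C82C806}",
                 "{E3428D3F-3725-4FE1-986A-57EAE3E08123}"}
# Autostart data of the form "rundll32[.exe] <name>.dll,<export>", as in the RunOnce and StubPath values above.
RUNDLL32_RE = re.compile(r"^rundll32(?:\.exe)?\s+\S+\.dll,", re.IGNORECASE)

# Constructed .reg export: the AMBLER entries listed above plus one benign Run entry that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"hihg"="rundll32.exe vktyfd.dll,ID"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E3428D3F-3725-4FE1-986A-57EAE3E08123}]
@="IE development helper "
"StubPath"="rundll32 vktyfd.dll,laspi"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Benign"="C:\\Program Files\\Vendor\\updater.exe /quiet"
"""

def parse_reg_export(text):
    """Parse .reg-style text into {key_path: {value_name: data}}; '@' is the key's default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip().strip('"')
    return keys

def find_ambler_indicators(keys):
    """Return (reason, location) pairs for the persistence artifacts described in this entry."""
    findings = []
    for key, values in keys.items():
        upper = key.upper()
        if any(clsid in upper for clsid in AMBLER_CLSIDS):
            findings.append(("known AMBLER CLSID", key))
        if "\\ACTIVE SETUP\\INSTALLED COMPONENTS\\" in upper and RUNDLL32_RE.match(values.get("StubPath", "")):
            findings.append(("Active Setup StubPath loads a DLL via rundll32", key + " -> " + values["StubPath"]))
        if upper.endswith(("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNONCE")):
            for name, data in values.items():
                if RUNDLL32_RE.match(data):
                    findings.append(("Run/RunOnce entry loads a DLL via rundll32", f"{key}\\{name} -> {data}"))
    return findings
```

Run `find_ambler_indicators(parse_reg_export(SAMPLE_REG))` on the sample to get four findings (the RunOnce value, both CLSID keys and the StubPath); feed it the text of a `reg export` of HKCU and HKLM to check a real host.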