Details:
This Trojan installs a Browser Helper Object (BHO) on target machines. The said BHO enables it to log user keystrokes, monitor sites visited by users, and gather system information.
It then sends the gathered information via email to the BHO creators in Russia.
BHOs are programs installed unknowingly on affected systems. They are designed to run automatically at every system startup to monitor user activity.
Upon execution, it drops the following .DLL files in the Windows system folder:
- SYSCONNECT.DLL (BHO component)
- WINMGMT.DLL (keylogger)
(Note: The Windows system folder is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
It creates the following registry entries to install itself as a valid Browser Helper Object:
HKEY_CLASSES_ROOT\CLSID\{%generated_ID%}\InProcServer32
Default = "%malware path%\sysconnect.DLL"
HKEY_CLASSES_ROOT\CLSID\{%generated_ID%}\InProcServer32
ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer
InstallerParameters = "hex: %generated_hex_value%"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
SysConnect = "{%generated_ID%}"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{%generated_ID%}\InProcServer32
Default = "%malware path%\sysconnect.DLL"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{%generated_ID%}\InProcServer32
ThreadingModel = "Apartment"
It also creates the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer
(Note: %malware path% is a variable directory where the malware is located.
%generated_ID% refers to a variable alphanumeric ID generated by this malware.
%generated_hex_value% is a variable value generated by this malware and stored in the InstallerParameters entry.)
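The registry layout above gives a defender two concrete things to check: the ShellServiceObjectDelayLoad value that names a CLSID, and that CLSID's InProcServer32 path, which points at the dropped DLL. The script below is an added example, not part of this advisory or any vendor tool. It parses an offline .reg export (the sample text is constructed, and both CLSIDs in it are made up), walks every ShellServiceObjectDelayLoad entry, resolves the CLSID to its InProcServer32 DLL, and flags entries whose DLL name matches the file names listed in this description or whose CLSID has no InProcServer32 path at all.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample registry export in REGEDIT4 syntax. It is NOT from a real
# machine: one benign-looking ShellServiceObjectDelayLoad entry plus one entry
# laid out the way the advisory describes, with invented CLSID values.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
"SysConnect"="{11111111-2222-3333-4444-555555555555}"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\Windows\\System32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Windows\\System32\\sysconnect.DLL"
"ThreadingModel"="Apartment"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Registry locations from the advisory (compared case-insensitively).
SSODL_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload"
CLSID_ROOTS = (r"hkey_local_machine\software\classes\clsid", r"hkey_classes_root\clsid")
# DLL names the advisory lists as dropped components.
KNOWN_DLLS = {"sysconnect.dll", "winmgmt.dll"}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path_lower: {value_name_lower: data}}.

    Only string values are handled, which is all this check needs; the default
    value '@' is stored under the empty name.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name = val.group(1)
            name = "" if name == "@" else name[1:-1]
            data = val.group(2)
            if data.startswith('"') and data.endswith('"'):
                # Undo .reg escaping of backslashes and quotes.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.lower()] = data
    return keys


def resolve_inproc(keys: Dict[str, Dict[str, str]], clsid: str) -> Optional[str]:
    """Return the InProcServer32 default value (DLL path) for a CLSID, if any."""
    for root in CLSID_ROOTS:
        path = f"{root}\\{clsid.lower()}\\inprocserver32"
        if path in keys and "" in keys[path]:
            return keys[path][""]
    return None


def find_suspicious_ssodl(text: str) -> List[Tuple[str, str, Optional[str], str]]:
    """Return (value_name, clsid, dll_path, reason) for each flagged SSODL entry."""
    keys = parse_reg(text)
    findings = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        dll = resolve_inproc(keys, clsid)
        if dll is None:
            findings.append((name, clsid, None, "SSODL entry with no InProcServer32 path"))
            continue
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in KNOWN_DLLS:
            findings.append((name, clsid, dll, "DLL name matches advisory indicator"))
    return findings


if __name__ == "__main__":
    for value_name, clsid, dll, reason in find_suspicious_ssodl(SAMPLE_REG):
        print(f"{value_name}: {clsid} -> {dll} ({reason})")
```

Run it against a real export with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` and the CLSID hive (the sample is embedded so the script runs as-is). Matching on DLL file name is deliberately narrow; treating any ShellServiceObjectDelayLoad CLSID that resolves outside the Windows system folder as worth a look is a reasonable broader rule, but that extension is not shown here.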
It arrives UPX-compressed. Its file size varies depending on which component it drops. The dropped files have the following sizes:
- 28,672 bytes - SYSCONNECT.DLL
- 8,708 bytes - WINMGMT.DLL
It also drops either the file NATO.DOC, containing an article entitled "NATO, Iraq and the German-American Waltz", or the file #3004-19-07-2004.DOC, which contains the article "The North Atlantic Treaty", in the Windows temporary folder.
Analysis by: Bernard Sapaden