PUA.Win32.ActivityMonitor.B

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes registry entries, causing some applications and programs to not function properly.

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application drops the following files:

• %Windows%\system\sys\syssettings\config.ini
• %Windows%\system\sys\syscon\Fport.exe
• %Windows%\system\sys\syscon\ipseccmd.exe
• %Windows%\system\sys\syscon\ipsecpol.exe
• %Windows%\system\sys\syscon\text2pol.dll
• %Windows%\system\sys\syscon\ipsecutil.dll
• %User Temp%\Low\sysinfo.bat → execute system info
• %User Temp%\Low\systeminfo.txt → Output of system info
• %User Temp%\DB\soft_run.tbl → software database
• %User Temp%\Low\dev_old.cfg → list of hardware installed
• %User Temp%\Low\dev_new.cfg → list of hardware installed
• %User Temp%\Low\soft_old.cfg → list of software installed
• %User Temp%\Low\soft_new.cfg → list of software installed
• %User Temp%\Low\soft_mini.cfg → list of software installed
• %User Temp%\Low\software.cfg → list of software installed
• %User Temp%\Low\sysinfo.cfg → Output of system info
• %User Temp%\Low\clipboard\{date}.cfg → Logging of clipboard data
• %User Temp%\Low\itech.ini → instant messaging config
• %User Temp%\Low\syslog\{date}.cfg → system event logs
• %User Temp%\Low\config.ini → config file
• %User Temp%\Low\calsum\{date}.ini → File/Data security logs
• %User Temp%\Low\SCREEN\{datetime}.jpg → snapshot
• %User Temp%\Low\alarm\{date}.cfg
• %User Temp%\Low\netstat.bat → execute netstat
• %User Temp%\Low\tasklist.bat → execute tasklist
• %User Temp%\Low\nconnections.bat → execute netstat
• %User Temp%\Low\netshare.bat → execute net share
• %User Temp%\Low\sc.bat → execute sc query
• %User Temp%\Low\syscsv.bat → execute systeminfo
• %User Temp%\Low\diskspace.bat → execute WMIC to gather logical disk information
• %User Temp%\Low\wmicsoftware.bat → execute WMIC to gather all installed application
• %User Temp%\Low\netshare.txt → output of netshare.bat
• %User Temp%\Low\tasklist.txt → output of tasklist.bat
• %User Temp%\Low\diskspace.txt → output of diskspace.bat
• %User Temp%\Low\sc.txt → output of sc.bat
• %User Temp%\Low\netstat.txt → output of netstat.bat
• %User Temp%\Low\nconnections.txt → output of nconnections.bat
• %User Temp%\Low\wmicsoftware.txt → output of wmicsoftware.bat
• %User Temp%\Low\syscsv.txt → output of syscsv.bat
• %User Temp%\Low\{date}traffic.ini → network traffic logs

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• cmd /c %User Temp%\Low\sysinfo.bat
• systeminfo > "%User Temp%\Low\systeminfo.txt"
• mspts.exe
• enumdev.exe
• cmd /c %User Temp%\Low\netstat.bat
• cmd /c %User Temp%\Low\tasklist.bat
• cmd /c %User Temp%\Low\nconnections.bat
• cmd /c %User Temp%\Low\netshare.bat
• cmd /c %User Temp%\Low\sc.bat
• cmd /c %User Temp%\Low\syscsv.bat
• cmd /c %User Temp%\Low\diskspace.bat
• cmd /c %User Temp%\Low\wmicsoftware.bat
• WMIC LOGICALDISK GET DESCRIPTION,DEVICEID,FILESYSTEM,SIZE,FREESPACE > "%User Temp%\Low\diskspace.txt"
• netstat -bt > "%User Temp%\Low\nconnections.txt"
• net share > "%User Temp%\Low\netshare.txt"
• netstat -e > "%User Temp%\Low\netstat.txt"
• sc query > "%User Temp%\Low\sc.txt"
• systeminfo > "%User Temp%\Low\syscsv.txt"
• tasklist > "%User Temp%\Low\tasklist.txt"
• WMIC product get name,version > "%User Temp%\Low\wmicsoftware.txt"

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %User Temp%\Low
• %User Temp%\Low\reg_backup
• %User Temp%\Low\smtp_file
• %User Temp%\Low\pop3_file
• %User Temp%\Low\attendance
• %User Temp%\Low\file_transfer_backup
• %User Temp%\Low\outlook
• %User Temp%\Low\agentupgrade
• %User Temp%\Low\SCREEN
• %User Temp%\Low\appfiles
• %User Temp%\Low\alarm
• %User Temp%\Low\calsum
• %User Temp%\Low\clipboard
• %User Temp%\Low\sc
• %User Temp%\Low\SCREEN
• %User Temp%\Low\syslog
• %User Temp%\DB

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• EagleEye 1.5 - EagleEye 2005.11.04

Other System Modifications

This Potentially Unwanted Application deletes the following files:

• %Application Data%\imonitor\ProcGuard.exe
• %Application Data%\imonitor\Client.exe
• %System Root%\Client.exe
• %System Root%\ProcGuard.exe
• %Windows%\system\sys\syscon\Client.exe
• %User Temp%\Low\websitedownload.cfg
• %User Temp%\Low\websitesearch.cfg
• %User Temp%\Low\site.cfg
• %User Temp%\Low\websiteurl.cfg
• %User Temp%\Low\ss_client.log
• %User Temp%\Low\outlook.log
• %User Temp%\Low\eamusb.txt
• %User Temp%\DB\soft_run.tbl
• %User Temp%\Low\run_proc.cfg
• %System Root%\sip.bat

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\LockSeting
lock_flag = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\LockSeting
device = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\LockSeting
software = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice
usb = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice
comm = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice
bing = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice
cdrom = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice
softdisk = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
autostart_client = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
enable_procrule = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
incoming = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
outgoing = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
LMOUSE = {string}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting
RMOUSE = {string}

It deletes the following registry entries:

SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
ProcGuard =

Other Details

This Potentially Unwanted Application adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\TermSetting

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\LockSeting

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\FileSetting

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\OutDevice

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
THC\Printer

NOTES:

It does the following:

• It executes the following commands from a remote user:
  • Remote access/control
  • Snapshot
  • Remote Camera
  • Manage files (move, copy, delete, send, receive)
  • Power control (shutdown, restart, log off, lock)
  • View current processes
  • Terminate selected process
  • View Services
  • View Autoruns
  • View IP address
  • View netowrk shares
  • Send message
  • Send Command
  • View running application
  • Generate report
    • Work Summary
    • Network Traffic
    • Application
    • Website
    • Keystrokes
    • Clipboard
    • Files
    • USB Device
    • Print Jobs
    • E-mail
    • System Events
    • EAM Alert
    • Keywords
    • Chat History
  • Computer logs
    • System
    • Network Traffic
    • Keystrokes
    • App History
    • System Events
    • Alerts
    • Keyword Log
    • Software
    • Hardware
    • Internet
    • Email
    • Web
    • Chat
    • Online Storage
    • Social Sites
    • File/ Data Security
    • Clipboard
    • Files
    • USB Device
    • File Backup
    • File Transfer
    • Print Jobs
• It requires the following files in order for it to proceed to its intended routine:
  • highgui100.dll
  • cxcore100.dll
  • cvcam100.dll
• It opens the following port(s) where it listens for remote commands
  • 25814