Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This malware is dropped by TROJ_SMALL.WZ into specific folders.

The malware performs the following specific routines if it detects that it is loaded by sysprep.EXE:

The malware sends DNS TXT queries to specific URLs to receive additional URLs from which it downloads additional files. The replies from the servers are RC4-encrypted messages.

As of this writing, the malware connects to specific Google sites to download additional component files. These files are also encrypted with the RC4 algorithm.

It decrypts and loads the downloaded files in memory.

  TECHNICAL DETAILS

File Size: 8,704 bytes
File Type: DLL
Memory Resident: Yes
Initial Samples Received Date: 08 Feb 2011

Installation

This Trojan adds the following mutexes to ensure that only one of its copies runs at any one time:

  • Global\sp_runned

NOTES:

This malware is dropped by TROJ_SMALL.WZ as ms{6 random characters}.DLL in %System%, %User Profile%\Application Data, or %User Profile%\Appdata\Roaming\ms{random characters}.DLL, depending on the operating system version and user privileges. It is also dropped as %System%\sysprep\cryptbase.DLL on Vista, 2008, and Windows 7.

The malware performs the following if it detects that it is loaded by sysprep.EXE:

  • It copies itself to %System% as ms{random characters}.DLL
  • It modifies the following registry entry to enable itself to execute at every system startup:
    In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
    From: SecurityProviders = {default values}
    To: SecurityProviders = {default values} {file name of the dropped DLL}
  • It also creates a Windows Firewall rule that adds rundll32.EXE as an authorized application. The rule created is named "Security Update".
  • This malware then proceeds to execute itself using rundll32.EXE.
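The persistence and drop-location indicators above can be audited without touching the infected machine: read the SecurityProviders value with `reg query`, paste it into the script, and compare it with a clean baseline. The following is an added example written for this page, not code from the Trend Micro write-up. The per-OS baselines are assumed defaults for illustration and should be replaced with the value taken from a known-clean machine of the same build; the sysprep path check follows the drop location the write-up gives for Vista, 2008 and Windows 7.

```python
"""Audit the SecurityProviders value and the sysprep drop path described above.

Added example, not code from the Trend Micro write-up. The registry value is
passed in as the string you would copy from `reg query`, so the check runs on
any machine, not only the infected one.
"""
import re
from typing import Dict, Iterable, List, Set

# Assumed clean baselines per OS family (illustrative; take the real baseline
# from a known-good machine of the same build before relying on these).
BASELINE: Dict[str, Set[str]] = {
    "xp_2003": {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"},
    "vista_2008_7": {"credssp.dll"},
}


def parse_security_providers(value: str) -> List[str]:
    """Split the comma-separated REG_SZ into normalised (lowercase) DLL names."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def unexpected_providers(value: str, os_family: str) -> List[str]:
    """Return entries that are not in the baseline.

    Every DLL listed in SecurityProviders is loaded at system startup, which
    is why the Trojan appends its dropped DLL here. Any entry outside the
    baseline (such as ms{random}.DLL) is a persistence candidate and should
    be examined before it is removed.
    """
    baseline = BASELINE[os_family]
    return [p for p in parse_security_providers(value) if p not in baseline]


def restored_value(value: str, os_family: str) -> str:
    """Produce the 'To:' value of the removal step: baseline entries only.

    Original order is kept; registry DLL names are case-insensitive, so the
    lowercase form is safe to write back.
    """
    baseline = BASELINE[os_family]
    kept = [p for p in parse_security_providers(value) if p in baseline]
    return ", ".join(kept)


# cryptbase.dll directly under the sysprep directory (either path separator).
SYSPREP_DROP = re.compile(r"[\\/]sysprep[\\/]cryptbase\.dll$", re.IGNORECASE)


def sysprep_hijack_paths(paths: Iterable[str]) -> List[str]:
    """Flag cryptbase.dll sitting in the sysprep directory.

    The legitimate cryptbase.dll lives directly in %System%; a copy in
    %System%\\sysprep is the drop location the write-up gives for
    Vista, 2008 and Windows 7.
    """
    return [p for p in paths if SYSPREP_DROP.search(p)]


if __name__ == "__main__":
    # Constructed sample mimicking the value on an infected Windows 7 host.
    sample = "credssp.dll, msab12cd.DLL"
    print(unexpected_providers(sample, "vista_2008_7"))  # ['msab12cd.dll']
    print(restored_value(sample, "vista_2008_7"))        # credssp.dll
    listing = [r"C:\Windows\System32\cryptbase.dll",
               r"C:\Windows\System32\sysprep\cryptbase.dll"]
    print(sysprep_hijack_paths(listing))  # ['C:\\Windows\\System32\\sysprep\\cryptbase.dll']
```

Run the script on the pasted value first and keep the flagged DLL for analysis; the `restored_value` output is what the registry step under SOLUTION writes back.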

The malware sends DNS TXT queries to the following URLs to receive additional URLs from which it downloads additional files. The replies from the servers are RC4-encrypted messages.

  • {BLOCKED}t.domaincheker.name
  • {BLOCKED}t-1.domaincheker.biz
  • {BLOCKED}t-1-p.domaincheker.biz
  • {BLOCKED}t-2.domaincheker.biz
  • {BLOCKED}t-2-p.domaincheker.biz
  • {BLOCKED}t-3.domaincheker.biz
  • {BLOCKED}t-3-p.domaincheker.biz

As of this writing, the malware connects to the following Google sites to download additional component files. These files are also encrypted with the RC4 algorithm.

  • sites.google.com/site/{BLOCKED}a88888/Home/d77.ttf?attredirects=0&d=1
  • sites.google.com/site/{BLOCKED}a88888/Home/qwe.ttf?attredirects=0&d=1

It saves the encrypted files it downloads as the following:

  • %User Temp%\0-6.tmp
  • %User Temp%\2-6.tmp

It decrypts and loads the downloaded files in memory.

Investigation of the files reveals that they are components used as proxy servers and to gather system information. This malware can also be instructed to download and install other malicious files.
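The DNS TXT domains and the Google Sites download URLs above are the indicators most easily hunted in resolver and proxy logs. The following is an added example written for this page, not code from the Trend Micro write-up: it matches the listed domaincheker.name / domaincheker.biz names and the `.ttf?attredirects=0&d=1` download pattern, and adds a generic per-client TXT-query count because workstations rarely make TXT lookups themselves. The log formats and the sample lines are constructed for the example (the `xxxa88888` site name stands in for the part the write-up blocks out); adapt the two parsers to your own resolver and proxy formats.

```python
"""Hunt for the DNS and download indicators listed above in resolver and proxy logs.

Added example, not code from the Trend Micro write-up. Log formats and sample
lines are constructed for this example (one record per line).
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed resolver log: "<time> <client> <qtype> <qname>"
DNS_LOG = """\
2011-02-08T10:01:02 10.0.0.15 A www.example.com
2011-02-08T10:01:05 10.0.0.15 TXT t-1.domaincheker.biz
2011-02-08T10:01:06 10.0.0.15 TXT t-1-p.domaincheker.biz
2011-02-08T10:02:10 10.0.0.22 TXT _dmarc.example.org
"""

# Constructed proxy log: "<time> <client> <method> <url> <status>"
# "xxxa88888" is a placeholder for the site name the write-up blocks out.
PROXY_LOG = """\
2011-02-08T10:03:01 10.0.0.15 GET http://sites.google.com/site/xxxa88888/Home/d77.ttf?attredirects=0&d=1 200
2011-02-08T10:03:02 10.0.0.15 GET http://sites.google.com/site/xxxa88888/Home/qwe.ttf?attredirects=0&d=1 200
2011-02-08T10:04:00 10.0.0.22 GET http://www.example.com/index.html 200
"""

# Every C2 name in the write-up is a subdomain of domaincheker.name or .biz.
C2_NAME_RE = re.compile(r"(^|\.)domaincheker\.(name|biz)$", re.IGNORECASE)

# Google Sites download with the exact query string the Trojan uses. The
# ".ttf" extension is cosmetic: the files are RC4-encrypted components, not
# fonts. The site name is redacted in the write-up, so any site is matched.
TTF_URL_RE = re.compile(
    r"^https?://sites\.google\.com/site/[^/]+/Home/[^/?]+\.ttf\?attredirects=0&d=1$",
    re.IGNORECASE,
)


def dns_hits(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) for TXT queries to the C2 domains."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qtype, qname = parts
        if qtype.upper() == "TXT" and C2_NAME_RE.search(qname):
            hits.append((client, qname.lower()))
    return hits


def txt_query_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Count TXT queries per client, a generic cue for DNS-carried command channels.

    Legitimate TXT lookups (SPF, DMARC, domain verification) are normally made
    by mail servers and security tooling, not by workstations, so a workstation
    with a run of TXT queries deserves a look even when the names are unknown.
    """
    counts: Counter = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[2].upper() == "TXT":
            counts[parts[1]] += 1
    return dict(counts)


def proxy_hits(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, url) for requests matching the component-file download pattern."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        _, client, _, url, _ = parts
        if TTF_URL_RE.match(url):
            hits.append((client, url))
    return hits


def infected_hosts(dns_lines: Iterable[str], proxy_lines: Iterable[str]) -> List[str]:
    """Clients that both queried the C2 domains and fetched a component file."""
    dns_clients = {client for client, _ in dns_hits(dns_lines)}
    proxy_clients = {client for client, _ in proxy_hits(proxy_lines)}
    return sorted(dns_clients & proxy_clients)


if __name__ == "__main__":
    print(dns_hits(DNS_LOG.splitlines()))
    print(txt_query_counts(DNS_LOG.splitlines()))
    print(proxy_hits(PROXY_LOG.splitlines()))
    print(infected_hosts(DNS_LOG.splitlines(), PROXY_LOG.splitlines()))  # ['10.0.0.15']
```

A host that appears in `infected_hosts` should then be checked for the `%User Temp%\0-6.tmp` and `%User Temp%\2-6.tmp` files and the SecurityProviders change described under Installation.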

  SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 7.822.08
FIRST VSAPI PATTERN DATE: 08 Feb 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove the malware/grayware file that dropped/downloaded TROJ_SMALL.WIE:

  • TROJ_SMALL.WZ

Step 3

Restore this modified registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how to, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
    • From: SecurityProviders = {default values} {file name of the dropped DLL}
      To: SecurityProviders = {default values}

Step 4

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_SMALL.WIE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Solution notes:

To delete the added Firewall Rules for OS Version 6 (Vista, 2008, 7):

  1. Open Windows Firewall. Click Start, type Windows Firewall with Advanced Security in the Search input field, and press Enter.
  2. In the left panel select Inbound Rules.
  3. Select the rule(s) named "System Update" in the Inbound Rules list then press Delete.
  4. Click Yes on the confirmation box that appears.
  5. Close Windows Firewall with Advanced Security.
