TSPY_DERUSBI
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This description is based is a compiled analysis of several variants of TSPY_DERUSBI. Note that specific data such as file names and registry values may vary for each variant.
This spyware may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.
It requires its main component to successfully perform its intended routine.
TECHNICAL DETAILS
Arrival Details
This spyware may be dropped by other malware.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This spyware drops the following files:
- %System%\msusb{random 3 characters}.dat
- %System%\{random}.dat
- %System%\msusbznx.dat
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This spyware modifies the following registry entries to ensure it automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv\Parameters
ServiceDll = "%Systemroot%\System32\msusb{random 3 characters}.dat"
(Note: The default value data of the said registry entry is %System%\wuauserv.dll.)
Other System Modifications
This spyware adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\PnP
Security = "{random values}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv\Parameters
Security = "{random values}"
Dropping Routine
This spyware drops the following file(s), which it uses for its keylogging routine:
- %System%\drivers\{bc87739c-6024-412c-b489-b951c2f17000}.sys - detected by Trend Micro as TSPY_DERUSBI.E
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Stolen Information
This spyware saves the stolen information in the following file:
- %Windows%\Temp\ziptmp$1.tmp21
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Other Details
This spyware connects to the following possibly malicious URL:
- {BLOCKED}i.{BLOCKED}1.com
- {BLOCKED}ree.{BLOCKED}1223.com
- {BLOCKED}4.{BLOCKED}.111.30
It requires its main component to successfully perform its intended routine.
NOTES:
It steals the following information:
- Email user names and passwords, etc.
- Installed security products
- Internet Explorer Autocomplete accounts
- Internet Explorer version
- IP address
- Logged keystrokes
- Operating System Version
- Proxy server settings
This malware has keylogging capabilities.
This description is based is a compiled analysis of several variants of TSPY_DERUSBI. Note that specific data such as file names and registry values may vary for each variant.
SOLUTION
Trend customers:
Keep your pattern and scan engine files updated. Trend Micro antivirus software can clean or remove most types of computer threats. Malware, though, such as Trojans, scripts, overwriting viruses and joke programs which are identified as uncleanable, should simply be deleted.
All Internet users:
- Use HouseCall - the Trend Micro online threat scanner to check for malware that may already be on your PC.
- Catch malware/grayware before they affect your PC or network. Secure your Web world with Trend Micro products that offer the best anti-threat and content security solutions for home users, corporate users, and ISPs. Go here for more information on Trend Micro products that fit your needs.
Did this description help? Tell us how we did.