TROJ_BURNIX.SMEP

This Trojan attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.

Arrival Details

This Trojan may be downloaded from the following remote sites:

• http://hp3qvb.in/php/001.exe

Installation

This Trojan adds the following folders:

• %Application Data%\{random1}
• %Application Data%\{random2}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It injects itself into the following processes running in the affected system's memory:

• explorer.exe
• taskhost.exe
• taskeng.exe
• Dwm.exe
• wscntfy.exe
• ctfmon.exe
• rdpclip.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID of mount point of %Windows%} = %Application Data%\{random1}\{random}.exe

It drops the following files:

• %Application Data%\{random1}\{random}.exe - copy of itself
• %Application Data%\{random2}\{random} - contains encrypted stolen data

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Other System Modifications

This Trojan adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft
{random} =

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%WINDOWS%\\EXPLORER.EXE = %WINDOWS%\EXPLORER.EXE:*:Enabled:Windows Explorer

Information Theft

This Trojan monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• */atl.osmp.ru/*
• */login.osmp.ru/*
• *cedacri.it*
• *isideonline.it*
• http*://*credem.it/OneToOne/ebank/functions*
• https://*sanpaoloimi.com/*
• https://bancopostaimpresaonline.poste.it/bpiol/
• https://bancopostaonline.poste.it/BPOL/bancoposta/*
• https://hb.quiubi.it/newSSO/x11logon.htm
• https://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jsp
• https://scrigno.popso.it*
• https://www.csebanking.it*
• https://www.gruposantander.es/*
• https://www.gruppocarige.it/grps/vbank/jsp/login.jsp
• https://www.iwbank.it/private/index_pub.jhtml*
• https://www.poste.it/online/personale/loginPrivati.fcc

It accesses the following site to download its configuration file:

• http://hp3qvb.in/php/cfg001.bin

It attempts to steal information from the following banks and/or other financial institutions:

• Banca Intesa
• Gruppo Carige
• IW Bank
• Iside
• OSPM
• PosteItaliane
• Qui UBI
• SEB
• Santander
• Scrigno

Drop Points

Stolen information is uploaded to the following websites:

• http://hp3qvb.in/php/IXsNjAfsRc1D.php

Other Details

This Trojan does the following:

• Adds the following registry entries to disable IE PhishingFilter:
  HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\PhishingFilter Enabled =0
  HKEY_CURRENT_USER\\Software\\Microsoft\\InternetExplorer\\PhishingFilter EnabledV8 =0
• Steals the following information:
  • Personal Certificates (MY)
  • FTP credentials for the following FTP applications:
  • flashxp
  • ghisler
  • ipswitch
  • filezilla
  • ftpfar
  • winscp
  • ftpcommander
  • coreftp
  • smartftp
  • Flashplayer data
  • Internet session cookies

Variant Information

This Trojan has the following MD5 hashes:

• 7d16f34827db7888ed9157f3f734d5f1

It has the following SHA1 hashes:

• 70b1621194d56bf930a04e059b960ecfa48d7a91