Analysis by: Michael Cabel
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This spyware is capable of collecting information from the infected system and checking if the currently logged user has administrator rights.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

This spyware may be unknowingly downloaded by a user while visiting malicious websites. It may be hosted on a website and run when a user accesses the said website.

It executes then deletes itself afterward.

It modifies the affected system's HOSTS files. This prevents users from accessing certain websites.

However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size: 302,446 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 18 Apr 2011
Payload: Modifies HOSTS file

Arrival Details

This spyware may be unknowingly downloaded by a user while visiting malicious websites.

It may be hosted on a website and run when a user accesses the said website.

Installation

This spyware drops the following component file(s):

  • %System%\{random file name}.exe - also detected as TSPY_PIRMINAY.A

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It executes then deletes itself afterward.

It injects threads into the following normal process(es):

  • explorer.exe

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random registry name} = "%System%\{random file name}.exe"

Other System Modifications

This spyware adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\GHUZPSK

HOSTS File Modification

This spyware modifies the affected system's HOSTS files to prevent a user from accessing the following websites:

  • 127.0.0.1 thepiratebay.org
  • 127.0.0.1 www.thepiratebay.org
  • 127.0.0.1 mininova.org
  • 127.0.0.1 www.mininova.org
  • 127.0.0.1 forum.mininova.org
  • 127.0.0.1 blog.mininova.org
  • 127.0.0.1 suprbay.org
  • 127.0.0.1 www.suprbay.org

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

  • http://{BLOCKED}c.net/html/license_43EC922A3D0E1F403834ED406BA80E5A686E606DF596C71B1F47B22D93555C332C0C0719D7D5C142B8C2C3E65DCC50966E34BA8C4D56463B02F3FED9544A9D2924CF3F64589D6F196EEE2287F825C718F1A7C664F6BC84AA1B5B4824A007F3A8850F6DDE35DADFD83C52EF01BB4FC54BF9660FE35E9F31AACF0A43B4FD6DA84758F7297FE94658707F6B41C1B8BAE47C551AC5DF83492A302E0101F9F813B0E1F6703F239B3C703F88FD49756B894957BFC2CDB48C5F1393784FD1809DA0141526DE8BC5C11EADF840E5C519DD4D80B2E1E0718A3B52BD4E49A76B7F0674A1451795428E9FBE22DC66B925CD5F30C4B248BE1B643D3D8AE0028BA2F9EB850A912A4CED4F6079C4E1CFE849D6F39A0ACA20E7F3E3A964DAF4AE39C95CCCFC2AEE9EC900C5C2E7133AB6C7FD266AB7E897A90890BC08.html

Other Details

However, as of this writing, the said sites are inaccessible.

NOTES:

This spyware can collect the following system information:

  • Registry information, such as:
    • Number of typed URLs
    • Number of visited URLs
    • Number of uninstall entries
    • Number of HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys
  • System information, such as:
    • Display resolution
    • Number of drivers found in the system32/drivers folder
It also checks if the currently logged user has administrator rights.

  SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 8.112.04
FIRST VSAPI PATTERN DATE: 22 Apr 2011
VSAPI OPR PATTERN File: 8.113.00
VSAPI OPR PATTERN Date: 22 Apr 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Terminate a process file/s detected as TSPY_PIRMINAY.A

[ Learn More ]

*Note: If the detected file/s is/are not displayed in theWindows Task Manager, continue doing the next steps.

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • {random registry name} = "%System%\{random file name}.exe"

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software
    • GHUZPSK

Step 5

Remove these strings added by the malware/grayware/spyware in the HOSTS file

[ Learn More ]
    • 127.0.0.1 thepiratebay.org
    • 127.0.0.1 www.thepiratebay.org
    • 127.0.0.1 mininova.org
    • 127.0.0.1 www.mininova.org
    • 127.0.0.1 forum.mininova.org
    • 127.0.0.1 blog.mininova.org
    • 127.0.0.1 suprbay.org
    • 127.0.0.1 www.suprbay.org
"

Step 6

Scan your computer with your Trend Micro product to delete files detected as TSPY_PIRMINAY.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.