TSPY_SHYLOCK.B

This spyware attempts to replace the contact numbers of certain banks with rogue numbers that are controlled by the attackers. This may lead infected users to divulge their banking and personal information to the attackers.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It also has rootkit capabilities, which enables it to hide its processes and files from the user.

As of this writing, the said sites are inaccessible.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

• %Application Data%\{randomly selected folder}\{random path}\{random file name}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {GUID}

It injects codes into the following process(es):

• explorer.exe

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID} = "%Application Data%\{randomly selected folder}\{random path}\{random file name}.exe"

Rootkit Capabilities

This spyware also has rootkit capabilities, which enables it to hide its processes and files from the user.

Download Routine

This spyware connects to the following URL(s) to download its configuration file:

• {BLOCKED}stem.cc
• {BLOCKED}otec.at
• {BLOCKED}atistics.net

As of this writing, the said sites are inaccessible.

Information Theft

This spyware attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

NOTES:

The created mutex {GUID} is a value that is computed by the malware based from the computer name SID.

{randomly selected folder} can be any folder under %Application Data%.{random path} is a random subfolder under {randomly selected folder}. {random file name} is a file name of any executable file in the Windows system folder.