
Trojan.PWS.Spy.19338

Added to the Dr.Web virus database: 2015-05-07

Virus description added:

SHA1: 1d5897759ee66047e1d4c6378a52079fac2303f5

A spyware Trojan that exfiltrates text typed into the windows of various programs, including accounting software. It is dropped by Trojan.MulDrop6.44482 and is launched directly in memory: the decrypted executable is never written to disk, and only an encrypted copy of it is stored there. The Trojan's main functions:

  • Logs key presses
  • Sends information about the system to the server
  • Downloads and runs MZPE files (with and without saving them on disk)

The Trojan consists of several modules. Each module has its own ID, NAME and TITLE parameters and its own format for the data it sends. Everything received from the modules is stored in a single data array that begins with the following header:

struct st_mod
{
  _BYTE garbage[20];           // overwritten with random bytes on transmission
  _DWORD all_mod_data_size;    // total size of all elements that follow the header
  _DWORD dword18;
  _DWORD index;                // number of elements in the array
  _BYTE hash[16];              // MD5 of the array data, checked by the server
};

The following fields are filled in:

  • all_mod_data_size: the total size of all the array's elements;
  • index: the number of elements in the array;
  • hash: an MD5 hash of the array data, used as an integrity check when the client sends the array to the server.

When the array is transmitted, the first 20 bytes (the garbage field) are overwritten with random values.

Each element that follows the header has the following layout:

struct st_mod_data
{
  _DWORD element_id;   // type and format of the payload (see the table below)
  _DWORD magic;
  _DWORD size;         // payload length
  _DWORD size_;        // second size field
  _BYTE data[];        // payload
};

Every piece of information placed into the common array is wrapped in an st_mod_data element. The element_id field determines the type of the payload and the format of the data field:

element_id   Value
10001        ID of the infected computer
10002        Name of the botnet (presumably)
10003        Embedded constant 0x1000002
10005        Embedded constant 0x00
10007        Module title (header)
10008        Unknown parameter; not used in this sample
10009        Date on which the module generated the data
10010        Timestamp of the moment the module generated the data
10011        Current time in UTC
10012        System information, stored as the st_osinfo structure shown below
10013        Default system language
10014        Module name
10016        List of the computer's IPv4 addresses
10017        List of the computer's IPv6 addresses
10018        Module ID
10019        Data generated by the module

The payload of element 10012 has the following layout:

struct st_osinfo
{
  _BYTE OsVersion;
  _BYTE ServicePackMajor;
  _WORD BuildNumber;
  _WORD ProcArch;           // likely the value of SYSTEM_INFO.wProcessorArchitecture
};

Each module fills in an st_modinfo structure, which is then serialised into a set of st_mod_data elements (the element_id each field most likely maps to is noted in the comments):

struct st_modinfo
{
  char *name;          // module name (10014)
  _DWORD ts;           // timestamp of data generation (10010)
  SYSTEMTIME time;     // date of data generation (10009)
  _DWORD title;        // module title (10007)
  _DWORD data;         // pointer to the data generated by the module (10019)
  _DWORD data_size;    // size of that data
  _DWORD elem10008;    // unknown parameter, unused in this sample (10008)
  _DWORD id;           // module ID (10018)
};
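To make the container format concrete, here is an added example, written for this page and not taken from the Trojan or from Dr.Web, that builds such an array from st_mod_data elements, applies the st_mod header with its MD5, and parses and verifies it again. The page does not pin down the byte order, the magic value, exactly which bytes the MD5 covers, or the text encodings of the payloads, so the example assumes little-endian fields, a placeholder MAGIC, an MD5 over the element bytes after the 48-byte header, and plain ASCII strings; the beacon contents are constructed.

```python
"""Builder/parser for the st_mod / st_mod_data report container described on the page.
Illustrative reconstruction, not the Trojan's code. Assumptions not stated on the page:
little-endian fields, the MAGIC value, the MD5 covering the element bytes that follow
the 48-byte header, all_mod_data_size being the length of those bytes, and ASCII payloads."""
import hashlib
import os
import struct

# element_id values from the table on the page
ELEM_BOT_ID, ELEM_BOTNET, ELEM_CONST1, ELEM_CONST2 = 10001, 10002, 10003, 10005
ELEM_TITLE, ELEM_10008, ELEM_GEN_DATE, ELEM_GEN_TS, ELEM_UTC = 10007, 10008, 10009, 10010, 10011
ELEM_OSINFO, ELEM_LANG, ELEM_MOD_NAME = 10012, 10013, 10014
ELEM_IPV4, ELEM_IPV6, ELEM_MOD_ID, ELEM_MOD_DATA = 10016, 10017, 10018, 10019
DWORD_ELEMS = {ELEM_CONST1, ELEM_CONST2, ELEM_10008, ELEM_GEN_TS, ELEM_MOD_ID}  # assumed DWORD payloads
STRING_ELEMS = {ELEM_BOT_ID, ELEM_BOTNET, ELEM_TITLE, ELEM_MOD_NAME, ELEM_LANG, ELEM_IPV4, ELEM_IPV6}

HDR = struct.Struct("<20sIII16s")   # st_mod: garbage[20], all_mod_data_size, dword18, index, hash[16]
ELEM = struct.Struct("<IIII")       # st_mod_data: element_id, magic, size, size_ (payload follows)
OSINFO = struct.Struct("<BBHH")     # st_osinfo: OsVersion, ServicePackMajor, BuildNumber, ProcArch
MAGIC = 0x00000001                  # placeholder: the real magic value is not given on the page

def pack_element(element_id, payload):
    """Wrap one payload in an st_mod_data header; both size fields carry the payload length."""
    return ELEM.pack(element_id, MAGIC, len(payload), len(payload)) + payload

def pack_array(elements, dword18=0):
    """Prepend the st_mod header: index = element count, hash = MD5 of the element bytes."""
    body = b"".join(elements)
    return HDR.pack(b"\0" * 20, len(body), dword18, len(elements), hashlib.md5(body).digest()) + body

def randomise_garbage(blob):
    """Overwrite the 20-byte garbage prefix with random bytes, as happens on transmission."""
    return os.urandom(20) + blob[20:]

def parse_array(blob):
    """Validate the container (server-side view) and return [(element_id, payload), ...]."""
    if len(blob) < HDR.size:
        raise ValueError("short header")
    _garbage, total, _dword18, count, digest = HDR.unpack_from(blob, 0)
    body = blob[HDR.size:HDR.size + total]
    if len(body) != total:
        raise ValueError("truncated array")
    if hashlib.md5(body).digest() != digest:      # the integrity check the hash field exists for
        raise ValueError("MD5 mismatch")
    elems, off = [], 0
    while off < len(body):
        if len(body) - off < ELEM.size:
            raise ValueError("short element header")
        eid, magic, size, size_ = ELEM.unpack_from(body, off)
        off += ELEM.size
        if magic != MAGIC or size != size_ or off + size > len(body):
            raise ValueError("bad element at offset %d" % (off - ELEM.size))
        elems.append((eid, body[off:off + size]))
        off += size
    if len(elems) != count:
        raise ValueError("index field does not match the element count")
    return elems

def decode_element(eid, payload):
    """Interpret a payload by element_id (encodings assumed; 10009/10011/10019 are kept raw)."""
    if eid == ELEM_OSINFO:
        ver, sp, build, arch = OSINFO.unpack(payload)
        return {"OsVersion": ver, "ServicePackMajor": sp, "BuildNumber": build, "ProcArch": arch}
    if eid in DWORD_ELEMS:
        return struct.unpack("<I", payload)[0]
    if eid in STRING_ELEMS:
        return payload.decode("ascii")
    return payload

def build_sample_report():
    """Constructed beacon from the keylogger module; every value here is made up."""
    osinfo = OSINFO.pack(6, 1, 7601, 9)      # 6.1 SP1 build 7601, ProcArch 9 = AMD64 (made-up host)
    return pack_array([
        pack_element(ELEM_BOT_ID, b"BOT-0001"),
        pack_element(ELEM_CONST1, struct.pack("<I", 0x1000002)),
        pack_element(ELEM_OSINFO, osinfo),
        pack_element(ELEM_MOD_NAME, b"keylog"),
        pack_element(ELEM_MOD_ID, struct.pack("<I", 3)),
        pack_element(ELEM_MOD_DATA, b"\r\n[WND: |Book1 - Excel|]\r\n[PRC: |EXCEL.EXE|]\r\n"),
    ])

if __name__ == "__main__":
    for eid, payload in parse_array(randomise_garbage(build_sample_report())):
        print(eid, decode_element(eid, payload))
```

Because the MD5 covers only the element bytes, the randomised garbage prefix does not disturb the integrity check, whereas flipping a single payload byte does; a server-side parser (or a decoder for captured traffic) should reject both a hash mismatch and any element whose two size fields disagree or run past the buffer.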

The data array is saved in encrypted form (RC4, then XOR) to %APPDATA%\Roaming\ntuser.dat. The file name mimics the legitimate NTUSER.DAT registry hive, which lives in the root of the user profile rather than under the roaming application-data folder, so a copy at this path is worth checking.

Everything Trojan.PWS.Spy.19338 sends to the server is protected the same way: the data is encrypted first with RC4 and then XORed.
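The following added example (written for this page; not the Trojan's code, and the keys are placeholders since the page gives none) implements that two-layer scheme and its inverse. It assumes the XOR layer uses a short repeating key. It also shows why the second layer adds nothing: RC4 is itself an XOR with a keystream, and XOR is commutative, so "RC4 then XOR" is equivalent to a single XOR with the combined stream, and a decryptor can strip the layers in either order.

```python
"""RC4-then-XOR wrapping as described on the page. Added example, not the Trojan's code.
Assumptions: a repeating XOR key and a standard RC4 key schedule; both keys are made up."""
from itertools import cycle

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key (the assumed form of the Trojan's second layer)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def wrap_for_c2(plain: bytes, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Client side: RC4 first, then XOR, as the page describes."""
    return xor_bytes(rc4(rc4_key, plain), xor_key)

def unwrap_from_c2(wire: bytes, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Server side: undo XOR, then RC4. Because both layers are XORs, the reverse order
    (rc4 first, then xor_bytes) yields exactly the same plaintext."""
    return rc4(rc4_key, xor_bytes(wire, xor_key))

# Constructed placeholder keys and a constructed report; nothing here comes from the sample.
RC4_KEY = b"example-rc4-key"
XOR_KEY = b"\x5a\xa5\x13\x37"
SAMPLE_REPORT = b"BOT-0001|keylog|\r\n[WND: |Book1 - Excel|]\r\n[PRC: |EXCEL.EXE|]\r\n"

if __name__ == "__main__":
    wire = wrap_for_c2(SAMPLE_REPORT, RC4_KEY, XOR_KEY)
    print(wire.hex())
    print(unwrap_from_c2(wire, RC4_KEY, XOR_KEY) == SAMPLE_REPORT)
```

The RC4 routine is checked against the published test vector (key "Key", plaintext "Plaintext"), so a decoder built on it can be trusted once the real keys are recovered from the sample.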

To log keystrokes and clipboard contents, the Trojan registers a window class with a random name. The collected data is written to the log file "%APPDATA%\Roaming\adobe\system.log", and a timer sends the accumulated records to the server once a minute. Clipboard contents are obtained by adding the Trojan's window to the clipboard viewer chain with the WinAPI function SetClipboardViewer(). Keystrokes are intercepted through the Trojan's own input handler, which it registers for that purpose; before logging them it checks whether the image path of the process that owns the input window matches one of the following masks, and otherwise the keystrokes are not logged:

*\\Skype.exe
*\\WINWORD.EXE
*\\1cv8.exe
*\\1cv7s.exe
*\\1cv7.exe
*\\EXCEL.EXE
*\\msimn.exe
*\\thunderbird.exe
*\\sbis.exe
*\\OUTLOOK.EXE

The window title and the process name are also written to the log, in the following format:

\r\n[WND: |%s|]\r\n
[PRC: |%s|]\r\n

During logging of the clipboard content, data is placed between the markers:

[clp bgn]\r\n
\r\n[clp end]\r\n

All the logged information is XOR-encrypted.
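To show how the filter, the record format and the XOR layer above fit together, here is an added example written for this page (not the Trojan's code). It replays a constructed sequence of focus changes, keystrokes and clipboard updates, keeps keystrokes only while a process matching one of the masks owns the input window, and formats the records as shown. The comparison is done case-insensitively on the full image path and the clipboard is logged regardless of the foreground process; both are assumptions, as is the repeating-key XOR with a made-up key. The last function makes the practitioner's point: because every window record starts with the fixed marker "\r\n[WND: |", the XOR key falls out of the encrypted log by known-plaintext recovery.

```python
"""Keystroke/clipboard log reconstruction for the masks and formats on the page.
Added example, not the Trojan's code. Assumptions: case-insensitive path matching,
clipboard logged independently of focus, repeating-key XOR with a made-up key."""
import fnmatch
from itertools import cycle

# Masks as listed on the page; the page's "\\" is C escaping for a single backslash.
TARGET_MASKS = [
    r"*\Skype.exe", r"*\WINWORD.EXE", r"*\1cv8.exe", r"*\1cv7s.exe", r"*\1cv7.exe",
    r"*\EXCEL.EXE", r"*\msimn.exe", r"*\thunderbird.exe", r"*\sbis.exe", r"*\OUTLOOK.EXE",
]

def should_log(process_path: str) -> bool:
    """True when the image path of the process owning the input window matches a mask.
    The leading "*\\" means a bare file name without a directory separator does not match."""
    p = process_path.lower()
    return any(fnmatch.fnmatchcase(p, m.lower()) for m in TARGET_MASKS)

def window_record(title: str, process_path: str) -> str:
    """Record written on a focus change, in the page's format."""
    return "\r\n[WND: |%s|]\r\n[PRC: |%s|]\r\n" % (title, process_path)

def clipboard_record(text: str) -> str:
    """Clipboard contents between the page's markers."""
    return "[clp bgn]\r\n" + text + "\r\n[clp end]\r\n"

def build_log(events) -> str:
    """Replay events of the form ("focus", title, image_path), ("keys", text) or ("clip", text)."""
    out, logging = [], False
    for ev in events:
        if ev[0] == "focus":
            logging = should_log(ev[2])
            if logging:
                out.append(window_record(ev[1], ev[2]))
        elif ev[0] == "keys" and logging:
            out.append(ev[1])
        elif ev[0] == "clip":                 # assumed: logged whatever window has focus
            out.append(clipboard_record(ev[1]))
    return "".join(out)

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the assumed form of the log encryption."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_xor_key(ciphertext: bytes, keylen: int, crib: bytes = b"\r\n[WND: |") -> bytes:
    """Known-plaintext recovery: the log starts with a window record, so XORing the first
    len(crib) ciphertext bytes with the marker reveals the key (keylen <= len(crib))."""
    return xor_bytes(ciphertext[:len(crib)], crib)[:keylen]

# Constructed event stream; paths and typed text are invented for the example.
SAMPLE_EVENTS = [
    ("focus", "Book1 - Excel", r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"),
    ("keys", "secret formula\r\n"),
    ("clip", "1234 5678 9012 3456"),
    ("focus", "Untitled - Notepad", r"C:\Windows\System32\notepad.exe"),
    ("keys", "typed in notepad"),
]
SAMPLE_XOR_KEY = b"\x5a\xa5\x13\x37"   # made-up key

if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    enc = xor_bytes(log.encode(), SAMPLE_XOR_KEY)
    print(recover_xor_key(enc, 4).hex())
    print(xor_bytes(enc, recover_xor_key(enc, 4)).decode())
```

The same crib trick applies to a recovered system.log: XOR its first bytes with the marker, check that the result repeats with a short period, and the whole log decrypts.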

In addition, every 3 minutes the Trojan enumerates connected smart-card readers and packs the result into an st_modinfo structure.

A separate module collects system information into the following structure:

struct st_dummy_info
{
  _BYTE IsAdmin;        // whether the current user has administrator rights
  _BYTE MajorVer;       // Windows major version
  _BYTE MinorVer;       // Windows minor version
  _BYTE ProductType;    // workstation or server edition
};

The Trojan can download and run MZPE files in two ways, chosen by the 16-bit value at offset zero of the downloaded buffer:

  • 0x5A4D (the bytes "MZ", i.e. an ordinary PE file): the file is written to %TEMP% and executed from there.
  • 0x444C (the bytes "LD"): the file is loaded and executed in memory without being written to disk.
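The dispatch logic above, as an added example written for this page rather than code from the Trojan. The point worth checking in any detection or emulation logic is byte order: 0x5A4D is the little-endian WORD formed by the bytes 4D 5A ("MZ"), so a buffer beginning with the bytes 5A 4D is not a PE and must not take the drop-and-run path. The loader callables and sample buffers are constructed placeholders.

```python
"""Signature-based routing of a downloaded buffer, as described on the page.
Added example, not the Trojan's code; the loaders are stand-ins."""
import struct

SIG_PE = 0x5A4D    # little-endian WORD of the bytes "MZ": drop to %TEMP% and run
SIG_LD = 0x444C    # little-endian WORD of the bytes "LD": run from memory only
ACTIONS = {SIG_PE: "drop-to-temp-and-run", SIG_LD: "run-in-memory"}

def classify_payload(buf: bytes) -> str:
    """Return the action the Trojan would take for this buffer, or "ignore"."""
    if len(buf) < 2:
        return "ignore"
    (sig,) = struct.unpack_from("<H", buf, 0)    # read as a little-endian WORD, not as raw bytes
    return ACTIONS.get(sig, "ignore")

def dispatch(buf: bytes, run_from_disk, run_in_memory):
    """Route the buffer to the matching loader; the callables stand in for the real ones."""
    action = classify_payload(buf)
    if action == "drop-to-temp-and-run":
        return run_from_disk(buf)
    if action == "run-in-memory":
        return run_in_memory(buf)
    return None

# Constructed buffers: a DOS-header prefix, an in-memory blob, and a byte-swapped decoy.
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_LD = b"LD" + b"\x00" * 62
SAMPLE_SWAPPED = b"\x5a\x4d" + b"\x00" * 62

def demo():
    """Run all three buffers through dispatch and report which loader each reached."""
    seen = []
    dispatch_all = lambda b: dispatch(b, lambda _: seen.append("disk"), lambda _: seen.append("memory"))
    for b in (SAMPLE_PE, SAMPLE_LD, SAMPLE_SWAPPED):
        dispatch_all(b)
    return seen

if __name__ == "__main__":
    print(demo())
```

For the in-memory branch there is no dropped file to find, so host-based hunting for that path has to rely on the encrypted copy in %APPDATA%\Roaming\ntuser.dat, the system.log keylog file and the per-minute beaconing rather than on files in %TEMP%.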
