SHA1: 1d5897759ee66047e1d4c6378a52079fac2303f5
A spyware Trojan that sends text entered into the windows of various programs, including accounting software, to its server. It is distributed by Trojan.MulDrop6.44482 and is launched directly in the computer's memory without the decrypted file ever being written to disk; only an encrypted copy is stored on the disk. The Trojan's main features:
- Logs key presses
- Sends information about the system to the server
- Downloads and runs MZPE files (with and without saving them on disk)
The Trojan consists of several modules. Every module uses its own ID, NAME, and TITLE parameters and its own format for the data it sends. All information received from the modules is stored in one data array that begins with the following structure:
struct st_mod
{
_BYTE garbage[20];
_DWORD all_mod_data_size;
_DWORD dword18;
_DWORD index;
_BYTE hash[16];
};
The following fields are filled in:
- all_mod_data_size: the total size of all the array's components;
- index: the number of components in the array;
- hash: MD5 hash of the array data, used to verify integrity when information is sent from the client to the server.
When the array data is transferred from the server, the first 20 bytes (the garbage field) are replaced with random values.
The remaining elements of the array look as follows:
struct st_mod_data
{
_DWORD element_id;
_DWORD magic;
_DWORD size;
_DWORD size_;
_BYTE data[];
};
The st_mod_data structure is used for every piece of information placed into the common array; the data field is encoded according to the format of the element's type. The element_id field determines the data type and its format:
| element_id | Value |
|---|---|
| 10001 | ID of the infected computer |
| 10002 | Name of the botnet (presumably) |
| 10003 | Incorporated value 0x1000002 |
| 10005 | Incorporated value 0x00 |
| 10007 | Header of the module |
| 10008 | Unknown parameter. It is not used in this sample. |
| 10009 | Date of data generation by the module |
| 10010 | Timestamp corresponding to the moment the module generated the data |
| 10011 | Current time in UTC |
| 10012 | System information represented as a structure |
| 10013 | Default system language |
| 10014 | Module's name |
| 10016 | List of the computer's IPv4 addresses |
| 10017 | List of the computer's IPv6 addresses |
| 10018 | Module's ID |
| 10019 | Data generated by the module |
Each module fills in an st_modinfo structure, which is then converted into a set of st_mod_data elements.
struct st_modinfo
{
char *name;
_DWORD ts;
SYSTEMTIME time;
_DWORD title;
_DWORD data;
_DWORD data_size;
_DWORD elem10008;
_DWORD id;
};
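As an added analysis aid (not code from the original description), the following Python builds and walks an array in the st_mod/st_mod_data layout above and checks the MD5 before trusting the elements. The little-endian field order and the assumption that the MD5 covers only the element bytes after the header are mine; the sample array is constructed.

```python
import hashlib
import struct

# st_mod header from the description: 20 garbage bytes, all_mod_data_size,
# dword18, index, then a 16-byte MD5. Little-endian DWORDs are assumed.
HDR = struct.Struct("<20sIII16s")
# st_mod_data element: element_id, magic, size, size_, followed by data[].
ELEM = struct.Struct("<IIII")
# A few element_id values from the table above, for readable output.
NAMES = {10001: "bot_id", 10002: "botnet", 10014: "module_name",
         10018: "module_id", 10019: "module_data"}

def build_array(elements, magic=0, dword18=0):
    """Pack (element_id, data) pairs into the st_mod/st_mod_data layout.
    Hashing exactly the element bytes is an assumption: the description
    does not say which bytes the MD5 covers."""
    body = b"".join(ELEM.pack(eid, magic, len(d), len(d)) + d
                    for eid, d in elements)
    header = HDR.pack(b"\x00" * 20, len(body), dword18, len(elements),
                      hashlib.md5(body).digest())
    return header + body

def parse_array(blob):
    """Walk a decrypted array and return [(element_id, data), ...].
    The 20 garbage bytes are ignored, since the sample randomises them."""
    _garbage, total, _dword18, index, digest = HDR.unpack_from(blob, 0)
    body = blob[HDR.size:HDR.size + total]
    if len(body) != total:
        raise ValueError("truncated array")
    if hashlib.md5(body).digest() != digest:
        raise ValueError("MD5 mismatch: tampered or wrongly decrypted")
    out, off = [], 0
    while off < len(body):
        eid, _magic, size, size_ = ELEM.unpack_from(body, off)
        off += ELEM.size
        if size != size_ or off + size > len(body):
            raise ValueError(f"bad element {eid} at offset {off}")
        out.append((eid, body[off:off + size]))
        off += size
    if len(out) != index:
        raise ValueError("index field does not match element count")
    return out

def is_intact(blob):
    """True when the array parses and its MD5 matches."""
    try:
        parse_array(blob)
    except (ValueError, struct.error):
        return False
    return True

def describe(elements):
    """Map element ids to the names from the table (unknown ids stay numeric)."""
    return {NAMES.get(eid, eid): data for eid, data in elements}
```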
The data array is saved to %APPDATA%\Roaming\ntuser.dat in encrypted form (RC4+XOR).
All information sent by Trojan.PWS.Spy.19338 to the server is encrypted first with the RC4 algorithm and then with XOR.
To log key strokes and clipboard contents, the Trojan registers a window class with a random name. The log of captured data is saved to "%APPDATA%\Roaming\adobe\system.log". The Trojan also creates a timer that sends log records to the server every minute. To obtain clipboard data, the spyware calls the WINAPI SetClipboardViewer() function to add its window to the clipboard viewer chain. Key strokes are intercepted once the Trojan has registered its own input processor. It checks whether the name of the input window matches one of the following masks; otherwise, key strokes are not logged.
*\\Skype.exe
*\\WINWORD.EXE
*\\1cv8.exe
*\\1cv7s.exe
*\\1cv7.exe
*\\EXCEL.EXE
*\\msimn.exe
*\\thunderbird.exe
*\\sbis.exe
*\\OUTLOOK.EXE
The window's title and the process's name are also logged, in the following format:
\r\n[WND: |%s|]\r\n
[PRC: |%s|]\r\n
When logging clipboard content, the data is placed between the markers:
[clp bgn]\r\n
\r\n[clp end]\r\n
All the logged information is encrypted with XOR.
In addition, every 3 minutes the Trojan collects information about connected smart card devices and generates an st_modinfo structure.
A separate module collects information about the system and saves it into the following structure:
struct st_dummy_info
{
_BYTE IsAdmin;
_BYTE MajorVer;
_BYTE MinorVer;
_BYTE ProductType;
};
The Trojan can download and run MZPE files using two methods:
- If the buffer has the 0x5A4D signature at zero offset, the file is saved to %TEMP% and is then executed.
- If the buffer has the 0x444C signature at zero offset, the file is executed without saving it on the disk.