Installation
The malware checks whether its file name contains the string "rundll32". If not, it drops a copy of itself as rundll32.exe, with the "hidden" and "system" attributes set, at the path used in the Run entry below.
It changes the following registry entry so that the copy runs each time you start your PC:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows"
With data: "%APPDATA%\microsoft\office\rundll32.exe"
The threat then runs this file.
As part of its installation routine, the malware writes a value to the following registry key to keep track of which version of itself is running on your PC:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Msversion"
Spreads by way of:
Removable drives
The malware watches for the notification Windows raises when a removable device is inserted into your PC.
When a device is inserted, the threat compares the newly added removable drive against a previously saved list of drives. If the drive is new, it copies itself to the drive once for each existing file and directory, naming each copy <name>.exe after that entry, and sets the "hidden" and "system" attributes on the existing files and directories.
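The companion-file pattern described above (a visible <name>.exe placed beside an original <name> that has been marked hidden and system) is something a defender can look for on a suspect drive. The following PowerShell is an added example, not code from the original write-up; it assumes the scanner is run from a clean workstation with the drive attached, lists every hidden+system entry on the drive root, and reports any <name>.exe sitting next to it, with its hash, for review. A match is an indicator to investigate, not proof of infection.

```powershell
# Added example (not from the original write-up): scan removable drives for the
# companion-file pattern. The malware copies itself as <name>.exe beside an existing
# entry <name> that it has marked hidden+system, so we report every such pair.
function Find-CompanionExecutables {
    param(
        # Roots to scan; defaults to every removable drive (Win32_LogicalDisk DriveType 2).
        [string[]]$Root = (Get-CimInstance Win32_LogicalDisk -Filter "DriveType=2" |
                           ForEach-Object { $_.DeviceID + '\' })
    )
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        # -Force makes Get-ChildItem include hidden and system entries.
        $entries = Get-ChildItem -LiteralPath $r -Force -ErrorAction SilentlyContinue
        $hiddenSystem = $entries | Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($_.Attributes -band [IO.FileAttributes]::System)
        }
        foreach ($h in $hiddenSystem) {
            # Name of the hidden original without its extension (directories have none).
            $base = if ($h.PSIsContainer) { $h.Name } else { [IO.Path]::GetFileNameWithoutExtension($h.Name) }
            $candidate = Join-Path $r ($base + '.exe')
            # Report a visible .exe of the same base name next to the hidden entry.
            if ($h.FullName -ne $candidate -and (Test-Path -LiteralPath $candidate)) {
                [pscustomobject]@{
                    Drive   = $r
                    Hidden  = $h.Name
                    Suspect = $candidate
                    SHA256  = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
                }
            }
        }
    }
}

# Usage: run with the suspect drive attached; the table lists each hidden entry and its companion .exe.
Find-CompanionExecutables | Format-Table -AutoSize
```

The scan only walks the drive root because that is where the behaviour above places the copies; the hashes it reports can be compared against the sample your own analysis or vendor identified.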
Payload
Downloads and runs arbitrary files
The malware connects to a remote host using FTP (file transfer protocol) and downloads and runs a particular file. In the wild, we have observed this downloaded file as ums.exe. Note that this file may be an updated version of the malware.
Steals sensitive information
The malware logs keystrokes and stores them in a log file, for example:
After a period of time, or once the log file exceeds a particular size, it is uploaded via FTP to a remote host.
Modifies the settings of your PC
The threat prevents Explorer from displaying files that have the "system" and "hidden" attributes, and hides file name extensions, by making the following registry modifications:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
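The registry and file artifacts listed in the Installation and Modifies the settings of your PC sections can be checked on a host without changing anything. The PowerShell below is an added example, not code from the original write-up; it assumes it runs in the context of the user profile under inspection (so HKCU and %APPDATA% resolve to that user) and returns one object per finding. The two Explorer settings are weak indicators on their own, because "ShowSuperHidden" = 0 and "HideFileExt" = 1 are also the Windows defaults; they matter when a user had deliberately changed them and the change was reverted.

```powershell
# Added example (not from the original write-up): enumerate the host artifacts the
# write-up describes. Read-only; nothing is deleted or modified.
function Get-SuspiciousArtifacts {
    $findings = @()
    $runKey      = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $advancedKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

    # 1. Run value named "Microsoft Windows" pointing at a rundll32.exe outside System32.
    $runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'Microsoft Windows'
    if ($runVal -and $runVal -match 'rundll32\.exe' -and $runVal -notmatch '\\Windows\\System32\\') {
        $findings += [pscustomobject]@{ Indicator = 'Run value "Microsoft Windows"'; Value = $runVal; Weight = 'strong' }
    }

    # 2. Dropped copy at the path the Run entry uses, with hidden+system attributes.
    $dropped = Join-Path $env:APPDATA 'microsoft\office\rundll32.exe'
    if (Test-Path -LiteralPath $dropped) {
        $item = Get-Item -LiteralPath $dropped -Force
        $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'Dropped file'
            Value     = "$dropped attrs=$($item.Attributes) sha256=$hash"
            Weight    = 'strong'
        }
    }

    # 3. Version-tracking value and the two Explorer settings under Explorer\Advanced.
    $adv = Get-ItemProperty -Path $advancedKey -ErrorAction SilentlyContinue
    if ($adv) {
        if ($adv.PSObject.Properties.Name -contains 'Msversion') {
            $findings += [pscustomobject]@{ Indicator = 'Explorer\Advanced\Msversion'; Value = $adv.Msversion; Weight = 'strong' }
        }
        # Both settings below are also Windows defaults, so they only corroborate the above.
        if ($adv.ShowSuperHidden -eq 0) {
            $findings += [pscustomobject]@{ Indicator = 'ShowSuperHidden'; Value = 0; Weight = 'weak' }
        }
        if ($adv.HideFileExt -eq 1) {
            $findings += [pscustomobject]@{ Indicator = 'HideFileExt'; Value = 1; Weight = 'weak' }
        }
    }
    return $findings
}

# Usage: list findings; an empty result means none of the listed artifacts is present for this user.
Get-SuspiciousArtifacts | Format-Table -AutoSize
```

If the strong indicators are present, remove the Run value and the dropped file after preserving copies for analysis; setting "ShowSuperHidden" to 1 and "HideFileExt" to 0 under the same Explorer\Advanced key restores the display of protected files and extensions.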
Analysis by Ray Roberts