Installation
You might receive TrojanSpy:Win32/Shiotob.A as an attachment to a spammed email with the subject "Booking confirmation", spoofed so that it appears to come from a "booking.com" address. The attached file might be a ZIP archive named "From-Booking-Com_Reservation-Details04261270703.zip".
If TrojanSpy:Win32/Shiotob.A is run, it drops a copy of the trojan as a randomly named file into the Windows system folder, as in the following examples:
- %windir%\System32\B48A1CB38B4C5E5D18A.exe
- %windir%\System32\defp.exe
It changes the registry so that its copy runs every time the Windows system file "userinit.exe" runs, which happens when Windows starts:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
Sets value: "Debugger"
With data: "<malware file name>" (e.g. "B48A1CB38B4C5E5D18A.exe")
To hide itself on your computer, this threat runs its payload in the context of the system process "csrss.exe". It also creates a randomly named registry subkey holding binary data, as in the following example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\<version>\1D01061D\
Sets value: "(default)"
With data: ".0z._b¨ýnñãåíýdé¥..xgcèo)sìt.r!.þ.~¤.ïð«1...ó.86.!9qx5°.qò.ýûé\´½ï{î....$/çznr.eµ.&ç.±.û<.óð%äc.âvfc./ð.qi×.|ó.¬¸äuòàø..).êm..|q.^n¬õ«xæ.é¡ï#...ålfw.s8.y*ê.e..üíç&õí...q.·.[%å^õ#.¹äú.æ·-ñwz.¬¥íonz"
Payload
Changes Internet settings
TrojanSpy:Win32/Shiotob.A disables the use of an Internet proxy by changing registry data:
In subkey: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyEnable"
With data: "0"
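The registry changes listed in the Installation section and the proxy change above are the host-side evidence a responder can check for. The following PowerShell audit is an added example, not part of the Microsoft entry: the registry paths come from the entry, while the Add-Finding helper and the eight-hex-character subkey pattern (generalised from the single example "1D01061D") are assumptions.

```powershell
# Added example, not part of the Microsoft entry: audit a host for the registry
# artifacts this entry lists. Run from an elevated PowerShell prompt.
# Registry paths are taken from the entry; the '^[0-9A-F]{8}$' subkey pattern is
# an assumption generalised from the single example "1D01061D".

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($check, $detail) {
    $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail })
}

# 1. Persistence: an IFEO "Debugger" value on userinit.exe makes Windows start the
#    named file when userinit.exe is launched at logon. Windows sets no such value itself.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe'
$dbg  = $null
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO Debugger on userinit.exe' $dbg }
}

# 2. Dropped copy: the Debugger value names the file in the system folder; keep a
#    copy for analysis before removing it.
if ($dbg) {
    $dropped = Join-Path $env:windir "System32\$dbg"
    if (Test-Path $dropped) { Add-Finding 'Dropped file present' $dropped }
}

# 3. Proxy disabled in the .DEFAULT hive. Weak evidence on its own; correlate with 1 and 4.
$inet  = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = (Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue).ProxyEnable
if ($proxy -eq 0) { Add-Finding '.DEFAULT ProxyEnable is 0' $inet }

# 4. Random subkey under Internet Settings\<version>\ whose (default) value is REG_BINARY.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |
    ForEach-Object {
        try { $kind = $_.GetValueKind('') } catch { $kind = $null }
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::Binary) {
            Add-Finding 'Binary (default) value in random Internet Settings subkey' $_.Name
        }
    }

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No Shiotob.A registry artifacts found.' }
```

A hit on check 1 or 4 is the strongest signal; check 3 alone also matches ordinary administrative configuration.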
Disables programs
TrojanSpy:Win32/Shiotob.A disables the use of the following web browsers and runs Internet Explorer instead:
- Google Chrome
- Netscape Navigator
- Opera
- Safari
Monitors and steals user credentials
The trojan injects code into the following processes for the purpose of stealing user credentials:
- thebat.exe
- msimn.exe
- iexplore.exe
- explorer.exe
- myie.exe
- firefox.exe
- mozilla.exe
- avant.exe
- maxthon.exe
- OUTLOOK.EXE
- ftpte.exe
- coreftp.exe
- filezilla.exe
- TOTALCMD.EXE
- cftp.exe
- FTPVoyager.exe
- SmartFTP.exe
- WinSCP.exe
Communicates with a remote server
This trojan gathers information about your computer, including:
- Operating system version
- Network configuration
- Windows Address Book
- Captured user credentials
It then connects to one of the following remote servers to send the collected information and receive further instructions from an attacker:
- safeoil.net
- armyclub.net
- quickring.net
- genubajom.servegame.com
- tekiharob.sytes.net
- rivadolti.sendsmtp.com
Analysis by Horea Coroiu