
Trojan:Win32/Urelas.C


Trojan:Win32/Urelas.C is a trojan that monitors certain card game applications and sends screenshots and information about your computer to a remote server. It also drops Trojan:Win32/Urelas.A, which carries out the same payload.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

You may inadvertently download the trojan, thinking it is a program related to a card game.

Installation

In the wild, we have observed Trojan:Win32/Urelas.C downloaded with the following file names:

  • MkUpdate.exe
  • setup.exe

When run, the trojan drops the following files in the <system folder>:

  • golfinfo.ini - this file may be used to store information captured by the trojan
  • gbp.ini - this file contains the remote server's address that the trojan connects to
  • <random>.exe, for example "lyycofez.exe" - also detected as Trojan:Win32/Urelas.C
  • <random>.dll, for example "lymucexuc.dll" - detected as Trojan:Win32/Urelas.A

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".

It also drops the file "_uninsep.bat" into the %TEMP% folder; this is a batch file, written by the malware, that deletes the original trojan executable (EXE) file.

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".

Trojan:Win32/Urelas.C modifies the following registry entries to ensure that it runs at each Windows start:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<malware service name>\Parameters, for example "HKLM\SYSTEM\CurrentControlSet\Services\Jiuswan\Parameters"
Sets value: "ServiceDll"
With data: "<system folder>\<random>.dll", for example "C:\Windows\System32\lymucexuc.dll"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
Sets value: "<random name>", for example "Hiceegdiyfp"
With data: "<malware service name>", for example "Jiuswan"

Payload

Gathers and uploads information to a remote server

Trojan:Win32/Urelas.C monitors the following processes that belong to certain card games:

  • baduki.exe
  • DuelPoker.exe
  • FNF.exe
  • highlow2.exe
  • HOOLA3.EXE
  • LASPOKER.exe
  • poker7.exe

The trojan gathers the following information if any of the above processes are found:

  • Screenshots of the gaming window
  • Your computer's name

Trojan:Win32/Urelas.C sends this information to a remote server. We have observed it attempting to contact the following servers:

  • 113.30.<removed>.<removed>
  • 27.125.<removed>.36

Related encyclopedia entries

Trojan:Win32/Urelas.A

Analysis by Marianne Mallen


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    <system folder>\gbp.ini
    <system folder>\golfinfo.ini
    <system folder>\MkUpdate.exe
    <system folder>\setup.exe
    %TEMP%\_uninsep.bat

  • The presence of the following registry modifications:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<malware service name>\Parameters, for example "HKLM\SYSTEM\CurrentControlSet\Services\Jiuswan\Parameters"
    Sets value: "ServiceDll"
    With data: "<system folder>\<random>.dll", for example "C:\Windows\System32\lymucexuc.dll"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    Sets value: "<random name>", for example "Hiceegdiyfp"
    With data: "<malware service name>", for example "Jiuswan"
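The following triage script is an added example, not part of the Microsoft write-up. It checks the fixed file indicators listed above and, because the service and DLL names are random, walks every svchost group in the registry and reports the member services whose ServiceDll is missing, unsigned or not set, so an analyst can spot a single-service group such as the "Jiuswan" example. Cmdlet and key names are real; the function names are the example's own.

```powershell
# Added triage example for the Urelas.C indicators (not Microsoft's code).
# Run in an elevated PowerShell on the host being examined.

$SystemDir = [Environment]::GetFolderPath('System')   # resolves <system folder>
$FileIndicators = @(
    (Join-Path $SystemDir 'gbp.ini'),
    (Join-Path $SystemDir 'golfinfo.ini'),
    (Join-Path $SystemDir 'MkUpdate.exe'),
    (Join-Path $SystemDir 'setup.exe'),
    (Join-Path $env:TEMP '_uninsep.bat')
)

function Get-UrelasFileIndicators {
    # Returns only the indicator paths that actually exist on this host.
    $FileIndicators | Where-Object { Test-Path -LiteralPath $_ }
}

function Get-SvcHostGroupReview {
    # Each value under the SvcHost key is a group name; its data lists the
    # services hosted in that group. Urelas adds a random group holding its
    # own service, whose Parameters\ServiceDll points at the dropped DLL.
    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    $groups = Get-Item -LiteralPath $groupKey
    foreach ($group in $groups.GetValueNames()) {
        if ($group -eq '') { continue }          # skip the (Default) value
        foreach ($svc in @($groups.GetValue($group))) {
            $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
            $dll = $null
            if (Test-Path -LiteralPath $params) {
                $dll = (Get-ItemProperty -LiteralPath $params -ErrorAction SilentlyContinue).ServiceDll
            }
            $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $status = 'NoServiceDll'
            if ($dllPath) {
                if (Test-Path -LiteralPath $dllPath) {
                    $status = (Get-AuthenticodeSignature -LiteralPath $dllPath).Status
                } else {
                    $status = 'DllMissing'
                }
            }
            [pscustomobject]@{ Group = $group; Service = $svc; ServiceDll = $dllPath; Status = $status }
        }
    }
}

Get-UrelasFileIndicators | ForEach-Object { "File indicator present: $_" }
# Anything that is not 'Valid' is a candidate for manual review, not a verdict.
Get-SvcHostGroupReview | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

On older Windows and PowerShell versions, catalog-signed Microsoft service DLLs can be reported as NotSigned, so treat the table as a review list and confirm each hit against the file indicators and the service's creation time.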

Prevention


Alert level: Severe
First detected by definition: 1.125.1373.0
Latest detected by definition: 1.183.1275.0 and higher
First detected on: May 08, 2012
This entry was first published on: May 08, 2012
This entry was updated on: Dec 13, 2012

This threat is also detected as:
  • Win32/Urelas.F (ESET)
  • PAK_Packman (Trend Micro)
  • TR/Gupboot.987721 (Avira)
  • Trojan.AVKill.24205 (Dr.Web)
  • Trojan.Gupboot!4A23 (Rising AV)
  • Trojan.Malcol (Symantec)
  • Trojan.Win32.Urelas (Ikarus)
  • Trojan/Win32.PbBot (AhnLab)