Trojan:Win32/Wisp.B is a trojan that drops a malicious DLL on the affected system, detected as Trojan:Win32/Wisp.A. Trojan:Win32/Wisp.A steals sensitive information from the compromised computer, and allows an attacker to gain access to the system in order to perform additional malicious actions.
When executed, Trojan:Win32/Wisp.B copies itself to the following file locations on the affected computer:
It then sets the following registry entry so that "note.exe" is executed at each Windows start:
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "note"
With data: "%Temp%\note.exe -installkys"
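A triage check for the Run-key persistence described above, as an added example that is not part of the original write-up: it parses saved `reg query` output for the HKCU Run subkey and flags values that match the listed indicators. The sample output, the function names, the two-indicator threshold and the handling of an already-expanded Temp path are assumptions.

```python
import re

# One value line of `reg query` output: 4-space indent, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Temp folder as the literal variable or as an expanded path component (assumption).
TEMP_DIR = re.compile(r"(%temp%|\\temp)\\", re.IGNORECASE)
NOTE_EXE = re.compile(r"(^|\\)note\.exe(\s|$)")

# Constructed sample of `reg query` output for the HKCU Run subkey, not from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    note    REG_SZ    C:\Users\alice\AppData\Local\Temp\note.exe -installkys
    Notes Sync    REG_SZ    "C:\Program Files\Notes\notesync.exe" -tray
"""

def parse_run_values(text):
    """Return (name, data) for every value line in `reg query` text."""
    matches = (VALUE_LINE.match(line) for line in text.splitlines())
    return [(m.group("name"), m.group("data").strip()) for m in matches if m]

def score_entry(name, data):
    """List the indicators from the write-up that one Run value matches."""
    cmd = data.lower().replace('"', "")
    hits = []
    if name.lower() == "note":
        hits.append("value name 'note'")
    if NOTE_EXE.search(cmd):
        hits.append("runs note.exe")
    if "-installkys" in cmd.split():
        hits.append("-installkys argument")
    if TEMP_DIR.search(cmd):
        hits.append("launches from Temp")
    return hits

def find_suspicious(text, threshold=2):
    """Return (name, data, hits) for values matching at least `threshold` indicators."""
    scored = ((n, d, score_entry(n, d)) for n, d in parse_run_values(text))
    return [entry for entry in scored if len(entry[2]) >= threshold]

if __name__ == "__main__":
    for name, data, hits in find_suspicious(SAMPLE):
        print(f"{name!r} -> {data}: {', '.join(hits)}")
```

Requiring two indicators keeps an unrelated program that merely starts from the Temp folder, or a legitimate value that happens to be named "note", from being flagged on its own.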
Installs additional malware
The trojan then drops the following DLL onto the system and sets its creation date and time to that of the system file, svchost.exe:
The trojan checks if the following processes are running, and injects this DLL into the memory space of one of them:
Trojan:Win32/Wisp.B initially checks if its executable is launched with the -removekys argument, and if so, it terminates the "clipsvc.exe" process and removes the registry entry:
Analysis by Amir Fouda