This threat can be installed from a .zip file attached to a spam email or by exploit kits, such as FlashPack. We have also seen it installed by other malware, such as Win32/Zemot.
It installs a copy of itself under %APPDATA%, using a random folder name and a random file name, for example %APPDATA%\jhwdwcib\rttavjuv.exe.
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "<Random value>", for example "Microsoft", or "WinRar"
With data: "%APPDATA%\<random folder name>\<random file name>", for example "%APPDATA%\jhwdwcib\rttavjuv.exe"
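The autostart entry above can be checked with the following script. It is an added example, not code from the original analysis: it parses the output of "reg query" for the Policies\Explorer\Run key and flags any value whose data points at an executable under %APPDATA% (expanded or not), which is how this threat persists. The sample "reg query" output embedded in it is constructed to match the example entry in the text, and the function and variable names are the author's own.

```python
"""Look for this threat's autostart value under Policies\\Explorer\\Run.

Added example, not part of the original analysis. Parses `reg query` output
and reports values whose data is an .exe under the roaming profile.
"""
import re
import subprocess
import sys

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# A value line of `reg query` output: <name>  <REG_type>  <data>, columns
# separated by runs of spaces. Names may themselves contain single spaces.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Return (name, type, data) for every value line in `reg query` output."""
    values = []
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values.append((m["name"], m["type"], m["data"].strip()))
    return values


def suspicious_autoruns(values):
    """Values whose data is an .exe under %APPDATA% (unexpanded or expanded)."""
    hits = []
    for name, _type, data in values:
        target = data.strip('"').lower()
        in_appdata = target.startswith("%appdata%\\") or "\\appdata\\roaming\\" in target
        if in_appdata and target.endswith(".exe"):
            hits.append((name, data))
    return hits


def query_live():
    """On Windows, run `reg query` against the key; elsewhere return None."""
    if not sys.platform.startswith("win"):
        return None
    out = subprocess.run(["reg", "query", RUN_KEY], capture_output=True, text=True)
    # A missing key makes `reg query` exit non-zero: nothing to report.
    return suspicious_autoruns(parse_reg_query(out.stdout)) if out.returncode == 0 else []


# Constructed sample output: the entry from the analysis plus one unrelated value.
SAMPLE_OUTPUT = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
    Microsoft    REG_SZ    %APPDATA%\\jhwdwcib\\rttavjuv.exe
    Updater    REG_EXPAND_SZ    C:\\Program Files\\Example\\updater.exe
"""

if __name__ == "__main__":
    live = query_live()
    hits = live if live is not None else suspicious_autoruns(parse_reg_query(SAMPLE_OUTPUT))
    for name, data in hits:
        print(f"suspicious autorun value {name!r} -> {data}")
```

The value name is deliberately ignored, because the threat picks names such as "Microsoft" or "WinRar" that look legitimate; what gives it away is an executable living in a random folder under the roaming profile.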
This threat checks for an Internet connection by connecting to www.msn.com.
The malware tries to avoid analysis by checking whether it is running in a sandbox. If it detects a sandbox, it can sleep indefinitely. It checks for a sandbox by:
- Checking if its file name is "sample.exe"
- Calling GetVolumeInformationA() to check if it is running in a sandbox specific to the following malware analysis systems:
- Checking if the following dynamic-link library (DLL) files are loaded:
sbiedll – Sandboxie DLL
dbghelp – Windows Debug Help Library
- Reading the hard disk serial ID from the following registry entry:
- Checking if the hard disk serial ID contains one of the following strings:
qemu – QEMU emulator
virtual – VirtualBox, Hyper-V
vmware – VMware
xen – Xen open source hypervisor
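The decision logic of these checks is re-implemented below so an analyst can see which of them a given sandbox would trip. This is an added example written for this page, not the malware's code. The volume labels it compares against and the registry path for the disk serial are not given in the analysis, so the volume check takes caller-supplied markers and the serial string is passed in rather than read from the registry; the environment values in the "__main__" section are constructed.

```python
"""Which of this threat's sandbox checks would fire in a given environment.

Added example, not the malware's code. Mirrors the checks listed above:
file name, volume information, loaded analysis DLLs and disk serial strings.
"""
import ctypes
import ntpath
import sys

# DLL base names whose presence in the process marks an analysis environment.
ANALYSIS_DLLS = {"sbiedll": "Sandboxie", "dbghelp": "Windows Debug Help Library"}
# Substrings of the disk serial ID that identify a virtual machine.
VM_SERIAL_MARKERS = {
    "qemu": "QEMU",
    "virtual": "VirtualBox / Hyper-V",
    "vmware": "VMware",
    "xen": "Xen",
}
SUSPICIOUS_FILE_NAME = "sample.exe"


def evasion_triggers(exe_path, loaded_modules, disk_serial, volume_label="", volume_markers=()):
    """Describe each check that would make the threat go to sleep indefinitely."""
    hits = []
    # 1. File name check (ntpath handles Windows paths on any host).
    if ntpath.basename(exe_path).lower() == SUSPICIOUS_FILE_NAME:
        hits.append("file name is sample.exe")
    # 2. What GetVolumeInformationA would reveal; markers are caller-supplied
    #    because the analysis does not list them.
    for marker in volume_markers:
        if marker.lower() in volume_label.lower():
            hits.append(f"volume label matches {marker!r}")
    # 3. Loaded-module check, matching on the DLL base name.
    for module in loaded_modules:
        stem = ntpath.splitext(ntpath.basename(module))[0].lower()
        if stem in ANALYSIS_DLLS:
            hits.append(f"{ANALYSIS_DLLS[stem]} DLL loaded ({stem})")
    # 4. Disk serial substring check.
    serial = disk_serial.lower()
    for marker, product in VM_SERIAL_MARKERS.items():
        if marker in serial:
            hits.append(f"disk serial contains {marker!r} ({product})")
    return hits


def loaded_analysis_dlls():
    """Windows only: ask GetModuleHandleW whether the DLLs are in this process."""
    if not sys.platform.startswith("win"):
        return []
    kernel32 = ctypes.windll.kernel32
    return [f"{name}.dll" for name in ANALYSIS_DLLS if kernel32.GetModuleHandleW(name)]


if __name__ == "__main__":
    # Constructed picture of a poorly hardened analysis VM.
    hits = evasion_triggers(
        r"C:\analysis\sample.exe",
        ["ntdll.dll", "kernel32.dll", "SbieDll.dll"] + loaded_analysis_dlls(),
        "VMware Virtual disk 1.0",
    )
    for hit in hits:
        print("would be detected:", hit)
```

Two practical points fall out of running it. A VMware guest trips the serial check twice, because "virtual" also appears in VMware's product string, so spoofing only the "vmware" token is not enough. And the cheapest hardening is on the sandbox side: never submit the sample as sample.exe, keep sbiedll and dbghelp out of the sample's process, and make sure the disk serial the guest exposes carries none of the four strings.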
Downloads other malware
This threat can download and run other malware onto your PC. We have seen it download malware from the following families:
Contacts a malicious hacker
This threat collects information about your PC, such as:
It sends this information to its command and control (C&C) server, with a seller ID included in the request URL, and tries to hide the server address from analysis. To do this it enumerates the registry entries under the following key:
It then gathers URLs from data within the following registry values:
It sends HTTP POST requests carrying the stolen information to the URLs it finds there as well as to its C&C server. The network traffic is usually encrypted with a custom algorithm.
The remote C&C responds with encrypted data that includes commands and other payload binaries or plugins.
We have seen this threat contact the following C&C servers:
The malware can create a mutex whose name is derived from your PC name and volume serial number. This acts as an infection marker that prevents more than one copy of the threat from running on your PC.
Analysis by Rex Plantado