TrojanSpy:Win32/Arpoc.A is a trojan that connects to computers across the local class C network, searching for vulnerable hosts that have not applied Security Bulletin MS08-067. The trojan exploits this specific vulnerability to install TrojanSpy:Win32/Gimmiv.A, a data-collecting trojan.
Win32/Arpoc.A may be distributed in a cabinet archive file named 'inetproc02x.cab' containing the following files:
- basesvc.dll - identified as TrojanSpy:Win32/Arpoc.A.dll
- install.bat - identified as TrojanSpy:BAT/Arpoc.A
- svicon.dll - identified as TrojanSpy:Win32/Arpoc.A.dll
- winbase.dll - identified as TrojanSpy:Win32/Arpoc.A.dll
- winbaseInst.exe - identified as TrojanSpy:Win32/Arpoc.A
The Win32/Arpoc.A executable and DLL components are installed to the <system folder>\wbem folder by the batch script 'install.bat'. When run, BAT/Arpoc.A copies the files to the following locations:
- <system folder>\wbem\basesvc.dll
- <system folder>\wbem\syicon.dll
- <system folder>\wbem\winbase.dll
- <system folder>\wbem\winbaseInst.exe
TrojanSpy:Win32/Arpoc.A modifies the registry to run 'winbase.dll' and 'basesvc.dll' at Windows start.
Adds value: "ServiceDll"
With data: "<system folder>\wbem\winbase.dll"
To subkey: HKLM\SYSTEM\ControlSet001\Services\BaseSvc\Parameters
Adds value: "BaseSvc"
With data: "basesvc"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
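The two registry entries above are the standard pattern for a DLL hosted by svchost.exe: the SvcHost value registers a service group, and the service's Parameters\ServiceDll value names the DLL that svchost loads for it. The following PowerShell script is an added example for checking a Windows host for this persistence; it is not part of the original analysis. It walks every svchost group, resolves each member service's ServiceDll, and reports any whose file name matches the Arpoc.A component names listed in this entry, then checks the wbem folder for those files on disk. It assumes the active control set (HKLM\SYSTEM\CurrentControlSet, which Windows maps to the control set the entry lists as ControlSet001 when that set is the one in use) and is read-only. Because the legitimate WMI service also loads its ServiceDll from the wbem folder, the check keys on the file names rather than on the folder.

```powershell
# Added example (not from the original entry): audit svchost-hosted services and the
# wbem folder for the Win32/Arpoc.A components described above. Read-only.

function Find-ArpocPersistence {
    # Component file names taken from this entry (both spellings of the icon DLL are included
    # because the entry lists it as 'svicon.dll' and 'syicon.dll').
    $indicatorFiles = @('basesvc.dll', 'winbase.dll', 'svicon.dll', 'syicon.dll', 'winbaseInst.exe')
    $svchostKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    $findings       = @()

    # Each value under the SvcHost key names a service group; its REG_MULTI_SZ data lists the
    # services that run in that group's svchost.exe instance.
    $groups = Get-ItemProperty -Path $svchostKey
    foreach ($prop in $groups.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider metadata properties
        foreach ($svc in @($prop.Value)) {
            # Assumption: CurrentControlSet is the control set the entry calls ControlSet001.
            $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
            $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if (-not $dll) { continue }
            $leaf = Split-Path -Leaf ([Environment]::ExpandEnvironmentVariables($dll))
            if ($indicatorFiles -contains $leaf) {
                $findings += [pscustomobject]@{
                    Type       = 'RegistryServiceDll'
                    Group      = $prop.Name
                    Service    = $svc
                    ServiceDll = $dll
                }
            }
        }
    }

    # Second check: the dropped component files in <system folder>\wbem.
    $wbem = Join-Path $env:SystemRoot 'System32\wbem'
    foreach ($name in $indicatorFiles) {
        $path = Join-Path $wbem $name
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{
                Type       = 'FileOnDisk'
                Group      = ''
                Service    = ''
                ServiceDll = $path
            }
        }
    }
    return $findings
}

$results = Find-ArpocPersistence
if ($results.Count -eq 0) {
    Write-Output 'No Win32/Arpoc.A persistence indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so that the Services and SvcHost keys can be read in full; a match on ServiceDll alone, with no corresponding file in the wbem folder, still indicates a service registration worth removing, since svchost.exe will attempt to load that path at every start.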
Installs Malware on Other Computers
This trojan attempts to enumerate computers across the local class C network. Once connected, the trojan uses exploit code to attack target hosts that have not applied Security Bulletin MS08-067. If the trojan successfully exploits a vulnerable computer, it launches shell code that downloads TrojanSpy:Win32/Gimmiv.A to the target computer and executes it there.
Analysis by Aaron Putnam