Trojan:JS/Chafpin.gen!A is a detection for JavaScript-enabled images that, when run, post a modified copy of the malware to the 4Chan bulletin board.
Installation
Trojan:JS/Chafpin.gen!A creates the following files in the %TEMP% directory of an infected computer:

- winconfig.js - copy of itself
- winconfig.exe - creates the image file to be posted (see Payload section below)
- winconfig.dat - contains data for the next version of this malware
- sys32.exe - clean file
- db.lst - contains list of bulletin boards available on the 4Chan website (see Payload section below)
- <random file name>.png

Trojan:JS/Chafpin.gen!A makes the following changes to the registry:

Adds value: "winconfig"
With data: "wscript <path of winconfig.js>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Payload
Steals information
Trojan:JS/Chafpin.gen!A reads the content of files from the following locations:

- Desktop
- My Pictures folder
- My Documents folder

For each file that it reads, the JavaScript checks that the entry is not a folder, not a link, and is greater than 0x300000 bytes.

The content of the read file is then packaged into a new .PNG file using the dropped file "winconfig.exe". The resulting file, which may contain sensitive information alongside the trojan copy, is then posted to the 4Chan website.

Posts a copy of itself to a public website
Trojan:JS/Chafpin.gen!A relies on social engineering to convince users to download and run its copy, which it posts on a public website. Once the malware is installed on a user's computer, it runs at each Windows start.

The user receives a .PNG file that looks similar to the following images:

[sample images not reproduced]

The .PNG file stores data in a compressed format. The compressed data cannot be rendered as a picture and appears as noise ("fuzz") at the bottom of the image. The image displays instructions telling the user to save the image as a bitmap with an .HTA file extension.

If the user follows the instructions displayed in the image and saves the .PNG as a bitmap (.BMP) with the .HTA extension, the file is decompressed and the embedded data is revealed. The embedded data contains information on the new format, an image, a JavaScript file, and one or more executable files. When the file is run with the new .HTA extension, the bitmap information is ignored and the embedded JavaScript runs.

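As an added defender-side example (not part of the original analysis and not the trojan's code), the following Python script checks a PNG for HTML/HTA text that has no place in image data. Based on the description above, it assumes that the embedded content ends up in the decoded pixel bytes (the "fuzz" rows) once the scanline filters are undone; it also checks for data appended after the IEND chunk as a more general case. The marker strings, the sample image rows and the placeholder HTA text are all constructed for this example and are not indicators taken from the analysis.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed marker list: text an HTA host would act on, plus corroborating tags.
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"<html", b"javascript:")
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def parse_png(data):
    """Return (IHDR fields, concatenated IDAT bytes, bytes after IEND)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, ihdr, idat, trailing = 8, None, bytearray(), b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + payload + CRC
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", payload)
        elif ctype == b"IDAT":
            idat += payload
        elif ctype == b"IEND":
            trailing = data[pos:]  # anything after IEND is not image data
            break
    if ihdr is None:
        raise ValueError("missing IHDR")
    return ihdr, bytes(idat), trailing


def _paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def unfilter(raw, width, height, bpp):
    """Undo the per-scanline PNG filters (8-bit samples) so text in pixels is contiguous."""
    stride = width * bpp
    out, prev, pos = bytearray(), bytearray(stride), 0
    for _ in range(height):
        if pos >= len(raw):
            break  # truncated IDAT: scan what we have
        ftype, line = raw[pos], bytearray(raw[pos + 1:pos + 1 + stride])
        pos += 1 + stride
        for i in range(len(line)):
            a = line[i - bpp] if i >= bpp else 0
            b = prev[i]
            c = prev[i - bpp] if i >= bpp else 0
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                line[i] = (line[i] + _paeth(a, b, c)) & 0xFF
        out += line
        prev = line
    return bytes(out)


def inspect_png(data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    (width, height, depth, ctype, _, _, _), idat, trailing = parse_png(data)
    findings = []
    try:
        raw = zlib.decompress(idat)
    except zlib.error:
        raw = b""
        findings.append("IDAT stream does not decompress")
    pixels = raw  # for non-8-bit images fall back to scanning the filtered bytes
    if raw and depth == 8:
        pixels = unfilter(raw, width, height, CHANNELS.get(ctype, 1))
    for where, blob in (("decoded pixel data", pixels), ("data after IEND", trailing)):
        low = blob.lower()
        for marker in SCRIPT_MARKERS:
            off = low.find(marker)
            if off != -1:
                findings.append(f"{marker.decode()} in {where} at offset {off}")
                break
    return findings


def build_png(rows, width, channels=3, up_filter=False):
    """Constructed test helper: write rows of raw 8-bit samples as a PNG."""
    stride = width * channels
    raw, prev = bytearray(), bytes(stride)
    for row in rows:
        if up_filter:  # filter type 2: store each byte minus the byte above it
            raw.append(2)
            raw += bytes((row[i] - prev[i]) & 0xFF for i in range(stride))
        else:
            raw.append(0)
            raw += row
        prev = row

    def chunk(ctype, payload):
        return (struct.pack(">I", len(payload)) + ctype + payload
                + struct.pack(">I", zlib.crc32(ctype + payload)))

    ihdr = struct.pack(">IIBBBBB", width, len(rows), 8, {1: 0, 3: 2, 4: 6}[channels], 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(bytes(raw))) + chunk(b"IEND", b"")


def build_samples(width=16):
    """Constructed samples: a clean image, HTA text inside pixel rows, and text after IEND."""
    stride = width * 3
    picture = [bytes((x * 9 + c * 40 + y) & 0xFF for x in range(width) for c in range(3))
               for y in range(4)]
    hta = (b"<html><hta:application id=\"x\"><script>"
           b"/* constructed placeholder, not the trojan's script */</script></html>")
    hta += bytes(-len(hta) % stride)  # pad to whole scanlines, like the "fuzz" rows
    payload_rows = [hta[i:i + stride] for i in range(0, len(hta), stride)]
    return {
        "clean": build_png(picture, width),
        "script_in_pixels": build_png(picture + payload_rows, width, up_filter=True),
        "script_after_iend": build_png(picture, width) + b"<script>" + hta,
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(f"{label}: {inspect_png(blob) or 'clean'}")
```

The check deliberately decodes and unfilters the image rather than grepping the file, because text stored in pixel rows is zlib-compressed and filtered inside IDAT and will not match as plain bytes on disk; a match in "data after IEND" is the simpler appended-payload case and is reported separately.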
The JavaScript accesses the 4Chan website in order to post a modified version of itself on one of the 4Chan bulletin boards. The malware randomly changes its own appearance, including the color scheme, font size and type, syntax and spelling, based on a predetermined list of options.

In the wild we have observed Trojan:JS/Chafpin.gen!A generating and distributing images with spelling mistakes, presumably to evade web tools designed to detect it.
Additional information
To post on the 4Chan bulletin board, Trojan:JS/Chafpin.gen!A bypasses the 4Chan CAPTCHA.
Analysis by Michael Johnson