Trojan:Win32/Wisp.gen!A is a generic detection for a trojan family that steals system information from the compromised computer, allowing an attacker to gain unauthorized access to the system in order to perform various malicious actions, including downloading and uploading files.
Installation
When executed, Trojan:Win32/Wisp.gen!A copies itself to the %TEMP% directory, and then modifies the registry so this copy is executed at each Windows start. In the wild, it has copied itself using file names such as those listed below:
- adobeupdate.exe
- nsunday.exe
- msasp.exe
- ctrl.exe
- eparty.exe
It then makes the following registry modification so that this dropped copy is executed at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <filename>
With data: %TEMP%\<filename.exe> -installkys
For example, if it copies itself to %TEMP%\adobeupdate.exe, it makes the following registry modification:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: adobeupdate
With data: %TEMP%\adobeupdate.exe -installkys
The trojan then drops a DLL in the %TEMP% directory, setting its creation date and time to that of svchost.exe. The file name of this DLL also varies, and can have a name such as:
- bsunday.dll
- nsunday.dll
- wofaxgui.dll
- epart.dll
- wracing.dll
The trojan checks if the following processes are running, and injects this DLL into the memory space of one of them:
- iexplore.exe
- outlook.exe
- firefox.exe
This DLL is also detected as Trojan:Win32/Wisp.gen!A and performs the main payload.
Payload
Steals system information
Trojan:Win32/Wisp.gen!A contacts a script on a particular domain through HTTPS (Hypertext Transfer Protocol Secure) in order to send sensitive information retrieved from the system. Domains it may contact include:
- hotgreenlight.com
- defense-association.com
- marinetimemac.com
- mysundayparty.com
Information it sends to these domains includes:
- Computer name
- IP address
- Proxy server and port number
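The observables described above (the Run-key value pointing at a %TEMP% executable with the -installkys switch, the dropped DLL whose creation time has been copied from svchost.exe, and HTTPS connections to the listed domains) can be turned into simple triage checks. The script below is an added example written for this page; it is not code from the encyclopedia entry or from Microsoft. It assumes the Run key has already been read into a name-to-data dictionary, that a %TEMP% directory listing has been reduced to file name and creation time, and that proxy log lines take a constructed `<timestamp> <client> CONNECT host:443 ...` form; it also assumes that on a live host the %TEMP% variable in the Run data may already be expanded to a concrete ...\Temp\ path. All sample inputs are constructed inline so the script runs offline.

```python
"""Triage checks for the Trojan:Win32/Wisp.gen!A indicators in the text above.

Added example, not code from the Microsoft entry. Inputs are constructed
inline; on a live host you would feed it the real Run key, the %TEMP%
directory listing and your proxy log.
"""
import re
from datetime import datetime

# Domains named in the entry.
WISP_DOMAINS = {
    "hotgreenlight.com",
    "defense-association.com",
    "marinetimemac.com",
    "mysundayparty.com",
}

# Run-key data pattern from the entry: %TEMP%\<filename.exe> -installkys.
# Assumption: %TEMP% may already be expanded, so a concrete ...\Temp\ path
# is accepted as well.
RUN_DATA_RE = re.compile(
    r'^"?(?:%TEMP%|.*\\Temp)\\([^\\"]+\.exe)"?\s+-installkys\s*$',
    re.IGNORECASE,
)


def flag_run_entries(run_values):
    """Return (value_name, exe_name) for Run entries matching the Wisp pattern.

    run_values: dict of value name -> data, as read from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    hits = []
    for name, data in run_values.items():
        m = RUN_DATA_RE.match(data)
        if m:
            hits.append((name, m.group(1)))
    return hits


def flag_timestomped_dlls(temp_listing, svchost_ctime):
    """Return DLL names in %TEMP% whose creation time equals svchost.exe's.

    temp_listing: dict of file name -> creation datetime for %TEMP%.
    svchost_ctime: creation datetime of the system's svchost.exe.
    A DLL in a user temp directory sharing that exact timestamp is the signal.
    """
    return sorted(
        name for name, ctime in temp_listing.items()
        if name.lower().endswith(".dll") and ctime == svchost_ctime
    )


# Constructed proxy log format: "<timestamp> <client> CONNECT host:443 <status>".
PROXY_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) CONNECT (?P<host>[^:\s]+):443\b")


def flag_c2_connections(proxy_lines):
    """Return (timestamp, client, host) for HTTPS CONNECTs to the listed domains."""
    hits = []
    for line in proxy_lines:
        m = PROXY_LINE_RE.match(line)
        if not m:
            continue
        host = m.group("host").lower()
        # Match the domain itself or any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in WISP_DOMAINS):
            hits.append((m.group("ts"), m.group("client"), host))
    return hits


# Constructed sample inputs (not captured from a real system).
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "adobeupdate": r"%TEMP%\adobeupdate.exe -installkys",
    "ctrl": r"C:\Users\alice\AppData\Local\Temp\ctrl.exe -installkys",
    "updater": r"%TEMP%\legit.exe",  # temp path but no -installkys switch
}
SVCHOST_CTIME = datetime(2009, 7, 14, 1, 14, 41)
SAMPLE_TEMP = {
    "nsunday.dll": SVCHOST_CTIME,
    "report.docx": datetime(2013, 5, 2, 9, 30, 0),
    "setup.dll": datetime(2013, 5, 1, 17, 2, 10),
    "adobeupdate.exe": datetime(2013, 5, 2, 9, 15, 0),
}
SAMPLE_PROXY = [
    "2013-05-02T09:16:02Z 10.0.0.15 CONNECT www.microsoft.com:443 200",
    "2013-05-02T09:16:05Z 10.0.0.15 CONNECT mysundayparty.com:443 200",
    "2013-05-02T09:16:09Z 10.0.0.22 CONNECT update.hotgreenlight.com:443 200",
    "2013-05-02T09:16:11Z 10.0.0.22 GET http://example.com/ 200",
]

if __name__ == "__main__":
    print("Run-key hits:", flag_run_entries(SAMPLE_RUN))
    print("Timestomped DLLs:", flag_timestomped_dlls(SAMPLE_TEMP, SVCHOST_CTIME))
    print("C2 connections:", flag_c2_connections(SAMPLE_PROXY))
```

The Run-key check keys on the -installkys switch rather than the file name, because the entry states that the file name varies between samples while the switch is constant; likewise the DLL check uses the copied svchost.exe timestamp rather than the DLL names, which also vary.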
Backdoor functionality
Trojan:Win32/Wisp.gen!A downloads a configuration file that may contain commands instructing the trojan to perform the following actions on the compromised computer:
- Download files
- Upload files
- Execute commands through the command prompt
- Get a list of processes running on the system
- Reboot the system
- Steal passwords
- Terminate processes
- Retrieve the Remote Desktop Protocol (RDP) listening port number
Additional information
The trojan creates and deletes a number of files in the %TEMP% directory during its execution, using them to store configuration data and other information gathered by the trojan from the computer. For example, one sample was observed to create the following files:
- pdnsunday.tmp
- gdnsunday.tmp
- pnsunday.tmp
- gnsunday.tmp
Analysis by Amir Fouda