Installation
Win32/Derusbi is a multi-component malware family. It uses different trojans to perform the following actions:
- Disable security products
- Gain remote access to your PC
- Monitor web traffic and log your keystrokes
- Connect to a remote server
The downloaded files will differ depending on the instructions from a malicious hacker.
Some variants try to pose as a legitimate install by dropping themselves in folder names such as:
We have seen some variants replace legitimate files, bypassing the system file checker, such as:
The following are examples of file names we have seen being used by these threats:
Win32/Derusbi encrypts its components to avoid antimalware scanners. It decrypts the files in memory when it needs to use them.
Registry modifications
Variants can modify the following registry entries so that they run each time you start your PC:
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: LoadAppInit_DLLs
With data: "1"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: AppInit_DLLs
With data: "<malware path>", for example %APPDATA%\Intel\jloadl.dat
Some variants install themselves as a service via the following registry entry:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
Sets value: "ServiceDll"
With data: "%windir%\system32\<malware file>", for example %windir%\system32\msusbgub.dat
Variants that replace an existing service file such as <system folder>\mspmsnsv.dll also modify the following registry entry so that they run each time you start your PC:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSN\
Sets value: "Start"
With data: "2"
Some variants use the startup folder by modifying the following link file with the malware path:
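The three registry persistence mechanisms listed above (AppInit_DLLs injection, a hijacked wuauserv ServiceDll, and the WmdmPmSN service forced to auto-start) can be checked offline against a registry export. The script below is an added example, not part of this analysis or Microsoft's tooling: it parses a `.reg` export (string, dword and hex(2) expand-string values, including wrapped hex lines) and flags the entries this writeup describes. The sample export is constructed to resemble an infected host; the expectation that wuauserv's ServiceDll normally points at wuaueng.dll is Windows' shipped default and is an assumption the page itself does not state.

```python
"""Audit a Windows .reg export for the Win32/Derusbi persistence entries.

Added example, not Microsoft's code. SAMPLE_REG is a constructed export;
the wuaueng.dll default for wuauserv is assumed from Windows, not the writeup.
"""
import re

# Constructed .reg export mimicking the registry changes described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\Users\\victim\\AppData\\Roaming\\Intel\\jloadl.dat"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,75,00,73,00,62,00,\
  67,00,75,00,62,00,2e,00,64,00,61,00,74,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN]
"Start"=dword:00000002
'''

APPINIT_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
SERVICES = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])                      # REG_SZ
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)              # REG_DWORD
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        if m.group(1) in ('2', '7'):                     # REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode('utf-16-le').rstrip('\x00')
        return data                                      # REG_BINARY and others
    return raw


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    # Hex data wraps with ",\" at end of line and an indented continuation.
    joined = re.sub(r',\\\r?\n\s*', ',', text)
    keys, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        keys[current][_unescape(m.group(1))] = decode_value(m.group(2))
    return keys


def audit_derusbi_persistence(reg):
    """Return human-readable findings for the persistence entries in the writeup."""
    findings = []
    win = reg.get(APPINIT_KEY, {})
    dlls = str(win.get('AppInit_DLLs', '')).strip()
    if win.get('LoadAppInit_DLLs') == 1 and dlls:
        for path in re.split(r'[ ,;]+', dlls):
            # Derusbi names its loader .dat; a non-.dll AppInit entry is a strong signal.
            tag = 'review' if path.lower().endswith('.dll') else 'suspicious'
            findings.append(f'{tag}: AppInit_DLLs loads {path}')
    params = reg.get(SERVICES + r'\wuauserv\Parameters', {})
    svc_dll = str(params.get('ServiceDll', ''))
    if svc_dll and not svc_dll.lower().endswith(r'\wuaueng.dll'):
        findings.append(f'suspicious: wuauserv ServiceDll is {svc_dll}')
    pmsn = reg.get(SERVICES + r'\WmdmPmSN', {})
    if pmsn.get('Start') == 2:
        findings.append('review: WmdmPmSN Start=2 (auto-start); verify mspmsnsv.dll integrity')
    return findings


if __name__ == '__main__':
    for finding in audit_derusbi_persistence(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host, export the two hives with `reg export` and feed the files to `parse_reg`; on 64-bit Windows also export the `Wow6432Node` copy of the AppInit key, since 32-bit processes read that one.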
Payload
Connects to a remote server
Win32/Derusbi includes a backdoor component which can do the following:
- Update itself
- Receive configuration or other data
- Download and run other malware files
- Upload data taken from your PC
- Receive instructions from a malicious hacker
Steals sensitive information
Win32/Derusbi gathers sensitive information from your PC and sends it to a remote server. It checks the registry, running processes, and queries your PC in order to gather this data. We have seen variants gathering the following information from infected PCs:
- IP addresses
- IE Proxy Server settings
- Installed antimalware software names
- Language settings
- MAC address
- Screenshots
- Stored Internet Explorer Autocomplete usernames and passwords
- User login names
- User names and passwords for the system's default mail account, MSN and Outlook
- Version of Windows
Variants can also log the keystrokes that you enter into any active window on your PC. The collected information is saved to a local file, for example %windir%\Temp\ziptmp$1.tmp21.
They also search for files with the following extensions and send the files to a remote machine via the backdoor component:
- .doc
- .docx
- .ppt
- .pptx
- .xls
- .xlsx
Analysis by Alden Pornasdoro