Short description
The trojan collects sensitive information when the user browses certain web sites. The trojan can send the information to a remote machine. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
The trojan creates the following folders:
The trojan creates the following files:
- %system%\lowsec\user.ds.lll
- %system%\lowsec\user.ds
- %system%\lowsec\local.ds
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%system%\userinit.exe, %system%\sdra64.exe"
This causes the trojan to be executed on every system start.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
"UID" = "%computername%_%variable%"
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
"{3039636B-5F3D-6C64-6675-696870667265}" = %hex_value1%
"{33373039-3132-3864-6B30-303233343434}" = %hex_value2%
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
"{3039636B-5F3D-6C64-6675-696870667265}" = %hex_value1%
"{33373039-3132-3864-6B30-303233343434}" = %hex_value2%
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
The trojan creates and runs a new thread with its own program code within the following processes:
- winlogon.exe
- svchost.exe
- explorer.exe
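As an added host check, not part of the original description, the following PowerShell script looks for the installation artifacts listed above: an entry in the Winlogon Userinit value other than userinit.exe, the files dropped under %system%\lowsec and the sdra64.exe copy, the Network UID value, and the two Explorer marker keys under HKEY_USERS\.DEFAULT. It assumes that %system% resolves to $env:SystemRoot\System32 and that it is run from an elevated prompt.

```powershell
# Added host check (not from the original description). Assumption: %system%
# is $env:SystemRoot\System32; run elevated so HKEY_USERS\.DEFAULT is readable.

$system   = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Persistence: Userinit should only launch userinit.exe. Every other
#    comma-separated entry is executed at each logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    $entries = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        # -notmatch is case-insensitive by default in PowerShell
        if ($entry -notmatch '\\userinit\.exe$') {
            $findings += "Unexpected Userinit entry: $entry"
        }
    }
}

# 2. Dropped files named in the description
$paths = @(
    (Join-Path $system 'sdra64.exe'),
    (Join-Path $system 'lowsec\user.ds.lll'),
    (Join-Path $system 'lowsec\user.ds'),
    (Join-Path $system 'lowsec\local.ds')
)
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) { $findings += "Dropped file present: $path" }
}

# 3. Registry markers: the UID value and the two Explorer subkeys
$network = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network'
$uid = (Get-ItemProperty -Path $network -Name UID -ErrorAction SilentlyContinue).UID
if ($uid) { $findings += "Network UID value set: $uid" }

$markers = '{334613DB-50C1-B3BE-95ED-E9915A134FF1}', '{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}'
foreach ($guid in $markers) {
    $key = "Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\$guid"
    if (Test-Path -LiteralPath $key) { $findings += "Explorer marker key present: $key" }
}

if ($findings.Count -eq 0) {
    'No artifacts from this description were found.'
} else {
    $findings
}
```

A legitimate Userinit value normally ends with a trailing comma, which the empty-entry filter tolerates. A clean result only means these specific artifacts are absent; the injected threads in winlogon.exe, svchost.exe and explorer.exe are not examined by this script.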
Information stealing
The trojan collects sensitive information when the user browses certain web sites.
The trojan can send the information to a remote machine. The FTP protocol is used.
Other information
The trojan hooks the following Windows APIs:
- NtCreateThread (ntdll.dll)
- LdrLoadDll (ntdll.dll)
- LdrGetProcedureAddress (ntdll.dll)
- NtQueryDirectoryFile (ntdll.dll)
- send (wsock32.dll)
- sendto (wsock32.dll)
- closesocket (wsock32.dll)
- send (ws2_32.dll)
- sendto (ws2_32.dll)
- WSASend (ws2_32.dll)
- WSASendTo (ws2_32.dll)
- closesocket (ws2_32.dll)
- HttpSendRequestW (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- HttpSendRequestExA (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExW (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetCloseHandle (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- HttpQueryInfoW (wininet.dll)
- TranslateMessage (user32.dll)
- GetClipboardData (user32.dll)
The following services are disabled:
The trojan contains a URL. It tries to download a file from this address. The HTTP protocol is used.
The file is stored in the following location:
The trojan receives data and commands from a remote computer or the Internet.
It can execute the following operations:
- monitor network traffic
- redirect traffic
- capture screenshots
- send files to a remote computer
- download files from a remote computer and/or Internet
- retrieve information from protected storage and send it to the remote computer
- steal information from Windows clipboard
The trojan may create and run a new thread with its own program code within any running process.