Thursday, March 08, 2007

Win32/Spy.Bzub.NAC

Aliases: Trojan-Spy.Win32.BZub.bs (Kaspersky), Spy-Agent.ak (McAfee), Infostealer.Bzup (Symantec)
Type of infiltration: trojan
Size: 80600 B
Affected platforms: Microsoft Windows
Signature database version: 1.1707
Short description: Win32/Spy.BZub.NAC is a trojan that steals passwords and other sensitive information.


Installation

The following file is dropped in the %system% folder:

agent_dq.dll

It is a Browser Helper Object for Internet Explorer. The file size is 60928 B.


The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73364D99-1240-4dff-B11A-67E448373048}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
(Default) = "%system%\ipv6mons.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
"ThreadingModel" = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
"Enable Browser Extensions" = "yes"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = "C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\loadnet_insll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\worg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\cmpid]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\forwas]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\h]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\nw]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\wspopp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B11A-67E448373048}]
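As an added defender-side example (not part of the original description), the following Python parses a Regedit .reg export and flags the registry footprint listed above: the BHO CLSID under Explorer, its InprocServer32 DLL, the Windows Firewall exception for IEXPLORE.EXE and any Control Panel\load subkeys. The sample export is constructed for illustration; a real check would run it over an export of HKEY_LOCAL_MACHINE.

```python
# Added example: scan a Regedit .reg export for the Bzub.NAC registry footprint.
# Indicators are quoted from the description; the sample export below is constructed.
BHO_CLSID = "{73364D99-1240-4dff-B11A-67E448373048}".lower()
BHO_KEY_SUFFIX = "explorer\\browser helper objects\\" + BHO_CLSID
FIREWALL_KEY_SUFFIX = "firewallpolicy\\standardprofile\\authorizedapplications\\list"

def unescape(s):
    """Undo the escaping Regedit applies to quoted names and string data."""
    return s.strip('"').replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    """Minimal .reg parser: returns {key path: {value name: value data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            keys[current]["(Default)" if name == "@" else unescape(name)] = unescape(data)
    return keys

def find_bzub_indicators(keys):
    """Return one human-readable finding per matching key in the parsed export."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(BHO_KEY_SUFFIX):
            findings.append("BHO registered under Explorer: " + BHO_CLSID)
        if BHO_CLSID in k and k.endswith("inprocserver32"):
            findings.append("BHO server DLL: " + values.get("(Default)", "?"))
        if k.endswith(FIREWALL_KEY_SUFFIX):
            # An IE firewall exception is weak evidence alone; it only corroborates the BHO.
            for name, data in values.items():
                if name.lower().endswith("iexplore.exe") and ":*:enabled:" in data.lower():
                    findings.append("Firewall exception for " + name)
        if "\\control panel\\load\\" in k:
            findings.append("Control Panel\\load subkey: " + key.rsplit("\\", 1)[-1])
    return findings

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
@="C:\\WINDOWS\\system32\\ipv6mons.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B11A-67E448373048}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\worg]
"""
```

Running `find_bzub_indicators(parse_reg(SAMPLE_REG))` yields four findings for the constructed export; a clean export yields an empty list.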


Information stealing

The trojan collects various information when Internet Explorer is being used to access the following sites:

app/ueberweisung.input.do
app/ueberweisung.prep.do
banking.postbank.de
banking.postbank.de/app/finanzstatus.reduziert.init.do
banking.postbank.de/app/kontoumsatz.umsatz.init.do
banking.postbank.de/app/legitimation.input.do
banking.postbank.de/app/ueberweisung.quittung.do
e-gold.com/acct/acct.asp
https://*.netbank.commbank.com.au/netbank/bankmain
https://banking.postbank.de/app/finanzstatus.init.do
https://banking.postbank.de/app/kontoumsatz.umsatz.init.do
https://banking.postbank.de/app/welcome.do
https://signin.ebay*/ws/eBayISAPI.dll
postbank.de

Some information is found in local files too. The following information is collected:

passwords, URLs visited, HTML forms content, computer name, computer IP address, Outlook Express accounts data, digital certificates

The data is saved in the %system% folder in the following files:

form.txt, info.txt, shot.html

The trojan can upload the information to a remote machine. The FTP protocol is used.

Other information

The trojan may attempt to delete all files on the C: drive and various program files.

Win32/Stration.ET

Aliases: Email-Worm.Win32.Warezov.gen (Kaspersky), W32/Stration@MM (McAfee), W32.Stration@mm (Symantec)
Type of infiltration: worm
Size: 116320 B
Affected platforms: Microsoft Windows
Signature database version: 1.1775
Short description: Win32/Stration.ET is a worm that spreads via e-mail.

Installation

When executed, the worm copies itself into the %windir% folder using the following filename:

t2serv.exe

The following files are dropped in the same folder:

t2serv.dll
t2serv.wax
t2serv.s

The following files are dropped in the %system% folder:

kbdaqosn.dll
mqpeh323.dll
vjoyslay.exe

In order to be executed on every system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"t2serv" = "%windir%\t2serv s"

The following Registry entry is set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "kbdaqosn.dll e1.dll"

A Notepad window with random text is displayed.

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

.adb,.asp,.cfg,.cgi,.dbx,.dhtm,.eml,.htm,.html,.jsp,.mbx,.mdx,
.msg,.nch,.ods,.oft,.php,.sht,.shtm,.stm,.tbb,.txt,.uin,.wab,.wsh,.xls,.xml

Addresses containing the following strings are avoided:

.edu,.gov,.mil,@avp,@foo,admin,anyone@,apache,berkeley,bsd,bugs@,
cafee,certific,contact,contract@,example,fido,ftp,gnu,gold-certs,
google,help,help@,ibm.com,icrosoft,info@,kasp,kernel,linux,local,
master,mozilla,mydomai,news,nobody,noone,noreply,panda,pgp,privacy,
rating,rfc-ed,ripe.,root@,samples,secure,sendmail,service,somebody,
someone,spam,support,unix,update,update,usenet,winrar,winzip,www,
xx,you,your

Strings from the following 4 lists may be used to form the sender address:

sec,serv,secur,adam,alice,anna,betty,bob,brenda,brent,brian,carol,claudia,craig,cyber,dan,dave,david,debby,den,Donn,frank,george,gerhard,helen,james,jane,jayson,jerry,
jim,joe,john,karen,linda,lisa,mancy,maria,ruth,sandra,sharon,
Susan,adams,allen,anderson,baker,carter,clark,garcia,gonzalez,
green,hall,harris,hernandez,hill,jackson,jeremy,joe,kenneth,
king,lee,lewis,lopez,martin,martinez,miller,molly,moore,nelson,
robinson,robyn,rodriguez,scott,shaan,taylor,thomas,thompson,
walker,white,wilson,wright,young,areainc.com,logoluso.com,
heatwave.com,megaman.com,scholzes.com,guierfence.com,tjh.com,
phazen.net,fcradio.net,niet.com,gametemple.com,midmich.net,
vieng.com,elamex.com,sycamorepd.com,selectplans.com,
motorsportwarehouse.com,telcan.com,iinet.net.au,firstclassmoving.com

Subject of the message is one of the following:

Mail server report,Server Report,Mail Delivery System,test
picture,hello,Status,Error,Good day,Mail Transaction Failed

Body of the message is one of the following:

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.


Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

The attachment is either an executable of the worm, or a ZIP archive containing it. Its filename is one of the following:

body,data,doc,docs,document,file,message,readme,test,text,Update-KB-abcd-x86

The "abcd" stands for a variable four-digit number. If an archive is attached, the name has the following extension:

.zip

If an executable is attached, a double extension may be used. The first is one of the following:

dat,doc,elm,log,msg,txt

The second is one of the following:

bat,cmd,exe,pif,scr
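As an added mail-gateway example (not part of the original description), the following Python turns the lexicon above into a triage heuristic: it recognises attachment names built from the listed base names or the Update-KB-abcd-x86 pattern with either a .zip extension or a decoy/executable double extension, and combines that with a subject-line match. The sample messages are constructed; the score threshold is an assumption chosen to avoid acting on common subjects such as "hello" alone.

```python
import re

# Added example: triage heuristic built from the Stration.ET lexicon quoted above.
SUBJECTS = {"mail server report", "server report", "mail delivery system", "test",
            "picture", "hello", "status", "error", "good day", "mail transaction failed"}
BASENAMES = {"body", "data", "doc", "docs", "document", "file", "message",
             "readme", "test", "text"}
KB_NAME = re.compile(r"^update-kb-\d{4}-x86$")   # "abcd" is a four-digit number
FIRST_EXT = {"dat", "doc", "elm", "log", "msg", "txt"}   # decoy extension
SECOND_EXT = {"bat", "cmd", "exe", "pif", "scr"}         # real executable extension

def attachment_matches(filename):
    """True when the name follows the worm's scheme: a lexicon base name (or
    Update-KB-dddd-x86) followed by .zip or by <decoy ext>.<executable ext>."""
    parts = filename.lower().split(".")
    base, exts = parts[0], parts[1:]
    if base not in BASENAMES and not KB_NAME.match(base):
        return False
    if exts == ["zip"]:
        return True
    return len(exts) == 2 and exts[0] in FIRST_EXT and exts[1] in SECOND_EXT

def score_message(subject, attachments):
    """Return (score, reasons). 2 = subject and attachment both match; a lone
    subject hit ("hello", "test") is too common to act on by itself."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject in worm lexicon")
    for name in attachments:
        if attachment_matches(name):
            reasons.append("attachment follows worm naming: " + name)
            break
    return len(reasons), reasons

# Constructed sample messages: (subject, attachment names).
SAMPLE_MESSAGES = [
    ("Mail server report", ["Update-KB-4471-x86.zip"]),
    ("Error", ["document.txt.exe"]),
    ("hello", ["holiday.jpg"]),
    ("Q3 budget", ["budget.xls"]),
    ("Mail Transaction Failed", ["message.log"]),
]

def triage(messages, threshold=2):
    """Return the subjects of messages scoring at or above the threshold (assumed value)."""
    return [subj for subj, atts in messages if score_message(subj, atts)[0] >= threshold]
```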

Other information

The worm quits immediately if any of the following applications is detected:

Outpost Firewall,McAfee Personal Firewall,Kerio Winroute Firewall,ZoneAlarm,Sygate Personal Firewall,Norton Internet Security

The following programs are terminated:

nod32krn,avginet,avgupsvc,upgrader,drwebupw,spiderml,autodown
kav,mcupdate,tbmon,wuauclt,wuauclt1,wupdmgr

The worm contains a list of URLs. It tries to download several files from the addresses. The files are then executed.