Virus: TR/PSW.Raven.A
Date discovered: 10/03/2006
Type: Trojan
In the wild: No
Reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 31.913 Bytes
MD5 checksum: 8b0908665655c086ae2277f913ec9a86
VDF version: 6.34.00.26

General method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-PSW.Win32.Raven.a


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\msoff.exe



The following files are created:

– %ALLUSERSPROFILE%\Documents\Settings\raven2BGps
  This is a non-malicious text file with the following content:
   • %stolen information%

– %ALLUSERSPROFILE%\Documents\Settings\raven2BGlog_temp%random character string%
  This is a non-malicious text file with the following content:
   • %stolen information%

– %TEMPDIR%\jav2.tmp
  Further investigation showed that this file is malware, too.

– %ALLUSERSPROFILE%\Documents\Settings\desktop.ini
  Contains parameters used by the malware.

– %ALLUSERSPROFILE%\raven2BG_%random character string%dat
  This file serves as a flag for an internal routine.

Registry
The following registry value is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Microsoft Office = %SYSDIR%\msoff.exe

Backdoor
The following port is opened:

– svchost.exe on a random TCP port, in order to provide a SOCKS5 proxy server.


Contact server:
All of the following:
   • http://downboost.com/m/**********
   • ftp://dust.downboost.com

As a result it may send some information.

Sends information about:
   • Created logfiles
   • Current user
   • IP address
   • Opened port
   • Information about the Windows operating system


Remote control capabilities:
   • Start keylog

Stealing
It tries to steal the following information:
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– A logging routine is started after a website is visited whose URL contains the following substring:
   • %given parameter%

– It captures:
   • Window information
   • Login information

Injection
It injects the following file into a process: %TEMPDIR%\jav2.tmp

All of the following processes:
   • svchost.exe
   • lsass.exe


Miscellaneous
Mutex:
It creates the following Mutexes:
   • raven2BG_mutex_file_fake
   • raven2BG_mutex_file_vk
   • raven2BG_mutex_file_body
   • raven2BG_mutex_file_afil
   • raven2BG_event_upd_fake
   • raven2BG_event_upd_vk
   • raven2BG_event_upd_body
   • raven2BG_event_upd_afil
   • raven2BG_event_upd_packs
   • raven2BG_event_kw
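A host check for the Run value, the dropped copy and the named objects listed above, added here as an example and not part of Avira's description. It assumes it runs on the Windows host under examination and that %SYSDIR% is the current system directory:

```powershell
# Added example: look for the persistence value, dropped file and named objects
# from this description. Returns one string per artifact found (empty if none).
function Test-RavenArtifacts {
    $findings = @()
    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    # Assumption: %SYSDIR% is the current system directory
    $dropPath = Join-Path ([Environment]::SystemDirectory) 'msoff.exe'
    $names    = @(
        'raven2BG_mutex_file_fake', 'raven2BG_mutex_file_vk',
        'raven2BG_mutex_file_body', 'raven2BG_mutex_file_afil',
        'raven2BG_event_upd_fake',  'raven2BG_event_upd_vk',
        'raven2BG_event_upd_body',  'raven2BG_event_upd_afil',
        'raven2BG_event_upd_packs', 'raven2BG_event_kw'
    )

    # 1. Persistence: Run value "Microsoft Office" pointing at msoff.exe
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    $val = if ($run) { $run.'Microsoft Office' }
    if ($val -and $val -like '*msoff.exe*') {
        $findings += "Run value 'Microsoft Office' = $val"
    }

    # 2. Dropped copy in the system directory
    if (Test-Path -LiteralPath $dropPath) { $findings += "File present: $dropPath" }

    # 3. Named synchronisation objects. The description calls them all mutexes;
    #    the raven2BG_event_* names may be events, so both object types are tried.
    foreach ($name in $names) {
        foreach ($type in 'System.Threading.Mutex', 'System.Threading.EventWaitHandle') {
            try {
                $h = ([type]$type)::OpenExisting($name)
                $h.Dispose()
                $findings += "$type open: $name"
                break
            } catch [System.Threading.WaitHandleCannotBeOpenedException] {
                # not present as this object type
            } catch [System.UnauthorizedAccessException] {
                # exists but is not accessible from this context; still report it
                $findings += "$type exists (access denied): $name"
                break
            }
        }
    }
    return ,$findings
}

$hits = Test-RavenArtifacts
if ($hits.Count -gt 0) { $hits | ForEach-Object { Write-Warning $_ } } else { 'No artifacts found' }
```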

File details
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • FSG 2.0

Description inserted by Andrei Gherman on Wednesday, March 15, 2006
Description updated by Andrei Gherman on Wednesday, March 15, 2006
