Virus: TR/Spy.Haxspy.AE
Date discovered: 21/07/2006
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 10,824 bytes
MD5 checksum: 9471026d4c6e1911e317af28ac259a6b
VDF version: 6.34.01.155
IVDF version: 6.34.01.161 - Tuesday, May 30, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Trojan.Goldun
   •  Kaspersky: Trojan-Spy.Win32.Haxspy.ae
   •  TrendMicro: TSPY_GOLDUN.AO
   •  VirusBuster: TrojanSpy.Haxspy.Y
   •  Bitdefender: Trojan.Spy.Haxspy.AE


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification
   • Steals information

Files
The following files are created:

%SYSDIR%\wndtx1.dll
This file is executed as soon as it has been fully written. Further analysis showed that it is malware, too. Detected as: TR/Dldr.Bolol.A.4

%SYSDIR%\ipudpb2.sys
The kernel driver registered as the ipudpb2 service below. Detected as: TR/Spy.Haxspy.AE

Registry
The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Control]
   • "isfr2"="[%random character string%[%current username% ]"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wndtx1]
   • "DllName"=wndtx1.dll
   • "Startup"="wndtx1"
   • "Impersonate"=dword:00000001
   • "Asynchronous"=dword:00000001
   • "MaxWait"=dword:00000001

   This registers wndtx1.dll as a Winlogon notification package: winlogon.exe, which runs as SYSTEM, loads the DLL at system start and calls the exported function named by "Startup" before any user logs on; "Asynchronous"=1 runs that call on its own thread so a hang does not block logon. Notification packages exist only on the NT family (Windows 2000, XP and 2003), so this persistence mechanism, like the kernel-driver service below, is only effective on those systems.

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2]
   • "Type"=dword:00000001
   • "Start"=dword:00000001
   • "ErrorControl"=dword:00000000
   • "ImagePath"=\??\%SYSDIR%\IPUDPB2.SYS
   • "DisplayName"="IP2 UDPB2"

   Type 1 with Start 1 registers ipudpb2.sys as a kernel-mode driver that is loaded early at system start. Note that the image sits directly in %SYSDIR% rather than in %SYSDIR%\drivers, where Windows keeps its own drivers.

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Enum]
   • "0"="Root\\LEGACY_IPUDPB2\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

   The Enum subkey, and the Root\LEGACY_IPUDPB2 device node it refers to, is written by the Plug and Play manager when a legacy driver service is started, so its presence shows that the driver has actually been loaded at least once.



The following registry key is changed:

– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]
   Old value:
   • "PendingFileRenameOperations"=%hex values%
   New value:
   • "PendingFileRenameOperations"=%hex values%

   PendingFileRenameOperations is a list of rename and delete operations that the Session Manager carries out at the next boot, before the files are opened by anything else; malware commonly uses it to remove its dropper or to replace a file that is in use. The entry this sample adds is not recorded here.
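As an added example (not part of the Avira description and not code taken from the malware), the following Python script sweeps a REGEDIT4-style text export, as written by `reg export`, for the two persistence artifacts listed above: a Winlogon notification package whose DLL is not on a baseline, and a kernel-driver service whose image is not under %SYSDIR%\drivers. It also checks file contents against the MD5 from the header. The embedded export, the paths it contains and the baseline DLL list are constructed for the example; build the real baseline from a clean reference machine.

```python
"""Offline sweep for the persistence artifacts described above.

Added example, not part of the Avira description or of the malware.
Parses a REGEDIT4-style text export (as written by `reg export`) and
flags (1) Winlogon Notify packages whose DLL is not on a baseline and
(2) kernel-driver services whose image is not under \\drivers\\.
"""
import hashlib

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SERVICE_KERNEL_DRIVER = 1

# Baseline of notification DLLs shipped with Windows XP (assumption for the
# example; build the real baseline from a clean reference machine).
KNOWN_NOTIFY_DLLS = {"wlnotify.dll", "crypt32.dll", "cryptnet.dll",
                     "cscdll.dll", "sclgntfy.dll"}

# MD5 of the sample, taken from the header of the description.
IOC_MD5 = "9471026d4c6e1911e317af28ac259a6b"

# Constructed export: one genuine XP Notify package and one genuine driver
# service next to the two keys this description lists. Hypothetical paths.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wndtx1]
"DllName"="wndtx1.dll"
"Startup"="wndtx1"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\DRIVERS\\tcpip.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipudpb2]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
  6d,33,32,5c,49,50,55,44,50,42,32,2e,53,59,53,00
"DisplayName"="IP2 UDPB2"
"""


def decode_value(raw):
    """Decode one REGEDIT4 value: quoted string, dword, or hex(2) expand-string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        # REGEDIT4 writes ANSI bytes; "Version 5.00" exports write UTF-16LE.
        enc = "utf-16-le" if len(data) > 1 and data[1] == 0 else "latin-1"
        return data.decode(enc).rstrip("\x00")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text):
    """Return {key path: {value name (lower-cased): decoded value}}."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):            # value continued on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"').lower()] = decode_value(raw)
    return keys


def suspicious_notify_packages(keys):
    """Winlogon Notify packages whose DLL is not on the baseline.

    winlogon.exe (SYSTEM) loads every package listed here at system start,
    so an unknown entry is a strong persistence indicator on 2000/XP/2003."""
    hits = []
    for path, values in keys.items():
        if path.startswith(NOTIFY_ROOT + "\\"):
            dll = str(values.get("dllname", ""))
            if dll.lower() not in KNOWN_NOTIFY_DLLS:
                hits.append((path.rsplit("\\", 1)[1], dll))
    return hits


def misplaced_kernel_drivers(keys):
    """Kernel-driver services (Type 1) whose image is not under \\drivers\\.

    Windows keeps its own drivers in %SYSDIR%\\drivers; this sample registers
    %SYSDIR%\\IPUDPB2.SYS directly."""
    hits = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_ROOT + "\\"):
            continue
        if values.get("type") != SERVICE_KERNEL_DRIVER:
            continue
        image = str(values.get("imagepath", ""))
        if "\\drivers\\" not in image.lower():
            hits.append((path.rsplit("\\", 1)[1], image))
    return hits


def md5_matches(data, expected=IOC_MD5):
    """True if the file contents hash to the IOC MD5 (fine for matching a
    known sample, not for proving integrity)."""
    return hashlib.md5(data).hexdigest() == expected.lower()


if __name__ == "__main__":
    found = parse_reg(SAMPLE_REG)
    for name, dll in suspicious_notify_packages(found):
        print(f"unknown Winlogon Notify package {name}: {dll}")
    for name, image in misplaced_kernel_drivers(found):
        print(f"kernel driver {name} loaded from outside \\drivers: {image}")
```

Run it against `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify` and `reg export HKLM\SYSTEM\CurrentControlSet\Services` taken from the suspect machine; the Notify check is the more reliable of the two, since legitimate third-party drivers occasionally live outside \drivers as well.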

Backdoor
Contact server:
The following:
   • http://www.salidol.biz/**********

It may send the collected information to this server and receive remote-control commands from it. Communication uses HTTP GET and POST requests to a PHP script on the server.


Sends information about:
    • Current user
    • Collected information described in stealing section
    • Information about the Windows operating system

Stealing
It tries to steal the following information:
– Passwords typed into password input fields

– A logging routine is started after one of the following websites is visited:
   • http://www.e-gold.com
   • %any HTTPS website that contains a login form%

– It captures:
    • Window information
    • Browser window
    • Login information

Injection
It injects the following file into processes: %SYSDIR%\wndtx1.dll

   Target processes:
   • iexplore.exe
   • %all processes started after malware is active in memory%

   Injection into every newly started process is consistent with the hooks on the process-creation system calls listed under Rootkit Technology below. Inside iexplore.exe the DLL can read form contents before TLS encryption, which is what capturing logins on HTTPS sites (see Stealing) requires.


Rootkit Technology
The malware uses rootkit techniques to hide its presence from system utilities, security applications and, in the end, from the user.


Hides the following:


Method used:
    • Hidden from Windows API

Hooks the following API functions:
   • NtCreateProcess
   • NtCreateProcessEx
   • ZwCreateProcess
   • ZwCreateProcessEx

   The Nt*/Zw* pairs are two names for the same system calls, so this is a hook on process creation; every new process passes through it, which matches the injection into all processes started after the malware is active.

File details
Runtime packer:
In order to hinder detection and reduce the file size, it is packed with the following runtime packer:
   • FSG

Description inserted by Monica Ghitun on Friday, July 21, 2006
Description updated by Monica Ghitun on Wednesday, August 2, 2006
