Virus: TR/PSW.Small.BS.3
Date discovered: 12/09/2006
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 24.236 Bytes
MD5 checksum: 782aa60074ea0620b2c974bf9f17507a
VDF version: 6.35.01.216
IVDF version: 6.35.01.220 - Wednesday, September 13, 2006

General method of propagation:
   • No own spreading routine


Alias:
   • McAfee: Spy-Agent.bg


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Lowers security settings
   • Registry modification
   • Steals information
   • Third party control

Files:
It copies itself to the following location:
   • %WINDIR%\9129837.exe



It deletes the initially executed copy of itself.



The following file is created:

   • %WINDIR%\hide_evr2.sys

Further investigation showed that this file is malware, too. Detected as: TR/PSW.Small.BS.3

Registry:
The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • ttool = %WINDIR%\9129837.exe



The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\ControlSet001\Services\hide_evr2]
   • Type = 1
   • Start = 3
   • ErrorControl = 0
   • ImagePath = \??\%WINDIR%\hide_evr2.sys
   • DisplayName = !!!!

– [HKLM\SYSTEM\ControlSet001\Services\hide_evr2\Security]
   • Security = %hex values%

– [HKLM\SYSTEM\ControlSet001\Services\hide_evr2\Enum]
   • 0 = Root\LEGACY_HIDE_EVR2\0000
   • Count = 1
   • NextInstance = 1



The following registry key is added:

– [HKCU\Software\Microsoft\InetData]
   • k1 = %hex number%
   • k2 = %hex number%



The following registry key is changed:

Deactivates the Windows Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • Start = %user defined settings%
   New value:
   • Start = 4

Process termination:
The following service is disabled:
   • Security Center

Backdoor:
The following port is opened:

%WINDIR%\9129837.exe opens a random TCP port in order to provide a SOCKS 5 proxy server.


Contact server:
All of the following:
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********

As a result, it may send information and provide remote control.

Sends information about:
    • Cached passwords
    • Opened port
    • Collected information described in the stealing section


Remote control capabilities:
    • Download file
    • Execute file

Stealing:
It tries to steal the following information:
– Passwords typed into 'password input fields'
– Recorded passwords used by the AutoComplete function

Rootkit technology:
Hides the following:
– Its own process

– The following files:
   • 9129837.exe
   • hide_evr2.sys

– The following registry value:
   • ttool


Method used:
    • Hidden from the Windows API

Hooks the following API functions:
   • NtEnumerateValueKey / ZwEnumerateValueKey
   • NtQueryDirectoryFile / ZwQueryDirectoryFile
   • NtQuerySystemInformation / RtlGetNativeSystemInformation
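The following read-only check is an added example and not part of the original description: it looks for the persistence and configuration artifacts listed above on a live host. Paths and value names come from the description; the Security Center service name `wscsvc`, the use of `CurrentControlSet` in place of `ControlSet001`, and the `StartType` property (PowerShell 5.0 or later) are assumptions.

```powershell
# Added example: read-only artifact check for TR/PSW.Small.BS.3 (not the vendor's code).
$findings = @()

# Rootkit caveat: the driver hooks NtEnumerateValueKey, so enumerating the Run key
# may not list 'ttool'. Querying the value by name goes through a different path
# that the description does not list as hooked.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ttool = Get-ItemProperty -Path $runKey -Name 'ttool' -ErrorAction SilentlyContinue
if ($ttool) { $findings += "Run value 'ttool' -> $($ttool.ttool)" }

# Service key for the driver; the service key itself is not among the hidden items.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\hide_evr2'   # page lists ControlSet001
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -Name 'ImagePath' -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key hide_evr2 present, ImagePath = $img"
}

# Data key written by the trojan (k1 / k2 values).
if (Test-Path 'HKCU:\Software\Microsoft\InetData') {
    $findings += 'Key HKCU\Software\Microsoft\InetData present'
}

# Windows Firewall service (SharedAccess) forced to Start = 4 (disabled).
$sa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess' -Name 'Start' -ErrorAction SilentlyContinue
if ($sa -and $sa.Start -eq 4) { $findings += 'SharedAccess (Windows Firewall) Start = 4 (disabled)' }

# Security Center service state; 'wscsvc' is an assumed service name.
$wsc = Get-Service -Name 'wscsvc' -ErrorAction SilentlyContinue
if ($wsc -and $wsc.StartType -eq 'Disabled') { $findings += 'Security Center service (wscsvc) disabled' }

# File checks: NtQueryDirectoryFile is hooked, so directory listings hide the files;
# opening by exact name may still succeed. A negative result is not conclusive while
# the driver is loaded; confirm from an offline boot or a mounted disk image.
foreach ($name in '9129837.exe', 'hide_evr2.sys') {
    $path = Join-Path $env:WINDIR $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

if ($findings.Count -eq 0) {
    'No listed artifacts found (not conclusive while the rootkit driver is loaded).'
} else {
    $findings
}
```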

File details:
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Wednesday, September 27, 2006
Description updated by Andrei Gherman on Wednesday, September 27, 2006
