Virus:TR/PSW.Bedruger.2
Date discovered:27/06/2005
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:23.184 Bytes
MD5 checksum:b49d3526ce011d76063d8081333a9ef4
VDF version:6.31.00.112

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: PWS-MMThief
   •  Kaspersky: Trojan-Spy.Win32.Agent.ei
   •  Sophos: Trojan-Spy.Win32.Agent.ei
   •  VirusBuster: trojan TrojanSpy.Agent.QJV
   •  Bitdefender: Trojan.Spy.Agent.EI


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own Email engine
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\SVCH0ST.EXE



It deletes the initially executed copy of itself.



The following files are created:

– Non-malicious file:
   • %SYSDIR%\mmdat.dat

– A file that is executed as soon as it has been fully written. Further investigation showed that this file is malware too; it is detected as TR/Spy.Agent.GD:
   • %SYSDIR%\ntdll32.dll

Registry
The following registry value is added, and re-added in an endless loop, so that the process runs again after a reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "SVCHOST"="%SYSDIR%\SVCH0ST.EXE"

RunServices is honoured only by Windows 95/98/ME; Windows NT, 2000, XP and 2003 ignore it, so on those systems the change to the exefile handler described next is what keeps the trojan running.



The following registry key is changed:

– [HKCR\exefile\shell\open\command]
   Old value:
   • @="\"%1\" %*"
   New value:
   • @="%SYSDIR%\SVCH0ST.EXE %1 %*"
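Both registry changes are cheap to audit from a `reg export` of the affected keys. The script below is an added example written for this page, not part of the original description or of any vendor tool: it parses a `.reg` export, reports an exefile open handler that deviates from the Windows default `"%1" %*`, and reports autostart entries (Run, RunOnce, RunServices, RunServicesOnce) whose image name imitates a system binary through digit-for-letter swaps, which is how SVCH0ST.EXE differs from the real svchost.exe. The two exports embedded in it are constructed for the example, with %SYSDIR% expanded to C:\WINDOWS\system32; SYSTEM_BINARIES and the confusable map are assumptions to adapt to your environment.

```python
import re
from typing import Dict, List, Optional

# Constructed .reg export, as `reg export` would write it on a host carrying the two
# changes described on this page (%SYSDIR% expanded to C:\WINDOWS\system32).
# Sample input for the example, not an export taken from a real infection.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SVCHOST"="C:\\WINDOWS\\system32\\SVCH0ST.EXE"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\SVCH0ST.EXE %1 %*"
'''

# The same keys on a clean host (constructed as well).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

CLEAN_EXEFILE_COMMAND = '"%1" %*'   # Windows default for exefile\shell\open\command
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                      "\\currentversion\\runservices", "\\currentversion\\runservicesonce")
# Assumption: a short list of commonly imitated system binaries; extend as needed.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})   # digit/letter swaps used in lookalike names

# One REG_SZ entry: @ or a quoted name, '=', and a quoted value with .reg escaping.
_ENTRY_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # Undo .reg escaping: doubled backslash -> backslash, \" -> "
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ entries of a .reg file into {key: {value_name: data}}."""
    result: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _ENTRY_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            result[current][name] = _unescape(m.group(2))
    return result


def image_name(command: str) -> str:
    """File name of the executable a command line starts with (quoted or not)."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        exe = command[1:command.index('"', 1)]
    else:
        exe = command.split()[0] if command.split() else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """System binary that `filename` imitates via confusable characters, if any."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    folded = name.translate(CONFUSABLES)
    for legit in SYSTEM_BINARIES:
        if folded == legit.translate(CONFUSABLES):
            return legit
    return None


def audit(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per suspicious entry; an empty list means nothing was found."""
    findings: List[str] = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith("\\exefile\\shell\\open\\command"):
            cmd = values.get("@", "")
            if cmd != CLEAN_EXEFILE_COMMAND:
                findings.append(f"exefile handler hijacked: {key} @={cmd!r} "
                                f"(expected {CLEAN_EXEFILE_COMMAND!r})")
        if k.endswith(AUTOSTART_SUFFIXES):
            for name, cmd in values.items():
                legit = lookalike_of(image_name(cmd))
                if legit:
                    findings.append(f"autostart {key}\\{name} runs {image_name(cmd)}, "
                                    f"a lookalike of {legit}")
    return findings


def audit_export(text: str) -> List[str]:
    return audit(parse_reg_export(text))


if __name__ == "__main__":
    for finding in audit_export(INFECTED_EXPORT):
        print(finding)
```

When cleaning a host, restore the exefile value to `"%1" %*` before deleting SVCH0ST.EXE: while the handler still points at the trojan, removing the file leaves the system unable to launch any .exe through the shell.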

Email
It has no spreading routine of its own, but it can send an email, most likely to the author. The characteristics are described below:


From:
The sender address is spoofed.
The sender of the email is the following:
   • mimathief@mimathief.com


To:
The recipient of the email is the following:
   • vicimax@163.com


Subject:
The following:
   • %chinese text%



Body:
The body of the email is the following:

   • %chinese text%: %stolen information%
     %visited URL%
     %chinese text%: %stolen information%
     %chinese text%: %stolen information%




Mailing
MX server:
It does not use the locally configured mail server; instead it delivers directly to the MX server of the recipient's domain:
   • 163.com
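Because delivery goes straight to the recipient domain's MX rather than through the site's mail server, the exfiltration shows up on the perimeter as a workstation opening outbound TCP/25 to the Internet. The Python below is an added example, not taken from this page or from any product: it parses syslog-style firewall lines and flags SMTP connections from internal hosts that are not designated mail relays to addresses outside the site. The log lines, the 10.0.0.0/8 site range, the relay 10.0.0.10 and the destination 203.0.113.25 (a documentation address standing in for an external MX) are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed firewall log lines in a syslog-like layout (not from any real device).
# 10.0.0.10 plays the site's mail relay; 203.0.113.25 stands in for an external MX.
SAMPLE_LOG = """\
Jun 27 10:01:12 fw1 ALLOW TCP 10.0.5.23:49152 -> 203.0.113.25:25 bytes=1834
Jun 27 10:01:13 fw1 ALLOW TCP 10.0.0.10:52000 -> 203.0.113.25:25 bytes=55120
Jun 27 10:02:40 fw1 ALLOW TCP 10.0.5.23:49153 -> 198.51.100.80:443 bytes=9021
Jun 27 10:03:01 fw1 ALLOW TCP 10.0.5.77:49200 -> 203.0.113.25:25 bytes=1790
Jun 27 10:03:05 fw1 ALLOW TCP 10.0.5.23:49154 -> 10.0.0.10:25 bytes=2210
Jun 27 10:03:09 fw1 DENY TCP 10.0.5.23:49155 -> 203.0.113.25:25 bytes=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<dev>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

INTERNAL = ipaddress.ip_network("10.0.0.0/8")           # assumption: the site's address space
MAIL_RELAYS = {ipaddress.ip_address("10.0.0.10")}      # assumption: hosts allowed to send SMTP out
SMTP_PORTS = {25, 465, 587}


def parse_line(line: str) -> Dict[str, str]:
    """Fields of one log line, or an empty dict for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else {}


def is_direct_to_mx(event: Dict[str, str]) -> bool:
    """True when an internal host that is not a relay talks SMTP to an outside address.
    Denied attempts count too: the attempt itself is the indicator."""
    if not event:
        return False
    src = ipaddress.ip_address(event["src"])
    dst = ipaddress.ip_address(event["dst"])
    return (src in INTERNAL and src not in MAIL_RELAYS
            and dst not in INTERNAL and int(event["dport"]) in SMTP_PORTS)


def direct_smtp_events(log_text: str) -> List[Dict[str, str]]:
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if is_direct_to_mx(e)]


def offenders(log_text: str) -> Dict[str, List[str]]:
    """Map each offending internal host to the external SMTP destinations it contacted."""
    hits: Dict[str, List[str]] = {}
    for e in direct_smtp_events(log_text):
        hits.setdefault(e["src"], [])
        if e["dst"] not in hits[e["src"]]:
            hits[e["src"]].append(e["dst"])
    return hits


if __name__ == "__main__":
    for host, dsts in offenders(SAMPLE_LOG).items():
        print(f"{host} sent SMTP directly to {', '.join(dsts)}")
```

The egress rule that produces the DENY line, permitting TCP/25 out only from the mail relays, is the control that stops this class of exfiltration outright; the detection is for the hosts that tried.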

Stealing
It tries to steal the following information:
– Passwords typed into password input fields

– A logging routine is started after a website is visited:
   • %any website that contains a login form%

– It captures:
   • Window information
   • Browser window
   • Login information

Injection
– It injects the following file into a process:
   • %SYSDIR%\ntdll32.dll

   Process name:
   • %all running processes%
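A DLL present in every running process is unusual enough to hunt for directly, and `tasklist /m` lists the modules of each process. The following Python is an added example, not from this page or from any vendor tool: it parses a `tasklist /m`-style listing (including the indented continuation lines that long module lists wrap onto), counts in how many processes each module appears, and reports modules outside a small baseline that are loaded in nearly all of them, which is the footprint of ntdll32.dll injected into every process. The listing is constructed for the example; BASELINE and the 80 % threshold are assumptions to tune per platform.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed `tasklist /m`-style listing (not captured from a real host). Long module
# lists wrap onto indented continuation lines, which the parser joins to their row.
SAMPLE_TASKLIST = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
smss.exe                       368 ntdll.dll
csrss.exe                      584 ntdll.dll, CSRSRV.dll, basesrv.dll, ntdll32.dll
winlogon.exe                   608 ntdll.dll, kernel32.dll, USER32.dll, ntdll32.dll
explorer.exe                  1492 ntdll.dll, kernel32.dll, USER32.dll, SHELL32.dll,
                                   ntdll32.dll
iexplore.exe                  2044 ntdll.dll, kernel32.dll, USER32.dll, WININET.dll,
                                   ntdll32.dll
SVCH0ST.EXE                   2100 ntdll.dll, kernel32.dll, WS2_32.dll, ntdll32.dll
"""

ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<modules>.+)$")
# Assumption: DLLs that legitimately sit in nearly every user-mode process on this platform.
BASELINE = {"ntdll.dll", "kernel32.dll", "user32.dll"}


def _split_modules(chunk: str) -> List[str]:
    return [p.strip().lower() for p in chunk.split(",") if p.strip()]


def parse_tasklist(text: str) -> Dict[Tuple[str, int], Set[str]]:
    """Return {(image, pid): set of lowercased module names}; N/A rows are dropped."""
    procs: Dict[Tuple[str, int], Set[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("=") or raw.startswith("Image Name"):
            continue
        if raw[0].isspace():            # wrapped continuation of the previous row
            if current is not None:
                procs[current].update(_split_modules(raw))
            continue
        m = ROW_RE.match(raw)
        if not m:
            continue
        if m.group("modules").strip() == "N/A":
            current = None
            continue
        current = (m.group("image").strip(), int(m.group("pid")))
        procs[current] = set(_split_modules(m.group("modules")))
    return procs


def module_prevalence(procs: Dict[Tuple[str, int], Set[str]]) -> Dict[str, int]:
    """Number of processes each module is loaded in."""
    counts: Dict[str, int] = {}
    for mods in procs.values():
        for mod in mods:
            counts[mod] = counts.get(mod, 0) + 1
    return counts


def ubiquitous_unknown_modules(procs: Dict[Tuple[str, int], Set[str]],
                               min_fraction: float = 0.8) -> List[Tuple[str, int]]:
    """Modules outside BASELINE loaded in at least min_fraction of the listed processes."""
    if not procs:
        return []
    threshold = min_fraction * len(procs)
    return sorted((mod, n) for mod, n in module_prevalence(procs).items()
                  if mod not in BASELINE and n >= threshold)


def hosts_of(procs: Dict[Tuple[str, int], Set[str]], module: str) -> List[str]:
    """Image names of the processes carrying a module, for follow-up such as dumping it."""
    return sorted(img for (img, _pid), mods in procs.items() if module.lower() in mods)


if __name__ == "__main__":
    listing = parse_tasklist(SAMPLE_TASKLIST)
    for mod, n in ubiquitous_unknown_modules(listing):
        print(f"{mod}: loaded in {n}/{len(listing)} processes: {hosts_of(listing, mod)}")
```

On a suspect host the same functions apply to the saved output of `tasklist /m`; a module that the hunt reports and that does not ship with the OS is the one to pull from disk and submit for analysis.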


Miscellaneous
Mutex:
It creates the following Mutex:
   • MimaThief

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • PEcompact

Description inserted by Gabriel Mustata on Friday, November 10, 2006
Description updated by Gabriel Mustata on Thursday, November 16, 2006
