Virus: TR/PSW.Small.bs
Date discovered: 08/01/2007
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 19.240 Bytes
MD5 checksum: 73dc2446341699857aaf39489508f7d7
VDF version: 6.36.00.023
IVDF version: 6.36.00.033

General method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: FormSpy
   •  Kaspersky: Trojan-PSW.Win32.Small.bs
   •  Sophos: Mal/Behav-044
   •  Grisoft: PSW.Generic2.REJ
   •  Eset: Win32/PSW.Small.NAD
   •  Bitdefender: Generic.Malware.SBg.56DBD99F


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Drops a malicious file
   • Lowers security settings
   • Registry modification
   • Steals information
   • Third party control

Files:
It copies itself to the following location:
   • %WINDIR%\9129837.exe



It deletes the initially executed copy of itself.



The following files are created:

– %malware execution directory%\a.bat
   This batch file is executed as soon as it has been fully written; it is used to delete a file.
– %WINDIR%\hide_evr2.sys
   This file is executed as soon as it has been fully written. Further investigation showed that it is malware, too. Detected as: TR/PSW.Small.bs.SYS

Registry:
The following registry value is re-added in an infinite loop so that the process runs again after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "ttool"="%WINDIR%\9129837.EXE"



The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\hide_evr2\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\hide_evr2]
   • "Type"=dword:00000001
     "Start"=dword:00000003
     "ErrorControl"=dword:00000000
     "ImagePath"="\??\%WINDIR%\hide_evr2.sys"
     "DisplayName"="!!!!"

– [HKLM\SYSTEM\CurrentControlSet\Services\hide_evr2\Enum]
   • "0"="Root\\LEGACY_HIDE_EVR2\\0000"
     "Count"=dword:00000001
     "NextInstance"=dword:00000001



The following registry key is added:

– [HKCU\Software\Microsoft\InetData]
   • "k1"=%hex number%
   • "k2"=%hex number%



The following registry key is changed:

Deactivate Windows Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004
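As an added example (not part of the Avira description), the following Python script parses a Windows .reg export and flags the three registry changes listed above: the `ttool` Run value, the `hide_evr2` driver service, and the SharedAccess service set to Start=4, which disables the Windows Firewall/ICS service. The sample input is constructed from the values on this page; the expanded C:\WINDOWS path is an assumption.

```python
import re

# Constructed sample in .reg export syntax, built from the values in the description above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ttool"="C:\\WINDOWS\\9129837.EXE"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hide_evr2]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\??\\C:\\WINDOWS\\hide_evr2.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8})|(hex.*))$')
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

def parse_reg(text):
    """Return {KEY_PATH: {name: value}}; dwords become int, strings are unescaped."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            hive, _, rest = m.group(1).partition("\\")
            current = (HIVES.get(hive.upper(), hive) + "\\" + rest).upper()
            reg.setdefault(current, {})
        elif current is not None and (m := VAL_RE.match(line)):
            name, s, dword, blob = m.groups()
            reg[current][name] = int(dword, 16) if dword else (
                s.replace("\\\\", "\\") if s is not None else blob)
    return reg

def find_indicators(reg):
    """Flag the three registry changes the description attributes to the trojan."""
    hits = []
    run = reg.get(r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", {})
    for name, val in run.items():
        if name.lower() == "ttool" or "9129837.exe" in str(val).lower():
            hits.append(f"run-key persistence: {name}={val}")
    svc = reg.get(r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\HIDE_EVR2")
    if svc:  # Type 1 = kernel driver, Start 3 = demand start: this loads the rootkit driver
        hits.append(f"driver service hide_evr2: ImagePath={svc.get('ImagePath')}")
    sa = reg.get(r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS", {})
    if sa.get("Start") == 4:  # 4 = Disabled: the Windows Firewall/ICS service no longer starts
        hits.append("SharedAccess Start=4: Windows Firewall service disabled")
    return hits

def scan_sample():
    return find_indicators(parse_reg(SAMPLE_REG))
```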

Backdoor:
The following port is opened:

%WINDIR%\9129837.exe listens on a random TCP port in order to provide a SOCKS 4 proxy server.


Contact server:
All of the following:
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********
   • http://81.95.147.107/cgi-bin/**********

As a result it may upload information, and remote control can be provided. Communication uses HTTP GET and POST requests to a PHP script on the server.


Sends information about:
    • Cached passwords
    • Current malware status
    • Opened port
    • Collected information (see the Stealing section)
    • Username
    • Visited URLs


Remote control capabilities:
    • Upload file

Stealing:
It tries to steal the following information:
– Passwords typed into password input fields

– A logging routine is started after a website is visited:
   • %any website that contains a login form%

– It captures:
    • Login information

Miscellaneous:
Internet connection:

It performs DNS queries for the following names:
   • mc-in-f99.google.com
   • ip-147-107.rbnnetwork.com

Rootkit technology:
This is a malware-specific technique: the malware hides its presence from system utilities, security applications and, ultimately, from the user.


Hides the following:
– Its own process

– The following files:
   • %WINDIR%\9129837.exe
   • %WINDIR%\hide_evr2.sys

– The following registry value:
   • ttool


Method used:
    • Hidden from Windows API

Hooks the following API functions:
   • NtEnumerateValueKey/ZwEnumerateValueKey
   • NtQueryDirectoryFile/ZwQueryDirectoryFile
   • NtQuerySystemInformation/RtlGetNativeSystemInformation/ZwQuerySystemInformation

File details:
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Monica Ghitun on Monday, January 8, 2007
Description updated by Monica Ghitun on Tuesday, January 9, 2007
