TSPY_PHER
Nirava
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet
The PHER family of Trojans arrive as downloaded files from malicious sites. Its main purpose is to download other files on an affected system. The downloaded files are used to either steal information or cause system damage.
TECHNICAL DETAILS
Varies
Yes
Connects to URLs/IPs, Downloads files
Installation
This spyware drops the following copies of itself into the affected system:
- %Program Files%\mcmst\{malware name}.exe
- %Program Files%\{malware name}.exe
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It creates the following folders:
- %Program Files%\mcmst
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{malware name}.exe = "%Program Files%\mcmst\{malware name}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{malware name}.exe = "%Program Files%\{malware name}.exe"
Other System Modifications
This spyware adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\mcmst
date = "{date of execution}"
HKEY_LOCAL_MACHINE\SOFTWARE\sink
inchk = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\sink
"" =
HKEY_LOCAL_MACHINE\SOFTWARE\sink
inchkter = "1"
HKEY_LOCAL_MACHINE\SOFTWARE
inchk = "1"
HKEY_LOCAL_MACHINE\SOFTWARE
date = "{date executed}"
It adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\mcmst
HKEY_LOCAL_MACHINE\SOFTWARE\sink
Other Details
This spyware connects to the following possibly malicious URL:
- http://{BLOCKED}r.com/
- http://www.{BLOCKED}r.com/
- http://{BLOCKED}buri.kr/ver/pver.php