TROJ64_VBUZKY.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It injects its dropped file/component to specific processes.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following component file(s):

• %User Temp%\dll.dll - also detected as TROJ64_VBUZKY.A
• %System%\vBszKyhVp.dll - also detected as TROJ64_VBUZKY.A

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• vBszKyhV

It injects its dropped file/component to the following processes:

• svchost.exe
• winlogon.exe
• explorer.exe

Autostart Technique

This Trojan registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:

HKEY_LOCAL_MACHINEsystem\currentcontrolset\services\
vBszKyhV
ImagePath = "%system%\drivers\vBszKyhV2.sys"

Other System Modifications

This Trojan modifies the following file(s):

• appends .crypted to the encrypted files

It adds the following registry keys:

HKEY_LOCAL_MACHINE\Software\vBszKyhV

Download Routine

This Trojan accesses the following websites to download files:

• http://{BLOCKED}.{BLOCKED}.112.86/b7cc7b7b-7502-4eec-8a10-2776b43e1051
• http://{BLOCKED}.{BLOCKED}.112.86/a614ef1c-a9c8-48ad-911f-e44cb191c5af
• http://{BLOCKED}.{BLOCKED}.112.86/b273e158-8982-47e3-b47f-6e5b280920ee

It saves the files it downloads using the following names:

• %system%\drivers\vBszKyhV2.sys - also detected as TROJ64_VBUZKY.A
• vBszKyhV1.exe - also detected as TROJ64_VBUZKY.A
• vBszKyhV2.exe - also detected as TROJ64_VBUZKY.A
• vBszKyhV.dll - also detected as TROJ64_VBUZKY.A

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Information Theft

This Trojan gathers the following data:

• OS Version
• Screen resolution
• File versions of the follownig files:
  • win32k.sys
  • ntoskrnl.exe
  • ntkrnlpa.exe
  • ntkrnlmp.exe
  • ntkrpamp.exe

Stolen Information

This Trojan sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}.{BLOCKED}.93.16:9007/ar.do
• http://{BLOCKED}.{BLOCKED}.93.16:9007/fv.do

Other Details

This Trojan encrypts files with the following extensions:

• avi
• wmv
• aaf
• 3gp
• asf
• avchd
• dsh
• flv
• m1v
• m2v
• fla
• flr
• sol
• m4v
• mkv
• wrap
• mng
• mov
• mpeg
• mpg
• mpe
• mp4
• mxf
• roq
• nsv
• ogg
• rm
• svi
• smi
• swf

NOTES:

This Trojan downloads the lock screen image from any of the following URLs depending on the system's screen resolution:

• http://{BLOCKED}.{BLOCKED}.112.86/en/768x1024.bmp.gz
• http://{BLOCKED}.{BLOCKED}.112.86/en/1024x768.bmp.gz
• http://{BLOCKED}.{BLOCKED}.112.86/en/1152x864.bmp.gz
• http://{BLOCKED}.{BLOCKED}.112.86/en/1280x800.bmp.gz
• http://{BLOCKED}.{BLOCKED}.112.86/en/1280x1024.bmp.gz
• http://{BLOCKED}.{BLOCKED}.112.86/en/1366x768.bmp.gz

It attempts to use Shell_TrayWnd injection. It enables TESTSIGNING option of Windows 7. It then restarts the system after execution of all routines.

It displays the following lock screen image: