search

BKDR_CIMUZ

September 04, 2013
 ALIASES:

Insebro, BHO

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet


The malware family CIMUZ is used to install a Browser Helper Object (BHO) in order to steal passwords, login credentials and financial information.

This spyware registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating registry keys/entries.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Steals information

Installation

This spyware drops the following files:

  • %System%\iebho.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This spyware registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{D032570A-5F63-4812-A094-87D007C23012}

HKEY_CURRENT_USER\Software\AppDataLow

HKEY_CURRENT_USER\Software\AppDataLow\
BHOinit
url = "http://{BLOCKED}ckupforu.com/dgabbana/"

HKEY_CURRENT_USER\Software\AppDataLow\
BHOinit
url2 = “http://{BLOCKED}ckupforu.com/dgabbana/"

HKEY_CURRENT_USER\Software\AppDataLow\
BHOinit
url = "http://{BLOCKED}forsafedd.com/pickit/”

HKEY_CURRENT_USER\Software\AppDataLow\
BHOinit
url2 = "http://{BLOCKED}forsafedd.com/pickit/”

HKEY_CURRENT_USER\Software\AppDataLow\
BHOinit
url = "http://{BLOCKED}ckupforu.com/gabbanauk/”

HKEY_CURRENT_USER\Software\AppDataLow\
BHOinit
url2 = "http://{BLOCKED}ckupforu.com/gabbanauk/”

HKEY_CURRENT_USER\Software\AppDataLow\
BHOinit
url = "http://{BLOCKED}evinovat.com/pteradaptelfan/"

HKEY_CURRENT_USER\Software\AppDataLow\
BHOinit
url2 = "http://{BLOCKED}evinovat.com/pteradaptelfan/"

Other System Modifications

This spyware adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{D032570A-5F63-4812-A094-87D007C23012}\
InprocServer32
@ = "%System%\iebho.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{D032570A-5F63-4812-A094-87D007C23012}\InprocServer32
@ = "%System%\iebho.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Enable Browser Extensions = "yes"

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{D032570A-5F63-4812-A094-87D007C23012}

HKEY_CLASSES_ROOT\CLSID\{D032570A-5F63-4812-A094-87D007C23012}

Other Details

This spyware connects to the following possibly malicious URL:

  • http://{BLOCKED}ickupforu.com/dgabbana/
  • http://{BLOCKED}ickupforu.com/gabbanauk/
  • http://{BLOCKED}iickupforu.com/dgabbana/
  • http://{BLOCKED}iickupforu.com/gabbanauk/
  • http://{BLOCKED}upforsafedd.com/pickit/
  • http://{BLOCKED}pforsafedd.com/pickit/
  • http://{BLOCKED}nevinovat.com/pteradaptelfan/
  • http://{BLOCKED}evinovat.com/pteradaptelfan/