TSPY_HESBOT.E

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Windows%\{random foldername}\{random filename}.exe ← detected also as TSPY_HESBOT.E

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It adds the following processes:

• attrib.exe
• explorer.exe

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\lock_{random characters}
• Global\inst_{random characters}
• Global\{random characters}.mutex
• Global\{random characters}

It is injected into the following processes running in memory:

• (created) explorer.exe
• (original) explorer.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random name} = "%Windows%\{random foldername}\{random filename}.exe"

Dropping Routine

This Trojan drops the following files:

• %All Users Profile%\Application Data\Sun\{random characters}.bkp ← encrypted file
• %All Users Profile%\Application Data\{random folder name}\{random characters}.dat ← encrypted file

(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Information Theft

This Trojan gathers the following data:

• Computer name
• System install date
• System Version
• Processor information
• Machine GUID
• Digital Product ID

Other Details

This Trojan connects to the following URL(s) to check for an Internet connection:

• yahoo.com
• microsoft.com
• facebook.com
• wikipedia.org
• google.com

It connects to the following website to send and receive information:

• http://{BLOCKED}ost.net:443 - inaccessible

NOTES:

This spyware checks if the following files exist in the system before injecting its code:

• %System%\drivers\cmdguard.sys
• %System%\drivers\klif.sys

It injects its code through different methods depending on the existence of the said files.

This spyware has the capability to do any of the following:

• Download configuration file
• Download component malware
• Download updated copy of itself