TSPY_TEPFER.DH

 Analysis by: Jasen Sumalapao

 ALIASES:

Trojan:Win32/Malex.gen!E (Mirosoft), Trojan-PSW.Win32.Tepfer.apmh (Kaspersky), Trojan.Smoaler (Symantec), Mal/NecursDrp-A (Sophos), Trojan.Generic.KDV.673626 (FSecure), Trojan.Win32.Generic!SB.0 (Sunbelt), W32/Tepfer.A!tr.pws (Fortinet)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses a file name similar to a legitimate file to pass as a legitimate file.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size:

87,584 bytes

File Type:

EXE

Initial Samples Received Date:

17 Jul 2012

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system and executes them:

  • %User Profile%\Application Data\svchost.exe
  • %User Profile%\Application Data\System32\csrss.exe
  • %User Profile%\Application Data\System32\rundll32.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %User Profile%\Application Data\System32

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It uses a file name similar to a legitimate file to pass as a legitimate file.

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Client Server Runtime Process = %User Profile%\Application Data\System32\csrss.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Host-process Windows (Rundll32.exe) = %User Profile%\Application Data\System32\csrss.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Service Host Process for Windows = %User Profile%\Application Data\svchost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Client Server Runtime Process = %User Profile%\Application Data\System32\csrss.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Host-process Windows (Rundll32.exe) = %User Profile%\Application Data\System32\csrss.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Service Host Process for Windows = %User Profile%\Application Data\svchost.exe

Other System Modifications

This spyware adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\BC Clients
{random 1 digit character} = {random garbage look alike characters}

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
Client Server Runtime Process = %User Profile%\Application Data\System32\csrss.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
Host-process Windows (Rundll32.exe) = %User Profile%\Application Data\System32\csrss.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
Service Host Process for Windows = %User Profile%\Application Data\svchost.exe

Other Details

This spyware deletes itself after execution.