TROJ_AGENT.WEE

This Trojan may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware.

Arrival Details

This Trojan may be downloaded by other malware/grayware/spyware from remote sites.

It may be dropped by other malware.

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
WIFIServiceAP = "{malware path and file name}"

NOTES:

Installation

This malware is normally installed under the following file names:

• %System%\wifiap.exe (other operating system versions)
• %User Profile%\temp\wifiap.exe (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)

It creates the following folders if the operating system is Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2:

• %User Profile%\temp

It drops the following files if the operating system is Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2:

• %User Profile%\temp\wifiap.dll
• %User Profile%\temp\wifimon.exe

If the operating system is other than the ones mentioned above, it drops the following files instead:

• %System%\wifiap.dll
• %System%\wifiap.exe

The dropped files are also detected by Trend Micro as TROJ_AGENT.WEE.

Other Details

It executes the following files:

• %System%\wifimon.exe (other operating system versions)
• %User Profile%\temp\wifimon.exe (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)

The dropped file wifimon.exe monitors the execution of the dropper file. If the dropper file terminates, it immediately executes a new copy of it.

If the dropped file wifimon.exe is executed with the command-line parameter -x, all executing copies of wifimon.exe will terminate.

It loads the dropped DLL %User Profile%\temp\wifiap.dll or %System%\wifiap.dll to execute the exported function iinit.

It executes the following file to get information about the system:

• %System%\systeminfo.exe

The gathered system information is composed of the following:

• Available Physical Memory
• BIOS Version
• Boot Device
• Domain
• Host Name
• Hotfix(s)
• Input Locale
• Logon Server
• NetWork Card(s)
• Original Install Date
• OS Build Type
• OS Configuration
• OS Manufacturer
• OS Name
• OS Version
• Page File Location(s)
• Processor(s)
• Product ID
• Registered Organization
• Registered Owner
• System Directory
• System Locale
• System Manufacturer
• System Model
• System type
• System Up Time
• Time Zone
• Total Physical Memory
• Virtual Memory: Available
• Virtual Memory: In Use
• Virtual Memory: Max Size
• Windows Directory

The gathered system information is encrypted and saved in the following files:

• %System%\WF-update.log (other operating system versions)
• %User Profile%\temp\WF-update.log (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)

The machine name and IP address are both encrypted and saved in the following file:

• %System%\wifiap.rif (other operating system versions)
• %User Profile%\temp\wifiap.rif (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)

It accesses the following URL to check if it can access its server:

• http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/xinit.php

It creates directories in the server by connecting to the following URL:

• http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/mkdir.php?dir=/img/parts/opt/tsu
• http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/mkdir.php?dir=/img/parts/opt/tsu/{computer name}-{IP address}
• http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/touch.php?dir=/img/parts/opt/tsu/{computer name}-{IP address}

It then checks if the gathered system information is already uploaded by connecting to the following URL, which returns the size of the file WF-update.log in the server:

• http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/fsize.php?name=/img/parts/opt/tsu/{computer name}-{IP address}/WF-update.log

If the returned file size is zero, it uploads the file %User Profile%\temp\WF-update.log or %System%\WF-update.log via HTTP POST to the following URL:

• http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/postit3.php

If the upload was successful, it deletes the following files:

• %System%\WF-update.log (other operating system versions)
• %User Profile%\temp\WF-update.log (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)

It accesses the following URLs to download and execute files:

• http://www.{BLOCKED}-trv.co.jp/img/parts/opt/srd/index.xl
• http://www.{BLOCKED}-trv.co.jp/img/parts/opt/tsu/{computer name}-{IP address}/b/index.xl

However, as of this writing, the two URLs only return an error, and files are not downloaded.

All replies from the server www.{BLOCKED}-trv.co.jp are temporarily saved in the following file:

• %System%\wifiap.$$$ (other operating system versions)
• %User Profile%\temp\wifiap.$$$ (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)