TROJ_BSCOPE.JW

 Analysis by: Jasen Sumalapao

 ALIASES:

Backdoor:Win32/Moudoor.C (Microsoft), Downloader (Symantec), Troj/Moudoor-A (Sophos), Gen:Variant.Strictor.4141 (FSecure), Trojan.Win32.Generic!BT (Sunbelt), PUA.Win32.Packer.Upx-28 (Clamav), W32/Farfli.OG (Fortinet), Win32.SuspectCrc (Ikarus), Win32/Farfli.OG trojan (NOD32), Trojan W32/Suspicious_Gen5.EZEZ (Norman)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

It deletes registry entries, causing some applications and programs to not function properly.

  TECHNICAL DETAILS

File Size:

90,624 bytes

File Type:

EXE

Initial Samples Received Date:

18 Jul 2012

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %User Temp%\svohost.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following file(s)/component(s):

  • %User Temp%\auto.dat

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It injects itself into the following processes running in the affected system's memory:

  • csrss.exe
  • lsass.exe

It terminates the execution of the copy it initially executed and executes the copy it drops instead.

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Update = %User Temp%\svohost.exe

Other System Modifications

This Trojan deletes the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
TabletWizard = %windir%\help\wizard.hta

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ctfmon.exe = %System%\ctfmon.exe

Backdoor Routine

This Trojan connects to the following URL(s) to send and receive commands from a remote malicious user:

  • {BLOCKED}.{BLOCKED}.155.59