TrojanSpy.Win32.BOYCHI.A

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

As of this writing, the said sites are inaccessible.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following folders:

• %AppDataLocal%\Microsoft\Outlooka\

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %AppDataLocal%\Microsoft\Outlooka\nlashine.ini
• %AppDataLocal%\Microsoft\Outlooka\SysInfo_UP_22_16_11.pdf
• %AppDataLocal%\Microsoft\Outlooka\UP{Driver Letter}

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "cmd /c systeminfo >> %AppDataLocal%\MICROS~1\Outlooka\SysInfo_UP_22_16_11.pdf"
• "powershell $dir = 'C:\Users\DYITUS~1\AppData\Local\MICROS~1\Outlooka\';$gps = @('A','B','C','D','E','F','G','H','I','H','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z');foreach ($gp in $gps){$drv = $gp + ':\';if([System.IO.Directory]::Exists($drv)){$path = $dir + '\UP' +$gp;tree /f "$drv" | Out-File -Encoding default-FilePath $path-Width 5000;} }
• "%System%\tree.com" /f {Available Driver Letter}:\

Autostart Technique

This Trojan Spy drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:

• %User Startup%\rdpclipe.exe.lnk
• %User Startup%\AWastUI.exe.lnk

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)

Download Routine

This Trojan Spy connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.48/ESOK/dwn.php?downfname=[(PC name)](user name)[IP address](random value}
• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.48/ESOK/del2.php?delfname=[(PC name)](usera name)[IP address](random value}

As of this writing, the said sites are inaccessible.

Information Theft

This Trojan Spy gathers the following data:

• System information.
• All file and folder names in every available drives.

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.48/ESOK/post2.php

Other Details

This Trojan Spy does the following:

• The malware attempts to establish a connection with a server using the GET command in order to verify its status.
  • http://{BLOCKED}.{BLOCKED}.{BLOCKED}.48/ESOK/up2.php

However, as of this writing, the said sites are inaccessible.