TSPY_TEPFER.DH
Trojan:Win32/Malex.gen!E (Mirosoft), Trojan-PSW.Win32.Tepfer.apmh (Kaspersky), Trojan.Smoaler (Symantec), Mal/NecursDrp-A (Sophos), Trojan.Generic.KDV.673626 (FSecure), Trojan.Win32.Generic!SB.0 (Sunbelt), W32/Tepfer.A!tr.pws (Fortinet)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It uses a file name similar to a legitimate file to pass as a legitimate file.
It deletes itself after execution.
TECHNICAL DETAILS
87,584 bytes
EXE
17 Jul 2012
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This spyware drops the following copies of itself into the affected system and executes them:
- %User Profile%\Application Data\svchost.exe
- %User Profile%\Application Data\System32\csrss.exe
- %User Profile%\Application Data\System32\rundll32.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
It creates the following folders:
- %User Profile%\Application Data\System32
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
It uses a file name similar to a legitimate file to pass as a legitimate file.
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Client Server Runtime Process = %User Profile%\Application Data\System32\csrss.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Host-process Windows (Rundll32.exe) = %User Profile%\Application Data\System32\csrss.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Service Host Process for Windows = %User Profile%\Application Data\svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Client Server Runtime Process = %User Profile%\Application Data\System32\csrss.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Host-process Windows (Rundll32.exe) = %User Profile%\Application Data\System32\csrss.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Service Host Process for Windows = %User Profile%\Application Data\svchost.exe
Other System Modifications
This spyware adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\BC Clients
{random 1 digit character} = {random garbage look alike characters}
It creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
Client Server Runtime Process = %User Profile%\Application Data\System32\csrss.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
Host-process Windows (Rundll32.exe) = %User Profile%\Application Data\System32\csrss.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
Service Host Process for Windows = %User Profile%\Application Data\svchost.exe
Other Details
This spyware deletes itself after execution.