TSPY_BOOTKOR.AF

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It creates an event. It deletes itself after execution.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following component file(s):

• %System%\gbp.ini
• %System%\golfinfo.ini
• %System%\{random filename1}.dll - also detected as TSPY_BOOTKOR.AF
• %System%\{random filename2}.exe - also detected as TSPY_BOOTKOR.AF
• %System%\{random filename1}.exe - also detected as TSPY_BOOTKOR.AF

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This spyware creates the following service using its DLL component:

• ServiceName={random}
• Binary Path="%SystemRoot%\System32\svchost.exe -k {random}"

Other System Modifications

This spyware modifies the following registry entries:

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Explorer\Shell Folders
Cookies = "C:\Documents and Settings\LocalService\Cookies"

(Note: The default value data of the said registry entry is "C:\Documents and Settings\NetworkService\Cookies".)

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Explorer\Shell Folders
Cache = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files"

(Note: The default value data of the said registry entry is "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files".)

It also creates the following registry entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
{random2} = "{random1}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random1}
NextInstance = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random1}\
0000
Service = "{random1}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random1}\
0000
Legacy = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random1}\
0000
ConfigFlags = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random1}\
0000
Class = "LegacyDriver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random1}\
0000
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random1}\
0000
DeviceDesc = "{random3}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random1}\
0000\Control
ActiveService = "{random1}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random1}
ImagePath = "%System%\svchost.exe -k {random2}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random1}
DisplayName = "{random3}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random1}\Parameters
ServiceDll = "%System%\{random filename1}.dll"

Information Theft

This spyware sends the gathered information to the following site/s using credentials from its configuration file:

• {BLOCKED}.{BLOCKED}.75.28
• {BLOCKED}.{BLOCKED}.109.4

Other Details

Based on analysis of the codes, it has the following capabilities:

• Collect system information and send to the specified remote servers.
• Update its copy.
• Capture Screenshots when the process PMCLIENT.EXE is found.

It checks for the presence of the following process(es):

• PMCLIENT.EXE

It creates the following event(s):

• "CupidIsInstalling"

It deletes itself after execution.