AIBATOOK
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
AIBATOOK variants are known for data theft or stealing banking account information. It may also gather infected system's information such as its MAC Address, operating system (OS) version, and it also checks if any anti-malware software is installed. The most common behavior of this family is that it drops its DLL component in the Application Data folder. It also drops an INI.INI file which serves as its configuration file. After the information has been gathered, it then connects and send the data to its C&C servers.
This spyware deletes registry entries, causing some applications and programs to not function properly.
TECHNICAL DETAILS
Installation
This spyware drops the following files:
- %Application Data%\{random file name}.dll
- %Application Data%\ini.ini
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Other System Modifications
This spyware adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
TcpIpCfg = "Rundll32 "%Application Data%\{random file name}.dll" MainThread"
It modifies the following registry key(s)/entry(ies) as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyEnable = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyOverride = ""
(Note: The default value data of the said registry entry is <-loopback>;.)
HKEY_CURRENT_CONFIG\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyEnable = "0"
(Note: The default value data of the said registry entry is 1.)
It deletes the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyServer = "http=127.0.0.1:8888;https=127.0.0.1:8888"
Other Details
This spyware connects to the following possibly malicious URL:
- http://www.{BLOCKED}001.info/ini.txt
- http://www.{BLOCKED}tj.info/mail.asp?MAC={MAC Address}&VER={OS Version}
- http://www.{BLOCKED}oo.com/get.asp?CardNum={Card Number}&Q1={Security Question 1}&A1={Answer to Security Question 1}&Q2={Security Question 2}&A2={Answer to Security Question 2}&LoginPass={Password}&PayPass={Password}&VER={Version}
- http://www.{BLOCKED}g.com/get.asp?CardNum={Card Number}&Q1={Security Question 1}&A1={Answer to Security Question 1}&Q2={Security Question 2}&A2={Answer to Security Question 2}&LoginPass={Password}&PayPass={Password}&VER={Version}