Analysis by: Sabrina Lei Sioting

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This hacking tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 207,874 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 28 May 2012

Arrival Details

This hacking tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This hacking tool drops the following files:

  • %System Root%\ProgramData\Microsoft\Windows\NetCC437.dll
  • %System Root%\ProgramData\Microsoft\Windows\QQlive.exe

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It creates the following folders:

  • %System Root%\ProgramData
  • %System Root%\ProgramData\Microsoft
  • %System Root%\ProgramData\Microsoft\Windows
  • %System Root%\ProgramData\Microsoft\Windows\Common

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Other System Modifications

This hacking tool adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Security\
Log
u={email address entered}|p={password entered} = "CBMail"

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_EVNTSYSAPP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\CliSysapp

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\EvntSysapp

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\metSvcUpdate

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NetMon

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RegUpdate

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SessionLog

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\W32Update