TEQUILA
Zopharp, BamCompiled
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
TEQUILA is bot malware that made headlines after targeting Mexico's financial institutions in 2010. The botnet particularly targeted the country's local PayPal site and its largest bank, Bancomer.
This malware connects to a C&C server in order to receive commands that control the affected system. These commands may include downloading configuration files, deleting files, sending messages via MSN Messenger, and downloading and executing other files.
It may steal information such as the IP address, IP location, country, and the computer name of the affected system.
This malware can download other malware like ZBOT and FAKEAV variants, making the affected system more vulnerable to other threats.
TECHNICAL DETAILS
Installation
This spyware drops the following files:
- %Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\register.bat
- %Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\register.vbs
- %Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\svxhost.exe
(Note: %Windows% is the Windows folder, usually C:\Windows on all Windows operating system versions.)
It creates the following folders:
- %Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svxhost = "%Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\svxhost.exe"
Other System Modifications
This spyware adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\WinRAR SFX
%Windows%WinSxS%x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53% = "%Windows%\WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53"
It adds the following registry keys as part of its installation routine:
HKEY_CURRENT_USER\Software\WinRAR SFX
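The dropped files, the folder, the Run value and the WinRAR SFX key above are all host-side indicators a responder can check directly. The following script is an added example written for this entry, not code from Trend Micro; it only reads the file system and registry and reports what it finds, using the paths and value names listed in the Installation, Autostart Technique and Other System Modifications sections. Note that the folder name imitates the legitimate Microsoft VC90 MFC side-by-side assembly naming (the public key token 1fc8b3b9a1e18e3b is Microsoft's), so a casual look at %Windows%\WinSxS will not flag it; the "svxhost" component name is the tell.

```powershell
# Added example (not part of the Trend Micro entry): read-only host check for the
# TEQUILA artifacts listed on this page. It reports indicators; it does not remediate.

# Paths taken from the entry; %Windows% is resolved via $env:SystemRoot.
$sxsDir  = Join-Path $env:SystemRoot 'WinSxS\x86_svxhost.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53'
$dropped = 'register.bat', 'register.vbs', 'svxhost.exe' | ForEach-Object { Join-Path $sxsDir $_ }
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$sfxKey  = 'HKCU:\Software\WinRAR SFX'

$findings = @()

# 1. Dropped folder and files (hash any file found so it can be submitted or matched later).
if (Test-Path -LiteralPath $sxsDir -PathType Container) {
    $findings += "Folder present: $sxsDir"
}
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += "File present: $f (SHA256 $hash)"
    }
}

# 2. Autostart: a Run value named 'svxhost', as documented above.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['svxhost']) {
    $findings += "Run entry: svxhost = $($run.svxhost)"
}

# 3. WinRAR SFX key: the self-extractor records its extraction path as a value name,
#    so look for any value name that mentions the svxhost assembly directory.
if (Test-Path -LiteralPath $sfxKey) {
    Get-Item -LiteralPath $sfxKey |
        Select-Object -ExpandProperty Property |
        Where-Object { $_ -like '*x86_svxhost.VC90.MFC*' } |
        ForEach-Object { $findings += "WinRAR SFX value: $_" }
}

# Report. A non-empty list means the host should be isolated and imaged before cleanup,
# since the bot can fetch further payloads (ZBOT, FAKEAV) on command.
if ($findings.Count -eq 0) {
    Write-Output 'No TEQUILA artifacts from this entry were found.'
} else {
    Write-Warning "Possible TEQUILA infection: $($findings.Count) indicator(s) found"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated PowerShell session on the suspect host; HKLM\...\Run is readable without elevation, but WinSxS and the hashing step are more reliable as an administrator. The WinRAR SFX check is deliberately a wildcard on the assembly name rather than an exact match, because the value name on the page is the SFX's own encoding of the path (backslashes shown as %) and may vary slightly across samples.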
Other Details
This spyware connects to the following possibly malicious URLs:
- http://www.{BLOCKED}ess.com/
- http://{BLOCKED}o.{BLOCKED}php.com/
- http://{BLOCKED}i.{BLOCKED}php.com/
- http://{BLOCKED}o.{BLOCKED}php.com/