Analysis by: Christopher Daniel So

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware.

  TECHNICAL DETAILS

File Size: Varies
File Type: PE
Memory Resident: Yes
Initial Samples Received Date: 05 Aug 2011
Payload: Drops files, Connects to URLs/IPs

Arrival Details

This Trojan may be downloaded by other malware/grayware/spyware from remote sites.

It may be dropped by other malware.

Autostart Technique

This Trojan adds the following registry entry to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
WIFIServiceAP = "{malware path and file name}"

NOTES:

Installation

This malware is normally installed under the following file names:

  • %System%\wifiap.exe (other operating system versions)
  • %User Profile%\temp\wifiap.exe (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)

It creates the following folders if the operating system is Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2:

  • %User Profile%\temp

It drops the following files if the operating system is Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2:

  • %User Profile%\temp\wifiap.dll
  • %User Profile%\temp\wifimon.exe

If the operating system is other than the ones mentioned above, it drops the following files instead:

  • %System%\wifiap.dll
  • %System%\wifiap.exe

The dropped files are also detected by Trend Micro as TROJ_AGENT.WEE.

Other Details

It executes the following files:

  • %System%\wifimon.exe (other operating system versions)
  • %User Profile%\temp\wifimon.exe (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)

The dropped file wifimon.exe monitors the execution of the dropper file. If the dropper file terminates, it immediately executes a new copy of it.

If the dropped file wifimon.exe is executed with the command-line parameter -x, all executing copies of wifimon.exe will terminate.

It loads the dropped DLL %User Profile%\temp\wifiap.dll or %System%\wifiap.dll to execute the exported function iinit.

It executes the following file to get information about the system:

  • %System%\systeminfo.exe

The gathered system information is composed of the following:

  • Available Physical Memory
  • BIOS Version
  • Boot Device
  • Domain
  • Host Name
  • Hotfix(s)
  • Input Locale
  • Logon Server
  • Network Card(s)
  • Original Install Date
  • OS Build Type
  • OS Configuration
  • OS Manufacturer
  • OS Name
  • OS Version
  • Page File Location(s)
  • Processor(s)
  • Product ID
  • Registered Organization
  • Registered Owner
  • System Directory
  • System Locale
  • System Manufacturer
  • System Model
  • System Type
  • System Up Time
  • Time Zone
  • Total Physical Memory
  • Virtual Memory: Available
  • Virtual Memory: In Use
  • Virtual Memory: Max Size
  • Windows Directory

The gathered system information is encrypted and saved in the following files:

  • %System%\WF-update.log (other operating system versions)
  • %User Profile%\temp\WF-update.log (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)

The machine name and IP address are both encrypted and saved in the following file:

  • %System%\wifiap.rif (other operating system versions)
  • %User Profile%\temp\wifiap.rif (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)

It accesses the following URL to check whether it can reach its server:

  • http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/xinit.php

It creates directories on the server by connecting to the following URLs:

  • http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/mkdir.php?dir=/img/parts/opt/tsu
  • http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/mkdir.php?dir=/img/parts/opt/tsu/{computer name}-{IP address}
  • http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/touch.php?dir=/img/parts/opt/tsu/{computer name}-{IP address}

It then checks whether the gathered system information has already been uploaded by connecting to the following URL, which returns the size of the file WF-update.log on the server:

  • http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/fsize.php?name=/img/parts/opt/tsu/{computer name}-{IP address}/WF-update.log

If the returned file size is zero, it uploads the file %User Profile%\temp\WF-update.log or %System%\WF-update.log via HTTP POST to the following URL:

  • http://www.{BLOCKED}-trv.co.jp/img/parts/opt/inp/postit3.php

If the upload was successful, it deletes the following files:

  • %System%\WF-update.log (other operating system versions)
  • %User Profile%\temp\WF-update.log (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)

It accesses the following URLs to download and execute files:

  • http://www.{BLOCKED}-trv.co.jp/img/parts/opt/srd/index.xl
  • http://www.{BLOCKED}-trv.co.jp/img/parts/opt/tsu/{computer name}-{IP address}/b/index.xl

As of this writing, however, both URLs return only an error and no files are downloaded.

All replies from the server www.{BLOCKED}-trv.co.jp are temporarily saved in the following files:

  • %System%\wifiap.$$$ (other operating system versions)
  • %User Profile%\temp\wifiap.$$$ (for Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2)
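The request sequence described above (xinit.php check-in, mkdir.php and touch.php staging, fsize.php size check, HTTP POST to postit3.php, then the index.xl download attempts) is distinctive enough to hunt for in web proxy logs. The following Python script is an added example, not part of the Trend Micro description and not code from the malware: it parses Common Log Format lines, recognises the C2 paths listed above, and reports per client which stages were seen and which {computer name}-{IP address} directory the client registered. The host name www.example-trv.co.jp and the lines in SAMPLE_LOG are constructed stand-ins; the real domain is masked as {BLOCKED} above.

```python
"""Hunt for the TROJ_AGENT.WEE check-in / upload sequence in proxy logs.

Added example, not part of the original write-up. The server name
www.example-trv.co.jp and SAMPLE_LOG are constructed; only the URL paths
come from the description.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Script name -> stage, taken from the URLs in the description.
STAGES = {
    "xinit.php": "check-in",      # reachability check
    "mkdir.php": "mkdir",         # creates /img/parts/opt/tsu/{name}-{ip}
    "touch.php": "touch",
    "fsize.php": "size-check",    # asks for the size of WF-update.log on the server
    "postit3.php": "upload",      # HTTP POST of the encrypted systeminfo output
}

# Common Log Format: client ident user [ts] "METHOD url HTTP/x" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
INP_RE = re.compile(r"/img/parts/opt/inp/(?P<script>\w+\.php)(?:\?(?P<query>.*))?$")
XL_RE = re.compile(r"/img/parts/opt/(?:srd|tsu/[^/]+/b)/index\.xl$")
# The per-victim directory is named "{computer name}-{IP address}".
VICTIM_RE = re.compile(r"/img/parts/opt/tsu/(?P<victim>[^/]+)")


def classify(url):
    """Map a request URL to (stage, victim_tag); (None, None) if unrelated."""
    path = url.split("://", 1)[-1]           # drop the scheme if a full URL was logged
    path = path[path.find("/"):] if "/" in path else "/"
    m = INP_RE.search(path)
    if m:
        query = unquote(m.group("query") or "")   # proxies may log %2F for /
        v = VICTIM_RE.search(query)
        return STAGES.get(m.group("script")), (v.group("victim") if v else None)
    if XL_RE.search(path):
        v = VICTIM_RE.search(path)
        return "download", (v.group("victim") if v else None)
    return None, None


def hunt(lines):
    """Per client: ordered stages seen, registered victim tag, download attempts, exfil flag."""
    report = defaultdict(lambda: {"stages": [], "victim": None,
                                  "download_attempts": 0, "exfiltrated": False})
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        stage, victim = classify(m.group("url"))
        if stage is None:
            continue
        entry = report[m.group("client")]
        if stage not in entry["stages"]:
            entry["stages"].append(stage)
        if victim and entry["victim"] is None:
            entry["victim"] = victim
        if stage == "download":
            entry["download_attempts"] += 1
        # A POST to postit3.php that the server accepted means WF-update.log left the network.
        if stage == "upload" and m.group("method") == "POST" and m.group("status") == "200":
            entry["exfiltrated"] = True
    return dict(report)


# Constructed sample: one infected client running the full sequence, one benign request.
SAMPLE_LOG = """\
10.1.2.3 - - [05/Aug/2011:10:00:01 +0900] "GET http://www.example-trv.co.jp/img/parts/opt/inp/xinit.php HTTP/1.1" 200 12
10.1.2.3 - - [05/Aug/2011:10:00:02 +0900] "GET http://www.example-trv.co.jp/img/parts/opt/inp/mkdir.php?dir=/img/parts/opt/tsu HTTP/1.1" 200 2
10.1.2.3 - - [05/Aug/2011:10:00:02 +0900] "GET http://www.example-trv.co.jp/img/parts/opt/inp/mkdir.php?dir=/img/parts/opt/tsu/WKS01-10.1.2.3 HTTP/1.1" 200 2
10.1.2.3 - - [05/Aug/2011:10:00:03 +0900] "GET http://www.example-trv.co.jp/img/parts/opt/inp/touch.php?dir=%2Fimg%2Fparts%2Fopt%2Ftsu%2FWKS01-10.1.2.3 HTTP/1.1" 200 2
10.1.2.3 - - [05/Aug/2011:10:00:03 +0900] "GET http://www.example-trv.co.jp/img/parts/opt/inp/fsize.php?name=/img/parts/opt/tsu/WKS01-10.1.2.3/WF-update.log HTTP/1.1" 200 1
10.1.2.3 - - [05/Aug/2011:10:00:04 +0900] "POST http://www.example-trv.co.jp/img/parts/opt/inp/postit3.php HTTP/1.1" 200 5
10.1.2.3 - - [05/Aug/2011:10:00:05 +0900] "GET http://www.example-trv.co.jp/img/parts/opt/srd/index.xl HTTP/1.1" 404 210
10.1.2.3 - - [05/Aug/2011:10:00:05 +0900] "GET http://www.example-trv.co.jp/img/parts/opt/tsu/WKS01-10.1.2.3/b/index.xl HTTP/1.1" 404 210
10.1.2.9 - - [05/Aug/2011:10:07:11 +0900] "GET http://www.example-trv.co.jp/index.html HTTP/1.1" 200 3120
"""

if __name__ == "__main__":
    for client, info in hunt(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

The victim tag recovered from the mkdir/touch/fsize query strings is the infected machine's own host name and IP address, which is handy for confirming which internal host sits behind a NAT or proxy address. A 404 on the index.xl paths matches the note above that the download URLs currently return an error; a 200 there would mean a second-stage payload was actually delivered.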

  SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 8.332.10
FIRST VSAPI PATTERN DATE: 05 Aug 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Identify and terminate files detected as TROJ_AGENT.WEE

  1. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  2. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Note that the dropped file wifimon.exe restarts the dropper whenever the dropper is terminated, so terminate wifimon.exe before the other detected processes; otherwise the dropper reappears immediately.

Step 3

Delete this registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • WIFIServiceAP={malware path and filename}

Step 4

Search and delete these files

There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
  • %User Profile%\temp\WF-update.log
  • %User Profile%\temp\wifiap.$$$
  • %User Profile%\temp\wifiap.rif
  • %System%\WF-update.log
  • %System%\wifiap.$$$
  • %System%\wifiap.rif
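Steps 2 to 4 can be scripted. The Python script below is an added example, not a Trend Micro tool and not code from the original page: it builds the artifact list from the OS-dependent locations given under Installation, stops the watchdog wifimon.exe before wifiap.exe (the description says the watchdog restarts the dropper whenever it exits), then removes the WIFIServiceAP Run value, the file that value points to, and the dropped files. The path-building, ordering and name-matching helpers run anywhere; the live cleanup is Windows-only and a dry run unless called with apply=True. Using taskkill instead of running wifimon.exe -x is the author's choice here, so that no sample binary is executed during cleanup.

```python
"""Scripted cleanup for TROJ_AGENT.WEE (added example, not a Trend Micro tool).

Order matters: wifimon.exe restarts the dropper whenever it terminates, so the
watchdog is stopped first. taskkill is used rather than "wifimon.exe -x" so
that no malware binary is executed during cleanup (author's choice).
"""
import os
import subprocess
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WIFIServiceAP"
# Files the description lists under %System% or %User Profile%\temp.
DROPPED_NAMES = ["wifiap.exe", "wifiap.dll", "wifimon.exe",
                 "WF-update.log", "wifiap.rif", "wifiap.$$$"]
# Watchdog first, then the dropper it would otherwise respawn.
KILL_ORDER = ["wifimon.exe", "wifiap.exe"]


def artifact_dir(vista_or_later, system_dir, user_profile):
    """%User Profile%\\temp on Vista / 2008 / 7 / 2008 R2, %System% on older Windows."""
    return os.path.join(user_profile, "temp") if vista_or_later else system_dir


def artifact_paths(vista_or_later, system_dir, user_profile):
    """Full paths of every dropped or generated file for this OS variant."""
    base = artifact_dir(vista_or_later, system_dir, user_profile)
    return [os.path.join(base, name) for name in DROPPED_NAMES]


def kill_order(running):
    """Subset of KILL_ORDER that is actually running, in the order to stop it."""
    names = {p.lower() for p in running}
    return [p for p in KILL_ORDER if p in names]


def is_autostart_ioc(value_name):
    """True for the Run value the family adds (case-insensitive name match)."""
    return value_name.lower() == RUN_VALUE.lower()


def running_processes():
    """Image names from 'tasklist /FO CSV /NH' (Windows only)."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=False).stdout
    return [line.split(",")[0].strip('"') for line in out.splitlines() if line.strip()]


def clean(apply=False):
    """Dry run by default; apply=True kills the processes, deletes the value and removes files."""
    if sys.platform != "win32":
        raise RuntimeError("live cleanup only runs on Windows")
    import winreg
    vista_or_later = sys.getwindowsversion().major >= 6
    system_dir = os.path.join(os.environ["SystemRoot"], "System32")
    paths = artifact_paths(vista_or_later, system_dir, os.environ["USERPROFILE"])

    # Step 2: watchdog first, otherwise the dropper is relaunched at once.
    for name in kill_order(running_processes()):
        print("kill", name)
        if apply:
            subprocess.run(["taskkill", "/F", "/IM", name], check=False)

    # Step 3: collect matching Run values before deleting, so enumeration indices stay valid.
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:
        hits, i = [], 0
        while True:
            try:
                value_name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            i += 1
            if is_autostart_ioc(value_name):
                hits.append((value_name, data))
        for value_name, data in hits:
            print("delete Run value", value_name, "=", data)
            if apply:
                winreg.DeleteValue(key, value_name)
        # The value data is "{malware path and file name}"; remove that file as well.
        paths += [data.strip('"') for _, data in hits]

    # Step 4: dropped files, logs and the encrypted reply cache.
    for path in paths:
        if os.path.exists(path):
            print("delete", path)
            if apply:
                os.remove(path)


if __name__ == "__main__":
    clean(apply="--apply" in sys.argv)
```

Run it once without --apply to see what would be touched, then with --apply. Running it as the infected user matters, because the Run value lives under HKEY_CURRENT_USER and %User Profile%\temp resolves per user.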

Step 5

Scan your computer with your Trend Micro product to delete files detected as TROJ_AGENT.WEE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


RECOMMENDATIONS

To actively detect and protect your machine, enable real-time scanning of your Trend Micro anti-malware product. Refer to the following Trend Micro support page to know more about enabling real-time scanning in your Trend Micro product.

Enable the firewall to protect against threats: How to enable or disable the Personal Firewall of Trend Micro (EN 1038273)

  • Be aware of social engineering attacks.
  • Regularly update list of sites that are trusted.
  • When a computer is compromised, isolate it immediately from the network.
  • Avoid downloading software cracks and/or pirated applications.

