Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This spyware hooks an API to evade detection. It gathers the browser cookies of the affected system. As a result, user credentials used may be stolen by the remote attacker.

It also has certain capabilities. It does not perform its routines if a specific registry key exists.

This spyware may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It opens a hidden instance of Internet Explorer to send stolen information to a certain site.

  TECHNICAL DETAILS

File Size: Varies
File Type: PE
Memory Resident: Yes
Initial Samples Received Date: 22 Sep 2011
Payload: Opens Internet Explorer window

Arrival Details

This spyware may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This spyware drops the following files:

  • %User Temp%\{random characters}.exe - TROJ_RAMNIT.SMUT

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

  • %User Startup%\{random characters}.exe
  • %Program Files%\{random characters}\{random characters}.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.. %Program Files% is the default Program Files folder, usually C:\Program Files.)

It creates the following folders:

  • %Program Files%\{random characters}

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It injects codes into the following process(es):

  • Default Internet browser

Autostart Technique

This spyware modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %Program Files%\{random characters}\{random characters}.exe"

(Note: The default value data of the said registry entry is %System%\userinit.exe,.)

Other System Modifications

This spyware deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot

Dropping Routine

This spyware drops the following files wherein it saves the information it gathers:

  • %Application Data%\{random characters}.log

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Information Theft

This spyware opens a hidden instance of Internet Explorer to send stolen information to the following site:

  • {BLOCKED}423dsarr.com
  • {BLOCKED}997664632974df.com

NOTES:

It hooks the following API to evade detection:

  • Ntdll!ZwWriteVirtualMemory

This spyware gathers the browser cookies of the affected system. As a result, user credentials used may be stolen by the remote attacker.

This spyware also has the capabilities:

  • Download other files
  • Update itself

It does not perform its routines if the following registry key exists:

HKEY_LOCAL_MACHINE\SOFTWARE\
WASAntidot

  SOLUTION

Minimum Scan Engine: 9.200

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by TROJ_ROOTER.DRL

     
    • TROJ_RAMNIT.SMUT

Step 3

Identify and delete files detected as TROJ_ROOTER.DRL using either the Startup Disk or Recovery Console

[ Learn More ]

Step 4

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • From: Userinit = %System%\userinit.exe, %Program Files%\{random characters}\{random characters}.exe
      To: Userinit = %System%\userinit.exe,

Step 5

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %Program Files%\{malware path}

Step 6

Search and delete this file

[ Learn More ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
  • %Application Data%\{random characters}.log

Step 7

Scan your computer with your Trend Micro product to delete files detected as TROJ_ROOTER.DRL. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

To Restore Safe Boot Registry Settings:

  1. Open Notepad. To do this, click Start>Run, type Notepad in the text box provided, then press Enter.
  2. Copy and paste the following script:

    For Windows 2000:


    For Windows XP:


    For Windows 2003:
  3. Save this file as C:\RESTORE.REG..
  4. Click Start>Run again, type C:\RESTORE.REG in the text box provided, then press Enter.
  5. Click Yes at the prompt of the message box to execute the .REG file.


Did this description help? Tell us how we did.

Related Malware