TSPY_DERUSBI.AS
Win32/Derusbi.S (ESET)
Windows
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This spyware may arrive bundled with malware packages as a malware component.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This spyware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpSrv\Parameters
ServiceDll = "{malware path}"
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpSrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpSrv\Parameters
Other Details
This spyware connects to the following possibly malicious URL:
- http://{BLOCKED}.{BLOCKED}.43.96/user/atv.html
- http://www.{BLOCKED}oft-cache.com/{path}?{random numbers}&data={random letters}
NOTES:
Where {path} can be any of the following:
- money/ofcom-fines-nuisance-calls
- lifeandstyle/marmalade-paddington-sales-up-making-drinking
- world/video/shrien-dewani-arrives-uk-murder-trial-collapses-video
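Added example (not part of the Trend Micro entry, and not the malware's code): a Python check that covers both the Autostart Technique and the Other Details sections above. It flags the WinHelpSrv ServiceDll persistence in a constructed .reg-style export and picks out request URLs of the {path}?{random numbers}&data={random letters} shape in constructed proxy log lines. The export text, DLL paths and hostnames are all made up for the example; only the service name and the three paths come from this entry.

```python
import re

# Constructed .reg-style export excerpt (not a real capture); the DLL paths are made up.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpSrv\Parameters]
"ServiceDll"="C:\\Windows\\Temp\\svchelp.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="C:\\Windows\\System32\\dnsrslvr.dll"
"""
# Constructed proxy log lines; the hostnames are placeholders, not real indicators.
PROXY_LOG = [
    "GET http://www.placeholder-oft-cache.invalid/money/ofcom-fines-nuisance-calls?83921&data=qwlkj 200",
    "GET http://www.placeholder.invalid/news/index.html?id=5&data=42 200",
]
KNOWN_PATHS = {"money/ofcom-fines-nuisance-calls",
               "lifeandstyle/marmalade-paddington-sales-up-making-drinking",
               "world/video/shrien-dewani-arrives-uk-murder-trial-collapses-video"}
PARAM_KEY = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\\Parameters\]", re.I)
SERVICE_DLL = re.compile(r'"ServiceDll"="(.*)"$', re.I)
BEACON_URL = re.compile(r"^https?://[^/]+/(.+?)\?(\d+)&data=([A-Za-z]+)$")

def service_dlls(reg_text):
    """Return {service name (lowercased): ServiceDll path} from a .reg export."""
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := PARAM_KEY.match(line):
            current = m.group(1).lower()          # inside a Services\<name>\Parameters key
        elif line.startswith("["):
            current = None                        # some other key
        elif current and (m := SERVICE_DLL.match(line)):
            found[current] = m.group(1).replace("\\\\", "\\")
    return found

def suspicious_services(reg_text):
    """Flag the WinHelpSrv service name and any svchost DLL living outside System32."""
    return [(svc, dll) for svc, dll in service_dlls(reg_text).items()
            if svc == "winhelpsrv" or "\\system32\\" not in dll.lower()]

def beacon_urls(log_lines):
    """Return URLs shaped like {known path}?{digits}&data={letters}, as described above."""
    hits = []
    for line in log_lines:
        for token in line.split():
            m = BEACON_URL.match(token)
            if m and m.group(1) in KNOWN_PATHS:
                hits.append(token)
    return hits
```

On a live host the same ServiceDll check can be run against an export taken with `reg export HKLM\SYSTEM\CurrentControlSet\Services`; a ServiceDll under Temp or a user profile for a service name you do not recognise is the thing to chase.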