TSPY_NIVDORT.SM

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. As of this writing, the said sites are inaccessible.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

• %System%\{random filename 1}.exe
• %System%\{random filename 2}.exe
• %User Temp%\{random filename 3}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Autostart Technique

This spyware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Protocol Peer Hardware Audio Connection
ImagePath = "%System%\{random filename 1}.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Protocol Peer Hardware Audio Connection
DisplayName = "Protocol Peer Hardware Audio Connection"

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
List IP Authentication Enumerator Spooler = "%System%\{random filename 1}.exe"

Other System Modifications

This spyware modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

(Note: The default value data of the said registry entry is "0".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

(Note: The default value data of the said registry entry is "0".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

(Note: The default value data of the said registry entry is "0".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

(Note: The default value data of the said registry entry is "0".)

Process Termination

This spyware terminates the following processes if found running in the affected system's memory:

• jhprotominer.exe
• jhprotominer64.exe
• jhminer32.exe
• jhgeneric_256.exe
• jhcore2_256.exe
• jhcorei7_256.exe
• jhavx_256.exe
• jhbarcelona_256.exe
• jhbulldozerv1_256.exe
• jhbobcatv2_256.exe
• jhcore2_512.exe
• jhcorei7_512.exe
• jhavx_512.exe
• jhavx2_512.exe
• jhbarcelona_512.exe
• jhbulldozerv1_512.exe

Download Routine

This spyware connects to the following malicious URLs:

• http://{hostname}/forum/search.php?method=validate&mode=my&email={BLOCKED}u.{BLOCKED}ntinescu@{BLOCKED}software.ro&lici=&ver={value}
• http://{hostname}.{extension}/forum/search.php?method={action}&mode=sox&v={version}&sox={value}
  • where:
    • {hostname} is generated by concatenating two strings from the harcoded list.
    • {extension} can be any of the following:
      • com
      • net
• http://{hostname}/forum/search.php?method={action}&mode=sox&v={version}&sox={value}&lport={value}&rsid={soxy ID or NOSOXYID123 if no soxy ID}&slots={value}&spm={value}&adm={0 if not admin or 1 if admin)&x64={0 if 32bit or 1 if 64bit}&mr={value}

As of this writing, the said sites are inaccessible.

Other Details

This spyware drops the following file(s)/component(s):

• %Temp%\{random filename 4}.exe - deleted afterwards
• %System%\{random folder 1}\cfg - encrypted
• %System%\{random folder 1}\etc - encrypted
• %System%\{random folder 1}\lck - encrypted
• %System%\{random folder 1}\rng - encrypted
• %System%\{random folder 1}\run - encrypted
• %System%\{random folder 1}\tst - encrypted
• %System%\{random folder 1}\por - encrypted

(Note: %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp.. %System% is the Windows system folder, which is usually C:\Windows\System32.)

NOTES:

It modifies the hosts file.

The {hostname} is generated through concatenating two strings on the following lists:

• milk
• with
• arive
• upon
• quick
• sunday
• equal
• spoke
• tried
• duty
• south
• which
• then
• most
• group
• visit
• these
• case
• spot
• glad
• meat
• cloud
• watch
• dream
• sight
• head
• salt
• taken
• sick
• dark
• fair
• this
• know
• pick
• human
• yard
• hill
• felt
• hang
• join
• able
• song
• hair
• music
• whom
• look
• september
• wish
• room
• move
• went
• front
• three
• drink
• dead
• wrong
• sign
• jump
• spend
• offer
• lord
• wife
• rock
• made
• sorry
• their
• long
• wheel
• point
• none
• mouth
• shall
• fifty
• likr
• soil
• said
• call
• liar
• till
• deep
• fear
• table
• stick
• enemy
• well
• ring
• push
• along
• west
• lead
• ball
• life
• nose
• favor
• friday
• december
• tries
• lrstn
• field
• both
• tore
• week
• story
• after
• your
• view
• queen
• gain
• fall
• very
• weak
• force
• plant
• sense
• least
• month
• piece
• wait
• sell
• drive
• fill
• learn
• face
• walk
• much
• take
• wednesday
• nail
• stood
• shoe
• first
• moon
• ride
• lift
• ought
• sound
• taste
• show
• allow
• rule
• them
• happy
• considerable
• since
• wash
• sleep
• talk
• held
• fruit
• than
• noise
• mile
• sure
• hello
• shot
• live
• threw
• saturday
• shade
• loud
• kill
• october
• guess
• outer
• small
• green
• marry
• hand
• earth
• hunt
• gives
• hear
• best
• heat
• easy
• page
• below
• height
• shirt
• rain
• rise
• read
• pull
• king
• cause
• mine
• back
• serve
• cross
• thousand
• floor
• tree
• cloth
• dare
• august
• body
• blood
• about
• lose
• into
• price
• feel
• raise
• color
• hold
• never
• ocean
• start
• grow
• wild
• thank
• began
• step
• feet
• grown
• yesterday
• pure
• boat
• dish
• rest
• form
• gray
• touch
• army
• paid
• dance
• born
• tell
• daily
• child
• full
• place
• croud
• high
• reach
• only
• second
• nine
• have
• sing
• tear
• june
• city
• kind
• plain
• each
• black
• wedge
• march
• press
• july
• open
• agree
• april
• word
• edge
• weight
• under
• come
• feed
• goes
• voice
• light
• eight
• iron
• world
• roll
• octover
• road
• aunt
• wore
• great
• slept
• house
• prove
• tuesday
• usual
• stock
• teach
• reply
• fine
• home
• else
• grain
• state
• cold
• mark
• bone
• took
• monday
• nerve
• lend
• fool
• five
• gone
• they
• build
• enjoy
• deal
• horse
• mail
• scene
• where
• dont
• hers
• gift
• break
• peace
• could
• throw
• grave
• whole
• nice
• over
• important
• gold
• broke
• wrote
• news
• fire
• neck
• half
• food
• guide
• there
• tall
• stone
• next
• some
• wing
• today
• lady
• lower
• again
• wide
• sugar
• compe
• told
• fell
• wear
• hard
• uncle
• make
• loss
• hope
• slow
• thirteen
• help
• fifth
• free
• done
• other
• shown
• name
• meet
• late
• arms
• cook
• side
• been
• seven
• past
• such
• fish
• tomorrow
• pass
• kiss
• stand
• hour
• find
• count
• hurt
• clock
• study
• rush
• once
• left
• february
• hurry
• november
• shine
• forty
• knew
• wall

It checks if there is a running service/s with the string firewall.