Analysis by: Anthony Joe Melgarejo

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It bypasses the Windows firewall. This allows the malware to perform its intended routine without being detected by an installed firewall.

It retrieves specific information from the affected system.

  TECHNICAL DETAILS

File Size: 2,861,852 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 22 May 2014
Payload: Connects to URLs/IPs

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following files:

  • %System Root%\users\public\Public Document\aagj.bat - executes %All Users Profile%\Msn\Msn2\mdej.exe and cogj.reg
  • %System Root%\users\public\Public Document\abc.klm - FTP upload configuration
  • %System Root%\users\public\Public Document\stap.vbs - runs decj.bat
  • %System Root%\users\public\Public Document\decj.bat - initialize main routine (see notes for details)
  • %System Root%\users\public\Public Document\bar.zip - archive file (see notes for contents)
  • %System Root%\users\public\Public Document\cogj.reg - registry editor file
  • %System Root%\users\public\Public Document\iej.bat - runs dj.vbs
  • %System Root%\users\public\Public Document\dj.vbs - runs iewj.bat
  • %System Root%\users\public\Public Document\iewj.bat - detected as BAT_PASSTEAL.TY
  • %System Root%\users\public\Public Document\saj.vbs - runs icj.bat
  • %System Root%\users\public\Public Document\icj.bat - detected as BAT_PASSTEAL.TY
  • %System Root%\users\public\Public Document\image.exe - detected as HKTL_SXPASSDUMP
  • %System Root%\users\public\Public Document\images.exe - detected as HKTL_SXPASSDUMP
  • %System Root%\users\public\Public Document\picture viewer.exe - detected as HKTL_SXPASSDUMP
  • %All Users Profile%\Msn\Msn2\aagj.bat - used to execute %All Users Profile%\Msn\Msn2\mdej.exe and cogj.reg
  • %All Users Profile%\Msn\Msn2\abc.klm - FTP upload configuration
  • %All Users Profile%\Msn\Msn2\stap.vbs - runs decj.bat
  • %All Users Profile%\Msn\Msn2\decj.bat - initialize main routine (see notes for details)
  • %All Users Profile%\Msn\Msn2\bar.zip - archive file (see notes for contents)
  • %All Users Profile%\Msn\Msn2\cogj.reg - registry editor file
  • %All Users Profile%\Msn\Msn2\iej.bat - runs dj.vbs
  • %All Users Profile%\Msn\Msn2\dj.vbs - runs iewj.bat
  • %All Users Profile%\Msn\Msn2\iewj.bat - detected as BAT_PASSTEAL.TY
  • %All Users Profile%\Msn\Msn2\saj.vbs - runs icj.bat
  • %All Users Profile%\Msn\Msn2\icj.bat - detected as BAT_PASSTEAL.TY
  • %All Users Profile%\Msn\Msn2\image.exe - detected as HKTL_SXPASSDUMP
  • %All Users Profile%\Msn\Msn2\images.exe - detected as HKTL_SXPASSDUMP
  • %All Users Profile%\Msn\Msn2\picture viewer.exe - detected as HKTL_SXPASSDUMP

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)

It drops the following non-malicious files:

  • %System Root%\users\public\Public Document\crp.exe - Command Line File Crypter tool
  • %System Root%\users\public\Public Document\mdej.exe - Keep Running tool
  • %System Root%\users\public\Public Document\keeprun.ini - Keep Running tool config file
  • %System Root%\users\public\Public Document\unzip.exe - unzip tool
  • %All Users Profile%\Msn\Msn2\crp.exe - Command Line File Crypter tool
  • %All Users Profile%\Msn\Msn2\mdej.exe - Keep Running tool
  • %All Users Profile%\Msn\Msn2\keeprun.ini - Keep Running tool config file
  • %All Users Profile%\Msn\Msn2\unzip.exe - unzip tool

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)

It creates the following folders:

  • %System Root%\users\public\Public Document
  • %All Users Profile%\Msn
  • %All Users Profile%\Msn\Msn2

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
stat = "%All Users Profile%\Msn\Msn2\aagj.bat"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
stat7 = "%System Root%\Users\Public\Public Document\mdej.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
stat2 = "%All Users Profile%\Msn\Msn2\aagj.bat"

Other System Modifications

This spyware modifies the following registry entries to disable the Windows Firewall settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

(Note: The default value data of the said registry entry is 1.)

Information Theft

This spyware retrieves the following information from the affected system:

  • Email Passwords
  • Stored IE Passwords
  • Web Browser Passwords

Stolen Information

This spyware saves the stolen information in the following file:

  • %System Root%\users\public\Public Document\001-{date-yyyyddmm}_{time}.033 - retrieved Email passwords
  • %System Root%\users\public\Public Document\001-{date-yyyyddmm}_{time}.034 - retrieved IE passwords
  • %System Root%\users\public\Public Document\001-{date-yyyyddmm}_{time}.035 - retrieved web browser passwords

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Drop Points

This spyware uploads files to the following File Transfer Protocol (FTP) sites:

  • ftp.{BLOCKED}h.com
  • sherrif.{BLOCKED}3.com

Other Details

This spyware opens the following files:

  • %All Users Profile%\Msn\Msn2\pic.pdf - decoy PDF file
  • %System Root%\users\public\Public Document\pic.pdf - decoy PDF file

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

NOTES:

The file DECJ.BAT contains and initializes the following routines:

  • Opens decoy file
  • Terminates mdej.exe
  • Decrypt unzip.exe and bar.zip
  • Unzip bar.zip
  • Execute saj.vbs

The following are the contents of the file BAR.ZIP:

  • aagj.bat
  • cogj.reg
  • dj.vbs
  • icj.bat
  • iej.bat
  • iewj.bat
  • image.abc*
  • images.abc*
  • keeprun.ini
  • mdej.abc*
  • picture viewer.abc
  • saj.vbs

Some of the files mentioned in the list above have their file extensions replaced by .exe upon execution.

  SOLUTION

Minimum Scan Engine: 9.700

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove malware/grayware files dropped/downloaded by TSPY_PASSTEAL.TY. (Note: Please skip this step if the threats listed below have already been removed.)

    • BAT_PASSTEAL.TY
    • HKTL_SXPASSDUMP

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • stat = "%All Users Profile%\Msn\Msn2\aagj.bat"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • stat7 = "%System Root%\Users\Public\Public Document\mdej.exe"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • stat2 = "%All Users Profile%\Msn\Msn2\aagj.bat"

Step 5

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • From: EnableFirewall = "0"
      To: EnableFirewall = 1

Step 6

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %System Root%\users\public\Public Document
  • %All Users Profile%\Msn

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_PASSTEAL.TY. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.