TSPY_THOPER.AD

This spyware may be dropped by other malware.

It does not have any propagation routine.

It does not have any backdoor routine.

It modifies the Internet Explorer Zone Settings.

It does not have any downloading capability.

It steals email account information.

It opens a hidden Internet Explorer window. It deletes the initially executed copy of itself.

Arrival Details

This spyware may be dropped by other malware.

Installation

This spyware drops the following copies of itself into the affected system:

• %System%\msimegub.bpl

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Le12xv10

It terminates the execution of the copy it initially executed and executes the copy it drops instead.

Autostart Technique

This spyware modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\stisvc
Start = "2"

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\stisvc\Parameters
ServiceDll = "%System%\msimegub.bpl"

(Note: The default value data of the said registry entry is %SystemRoot%\system32\wiaservc.dll.)

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{BC87739C-6024-412c-B489-B951C2F17000}
ImagePath = "\??\%System%\Drivers\{BC87739C-6024-412c-B489-B951C2F17000}.sys"

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{BC87739C-6024-412c-B489-B951C2F17000}

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\
LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}

Propagation

This spyware does not have any propagation routine.

Backdoor Routine

This spyware does not have any backdoor routine.

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Dropping Routine

This spyware drops the following files:

• %System%\drivers\{BC87739C-6024-412C-B489-B951C2F17000}.SYS - detected by Trend Micro as TROJ_NETHOOK.A

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Download Routine

This spyware does not have any downloading capability.

Information Theft

This spyware steals email account information.

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://feidc.{BLOCKED}ed.net:443/photos/photo.asp
• http://feidc.{BLOCKED}ed.net:443/Query.asp?loginid=112037

Other Details

This spyware opens a hidden Internet Explorer window.

It deletes the initially executed copy of itself

NOTES:

This spyware does not have rootkit capabilities.

This spyware does not exploit any vulnerability.