Analysis by: Vincent Martin Hermosura
ALIASES:

Trojan.Win32.Buzus.uigo (Kaspersky), Trojan-Spy.Agent (Ikarus), a variant of Win32/Injector.BLMU trojan (Esset)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 224,503 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 08 Sep 2014

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system and executes them:

  • %Application Data%\{random characters 1}\{random characters 2}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It creates the following folders:

  • %AppDataLocal%\Identities
  • %Application Data%\Microsoft\Address Book
  • %Application Data%\{random characters 1}
  • %Application Data%\{random characters 4}

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random CLSID} = "%Application Data%\{random characters 1}\{random characters 2}.exe"

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager

HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts

HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC

HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Bigfoot

HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign

HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\WhoWhere

HKEY_CURRENT_USER\Software\Microsoft\
WAB

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Privacy
CleanCookies = "dword:00000000"

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name
@ = "%Application Data%\Microsoft\Address Book\{user name}.wab"

It modifies the following registry entries:

HKEY_CURRENT_USER\Identities
Identity Ordinal = "dword:00000002"

(Note: The default value data of the said registry entry is dword:00000001.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\0
1609 = "dword:00000000"

(Note: The default value data of the said registry entry is dword:00000001.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
1406 = "dword:00000000"

(Note: The default value data of the said registry entry is dword:00000001.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
"dword:00000000" = dword:00000001

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\2
1609 = "dword:00000000"

(Note: The default value data of the said registry entry is dword:00000001.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1406 = "dword:00000000"

(Note: The default value data of the said registry entry is dword:00000003.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1609 = dword:00000000

(Note: The default value data of the said registry entry is dword:00000001.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\4
1406 = "dword:00000000"

(Note: The default value data of the said registry entry is dword:00000003.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\4
1609 = dword:00000000

(Note: The default value data of the said registry entry is dword:00000001.)

Other Details

This spyware drops the following file(s)/component(s):

  • %Application Data%\Microsoft\Address Book\{user name}.wab
  • %Application Data%\Microsoft\Address Book\{user name}.wab~
  • %User Temp%\{random characters 3}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)