TSPY_URSNIF.HSNPS

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system. As of this writing, the said sites are inaccessible.

It connects to certain websites to send and receive information.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system and executes them:

• %System%\{8 character string}.exe

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It drops and executes the following files:

• %User Temp%\{random filename}.bat ← used to execute copy and delete itself

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Local\{GUID}

It injects codes into the following process(es):

• explorer.exe
• chrome.exe
• iexplore.exe
• firefox.exe

It terminates the execution of the copy it initially executed and executes the copy it drops instead.

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{8 character string} = "%System%\{8 character string}.exe"

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Vars

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Files

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}
{Value Name} = "{hex value}"

where {Value Name} may any of the following:
• Block
• Install
• Client
• {GUID}

Propagation

This spyware does not have any propagation routine.

Backdoor Routine

This spyware does not have any backdoor routine.

Dropping Routine

This spyware drops the following file(s), into which it saves gathered information:

• %User Temp%\{random filename}.tmp

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Download Routine

This spyware connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}ts.net/otz/zero.sig

It saves the files it downloads using the following names:

• %User Temp%\{random number}.exe <- will be renamed to %User Temp%\{random filename}.tmp after execution

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

As of this writing, the said sites are inaccessible.

Information Theft

This spyware gathers the following data:

• Computer Name
• Digital Certificates
• Cookies
• Keyboard Logs
• Clipboard Logs
• Captured Screenshot
• Email Credentials
• Running processes and services
• Installed device drivers
• Installed Programs
• System Information (Please see notes for more details)

Other Details

This spyware connects to the following website to send and receive information:

• http://{domain}/{r/g/q}{random}.php?{random}={b64 encoded data}
  where {domain} can be any of the following:
  • {BLOCKED}s.net
  • {BLOCKED}s.ru

It does the following:

• Save stolen information in a file and then upload it
• Monitor Internet browsing activities and steals crendentials and/or money from users when accessing targeted banks and/or financial institution depending on the web inject configuration received
• Hook APIs of target process
• Disable SPDY protocol in Mozilla Firefox
• Executes commands to gather information:
  • systeminfo.exe
  • tasklist.exe /SVC
  • driverquery.exe
  • reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
• Uninstall itself
• Tries to open and read the the following missing component files:
  • C:\00x0000.142.txt
• It terminates itself if it runs under a virtual machine or sandbox by checking the following strings against Plug and Play devices:
  
  • vbox
  • qemu
  • vmware
  • virtual hd
  
  

NOTES:

The variable {8 character string}is a combination of first four characters of the file name of a .DLL file and last four characters of another .DLL file in the Windows system folder.

The file systeminfo.exe returns the following system information:

• Host Name
• OS Name, Version, Manufacturer, Configuration and Build Type
• Registered Owner and Organization
• Product ID
• Original Install Date
• System Up Time
• System Manufacturer, Model and type
• Processor(s)
• BIOS version
• Windows and System directory
• Boot Device
• System and Input Locale
• Time Zone
• Total and Available Memory
• Virtual Memory information (Max, Available, In Use)
• Page file locations
• Domain
• Logon server
• Hotfix(es)
• Network card(s)