When the Trojan is executed, it copies itself as the following file:
%System%\[NAME OF AN EXISTING DLL]32.exe
It then drops the following files:
- %System%\[NAME OF AN EXISTING DLL]32.exe (W32.Mozipowp)
- %System%\[NAME OF AN EXISTING DLL]32.dll
- %UserProfile%\Application Data\SysWin\lsass.exe (W32.Mozipowp)
The Trojan then creates the following registry entries to register itself as a COM object:
- HKEY_CLASSES_ROOT\CLSID\{1811DBA0-25C3-4AF2-8504-31D35384D8Ec}\InprocServer32\"(Default)" = "%System%\[NAME OF AN EXISTING DLL]32.dll"
- HKEY_CLASSES_ROOT\CLSID\{1811DBA0-25C3-4AF2-8504-31D35384D8Ec}\InprocServer32\"ThreadingModel" = "Both"
- HKEY_CLASSES_ROOT\[RANDOM LETTERS]\CLSID\"(Default)" = "{c4c7969f-a03b-4f27-822b-0c2e90a111f6}"
If Firefox is installed on the computer, the threat installs itself as a Firefox extension by replacing the following files:
- %UserProfile%\Application Data\Mozilla\Firefox\Profiles\install.rdf
- %UserProfile%\Application Data\Mozilla\Firefox\Profiles\chrome\xulcache.jar
- %UserProfile%\Application Data\Mozilla\Firefox\Profiles\chrome\chrome.manifest
If Chrome is installed on the system, the threat installs itself as a Chrome extension by replacing the following files:
- %UserProfile%\Application Data\Google\Chrome\User Data\Default\[RANDOM LETTERS]\contentscript.js
- %UserProfile%\Application Data\Google\Chrome\User Data\Default\[RANDOM LETTERS]\manifest.json
By installing itself as extensions in the above Web browsers, it can redirect traffic when the user tries to visit a website with a URL that contains one of the following strings:
Traffic will be redirected to the following URL:
http://74.50.117.107/js/showpics.php
It also records information when the user visits a website whose URL contains any of the following strings:
- search.aol.com
- search.yahoo.com
- search.netscape.com
- bing.com
- search.lycos.com
- altavista.com
- alltheweb.com
- gigablast.com
- hotbot.com
- snap.com
- ask.com
- youtube.com/results
The Trojan then opens a back door on the compromised computer by connecting to a remote server and waiting for commands. The remote attacker can perform the following actions on the compromised computer:
- Download and execute remote files
- Control the web browser redirection parameters
- Steal information
It then creates the following registry entries to register itself as a system service:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler32\"DisplayName" = "Print Spooler "
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler32\"ErrorControl" = "0"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler32\"ImagePath" = "%System%\[NAME OF AN EXISTING DLL]32.exe"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler32\"ObjectName" = "LocalSystem"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler32\"Start" = "2"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler32\"Type" = "16"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler32\Security\"Security" = "[BINARY DATA]"
The service has the following characteristics (the service name Spooler32 and the trailing space in the display name distinguish it from the legitimate Print Spooler service, whose service name is Spooler):
Startup Type: Automatic
Image Path: %System%\[NAME OF AN EXISTING DLL]32.exe
Display Name: "Print Spooler " (note the trailing space)
The following registry entries, which Windows generates for a non-Plug and Play service of this kind, also appear; they are a useful artifact because they can remain after the Services key itself has been removed:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPOOLER32\"NextInstance" = "1"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPOOLER32\0000\"Class" = "LegacyDriver"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPOOLER32\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPOOLER32\0000\"ConfigFlags" = "0"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPOOLER32\0000\"DeviceDesc" = "Print Spooler "
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPOOLER32\0000\"Legacy" = "1"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPOOLER32\0000\"Service" = "Spooler32"
Next, the threat creates the following registry entries to add itself to the Windows Firewall exception list for both profiles, labelling the entry "Windows Update Service" so that it looks legitimate:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\"%System%\[NAME OF AN EXISTING DLL]32.exe" = "%System%\[NAME OF AN EXISTING DLL]32.exe:*:Enabled:Windows Update Service"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\[NAME OF AN EXISTING DLL]32.exe" = "%System%\[NAME OF AN EXISTING DLL]32.exe:*:Enabled:Windows Update Service"
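The artifacts listed above can be hunted for offline from two things an operator can collect on a suspect host: a file listing of %System% and a `reg export` of HKLM\SYSTEM\CurrentControlSet. The script below is an added example, not Symantec's code: it flags the [NAME OF AN EXISTING DLL]32.exe naming pattern, the Spooler32 service, the LEGACY_SPOOLER32 enumeration key, the COM CLSID and the firewall exception. The directory listing and registry export it runs on are constructed inline, and "mshtml" is an assumed stand-in for whatever existing DLL name a given sample picks.

```python
"""Hunt for the W32.Mozipowp persistence artifacts described above.

Added example, not Symantec's code. Inputs: a file listing of %System%
(e.g. `dir /b %SystemRoot%\\System32`) and the text of a registry export
(`reg export HKLM\\SYSTEM\\CurrentControlSet out.reg`). The sample data at
the bottom is constructed; 'mshtml32.exe' is an assumed instance of
'[NAME OF AN EXISTING DLL]32.exe'.
"""
import re

# Indicators taken from the write-up; the CLSID is compared case-insensitively.
COM_CLSID = "{1811DBA0-25C3-4AF2-8504-31D35384D8EC}"
SERVICE_NAME = "Spooler32"
FIREWALL_LABEL = "Windows Update Service"
FIREWALL_LIST_RE = re.compile(
    r"\\FirewallPolicy\\(Domain|Standard)Profile\\AuthorizedApplications\\List$", re.I)


def find_masquerading_binaries(system32_listing):
    """Return names of the form 'foo32.exe' for which 'foo.dll' also exists.

    The dropper names its copy after an existing DLL plus '32.exe', so such
    pairs in %System% are the first thing to triage; legitimate pairs are
    rare enough to check by hand.
    """
    names = {n.lower() for n in system32_listing}
    return sorted(n for n in names
                  if n.endswith("32.exe") and n[:-len("32.exe")] + ".dll" in names)


def _unescape(s):
    """Undo .reg quoting: backslashes and double quotes are escaped."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: value}}.

    Handles the encodings that matter here: quoted strings, dword, and
    hex(2) (REG_EXPAND_SZ as UTF-16LE bytes, possibly wrapped over several
    lines with a trailing backslash). Other value types are kept raw.
    """
    text = re.sub(r",\\\r?\n\s*", ",", text)  # re-join wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else _unescape(name.strip('"'))
            if raw.startswith('"') and raw.endswith('"'):
                value = _unescape(raw[1:-1])
            elif raw.startswith("hex(2):"):
                data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
                value = data.decode("utf-16-le").rstrip("\x00")
            elif raw.startswith("dword:"):
                value = int(raw[6:], 16)
            else:
                value = raw
            keys[current][name] = value
    return keys


def scan_reg_export(text):
    """Return human-readable findings for the registry indicators above."""
    reg = parse_reg_export(text)
    findings = []
    svc_key = f"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\{SERVICE_NAME}"
    svc = next((v for k, v in reg.items() if k.upper() == svc_key.upper()), None)
    if svc is not None:
        findings.append(f"service {SERVICE_NAME}: DisplayName={svc.get('DisplayName')!r} "
                        f"ImagePath={svc.get('ImagePath')!r}")
        # The genuine Print Spooler service is 'Spooler'; the rogue one copies
        # its display name with a trailing space so both can coexist.
        if str(svc.get("DisplayName", "")).endswith(" "):
            findings.append("DisplayName ends in a space (masquerading as Print Spooler)")
    if any(f"\\ENUM\\ROOT\\LEGACY_{SERVICE_NAME.upper()}" in k.upper() for k in reg):
        findings.append(f"Enum\\Root\\LEGACY_{SERVICE_NAME.upper()} present "
                        "(Windows creates this for the service; it can outlive the Services key)")
    for key, values in reg.items():
        if f"\\CLSID\\{COM_CLSID}" in key.upper():
            findings.append(f"COM CLSID {COM_CLSID} -> {values.get('(Default)')!r}")
        if FIREWALL_LIST_RE.search(key):
            for path, entry in values.items():
                parts = str(entry).rsplit(":", 3)  # path:scope:state:label
                if len(parts) == 4 and parts[3] == FIREWALL_LABEL:
                    findings.append(f"firewall exception for {path} labelled {FIREWALL_LABEL!r}")
    return findings


# Constructed sample inputs (not from a real host).
SAMPLE_SYSTEM32 = ["kernel32.dll", "ntdll.dll", "shell32.dll", "mshtml.dll",
                   "mshtml32.exe", "mshtml32.dll", "svchost.exe", "spoolsv.exe"]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler32]
"DisplayName"="Print Spooler "
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,25,00,5c,00,6d,00,\
  73,00,68,00,74,00,6d,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPOOLER32\0000]
"Class"="LegacyDriver"
"Service"="Spooler32"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mshtml32.exe"="C:\\WINDOWS\\system32\\mshtml32.exe:*:Enabled:Windows Update Service"

[HKEY_CLASSES_ROOT\CLSID\{1811DBA0-25C3-4AF2-8504-31D35384D8Ec}\InprocServer32]
@="C:\\WINDOWS\\system32\\mshtml32.dll"
"ThreadingModel"="Both"
"""

if __name__ == "__main__":
    for hit in find_masquerading_binaries(SAMPLE_SYSTEM32):
        print("suspicious pair in %System%:", hit)
    for finding in scan_reg_export(SAMPLE_REG):
        print(finding)
```

On a real host the Enum\Root\LEGACY_* check is the one most likely to fire after a partial clean-up, and the `*32.exe` / `.dll` pairing check needs a quick manual look at any hit before acting on it, since it is a naming heuristic rather than a signature.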
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":