Trojan.Stranget.B

Discovered: March 27, 2006
Updated: March 27, 2006 6:02:47 AM
Also Known As: Keylogger.Stranget.B [Symantec]
Systems Affected: Windows
CVE References: CVE-2006-1359

Trojan.Stranget.B is a Trojan horse that logs keystrokes, steals passwords and system information, and sends it to a remote attacker. It also downloads files and opens an FTP server by exploiting the Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (as described in BID 17196).

Antivirus Protection Dates

  • Initial Rapid Release version March 27, 2006
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version March 27, 2006
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date March 29, 2006

Writeup By: Kaoru Hayashi

Renamed from Keylogger.Stranget.B to Trojan.Stranget.B

It is reported that the Trojan horse is downloaded by another threat, Download.Fullalc, from the following Web site:
www.fullfatskinny.com

When the Trojan is executed, it creates the following copy of itself:
%Windir%\fyt\nm32.exe

The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ujm" = "%Windir%\fyt\nm32.exe"

It also creates the following registry entries as a mark of infection:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"InstallDate" = "[DATE THE TROJAN WAS RUN]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"InstallPath" = "[PATH FROM WHICH TROJAN WAS RUN]"

The Trojan also sets the following registry value, which stores the date and time it last downloaded an update:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"InfoDate" = "[DATE]"

Then, the Trojan creates and loads the following file, which contains its keylogging functionality:
%Windir%\fyt\mn32.dll

It is reported that the Trojan registers this .dll file as a Browser Helper Object by creating registry entries under the following subkeys:
HKEY_CLASSES_ROOT\AppID\{85B17391-3706-4454-B73F-38D6E74B0480}
HKEY_CLASSES_ROOT\AppID\FG.DLL
HKEY_CLASSES_ROOT\CLSID\{B4B1D862-DD79-47E6-B29B-2AD5A9A5D885}
HKEY_CLASSES_ROOT\CLSID\{FBFD2ED1-14EA-4D3A-B88E-DADF7C058766}
HKEY_CLASSES_ROOT\FG.FGHelper
HKEY_CLASSES_ROOT\FG.FGHelper.1
HKEY_CLASSES_ROOT\FG.SubHelper
HKEY_CLASSES_ROOT\FG.SubHelper.1
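As an added defender-side example that is not part of the Symantec writeup, the following PowerShell script checks a host for the file and registry indicators listed above (the Run value, the infection markers, the dropped files under %Windir%\fyt and the BHO subkeys). It only reads and reports; the function name is assumed.

```powershell
# Added example (not from the Symantec writeup): read-only host check for the
# Trojan.Stranget.B indicators described above. Function name is assumed.
function Find-StrangetIndicators {
    $findings = @()
    $fytDir = Join-Path $env:windir 'fyt'

    # 1. Persistence: Run value "ujm" pointing at %Windir%\fyt\nm32.exe
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['ujm']) {
        $findings += "Run value 'ujm' = $($run.ujm)"
    }

    # 2. Infection markers and update timestamp written under HKCU
    $cvKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
    $cv = Get-ItemProperty -Path $cvKey -ErrorAction SilentlyContinue
    foreach ($name in 'InstallDate', 'InstallPath', 'InfoDate') {
        if ($cv -and $cv.PSObject.Properties[$name]) {
            $findings += "Marker $name = $($cv.$name)"
        }
    }

    # 3. Dropped copy, keylogger DLL, keystroke/URL logs and staging files
    $files = @('nm32.exe', 'mn32.dll', 'kbd.txt', 'req.txt', '~url.exe',
               '~tmp636', '~view636', '~start636', '~ipcfg636', '~res636')
    foreach ($f in $files) {
        $p = Join-Path $fytDir $f
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }

    # 4. BHO registration: the AppID/CLSID/ProgID subkeys from the writeup
    $bhoKeys = @(
        'AppID\{85B17391-3706-4454-B73F-38D6E74B0480}', 'AppID\FG.DLL',
        'CLSID\{B4B1D862-DD79-47E6-B29B-2AD5A9A5D885}',
        'CLSID\{FBFD2ED1-14EA-4D3A-B88E-DADF7C058766}',
        'FG.FGHelper', 'FG.FGHelper.1', 'FG.SubHelper', 'FG.SubHelper.1'
    )
    foreach ($k in $bhoKeys) {
        $path = "Registry::HKEY_CLASSES_ROOT\$k"
        if (Test-Path -LiteralPath $path) { $findings += "Key present: $path" }
    }
    return $findings
}

$hits = @(Find-StrangetIndicators)
if ($hits.Count -eq 0) { 'No Trojan.Stranget.B indicators found.' }
else { $hits | ForEach-Object { "[!] $_" } }
```

Run it in the context of the user whose profile is suspected, since the Run value and markers live under HKEY_CURRENT_USER.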

The Trojan monitors URLs visited in browsers and watches for the following strings, which are stored encrypted in its body:
online
mail
ftp
web
acce
enter
login
pass
private
admin
magane
lead
mortg
corpora
panel
base
data
network
sql
terminal
connec
send

The Trojan stores logged keystrokes in the file %Windir%\fyt\kbd.txt.

The Trojan exploits the Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (as described in BID 17196).

The Trojan logs URLs visited with the corresponding request strings in the file %Windir%\fyt\req.txt.
The Trojan also downloads a file from a URL stored in its body, saves the file as %Windir%\fyt\~url.exe, and runs the file. The sample we received does not contain a URL, but this may change, as the Trojan is extensible.

The Trojan then creates the file %Windir%\fyt\~tmp636, in which it stores the following information gathered from the compromised computer:
Passwords gathered from Protected Storage
Cached passwords
Password hashes gathered from the SAM database
RAS phonebook entries

The Trojan then gathers system information by running shell commands and saving their output to files.

Next, the Trojan creates the file %Windir%\fyt\~view636, in which it stores the output of the command netstat -a -n.

The Trojan creates the file %Windir%\fyt\~start636, in which it stores the output of the command netstat -a -n.

The Trojan creates the file %Windir%\fyt\~ipcfg636, in which it stores the output of the command ipconfig /all.

The Trojan then copies the contents of the files ~view636, ~start636, ~ipcfg636, ~tmp636 into the file %Windir%\fyt\~res636.

The Trojan then attempts to send the file ~res636 to the remote attacker through email and FTP. The sample received contains a blank email address to send to, and it is reported that the Trojan contains its own SMTP engine to send information to an address in the mail.ru domain.

The Trojan uploads the file via FTP to the domain www.projecx.net.

The Trojan also sends the following files to the attacker via the above methods:
%Windir%\fyt\kbd.txt
%Windir%\fyt\req.txt

The Trojan then ends the following processes, some of which are security related:
ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
F-STOPW.EXE
FRW.EXE
FP-WIN.EXE
F-PROT95.EXE
F-PROT.EXE
FPROT.EXE
FINDVIRU.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE

The Trojan also downloads updates to itself at regular intervals. The sample received contains a blank IP or domain from which updates are downloaded.

The Trojan is extensible, and contains in its body some settings that dictate its behavior, and that the attacker may change in updates. The settings include the following:
Email address to which it sends files (The sample analyzed did not contain any.)
FTP server domain, IP, username, and password used to upload files (Some domains found in the sample analyzed that may have been used in the past are Inf-x.org, 66.98.132.67, and www.projecx.net.)
A list of strings to monitor
A URL that the Trojan will use to download and run a file
The port number it uses to start an FTP server
IP address used to download its updates
