
System Infected: Infostealer.Derusbi Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects network traffic related to Infostealer.Derusbi.

Additional Information

When the Trojan is executed, it creates the following copies of itself:

%System%\msimeasg.bpl
%System%\msimecty.bpl
%System%\msimenpo.bpl

It may then drop and execute the following file to provide rootkit functionality:
%System%\drivers\{BC87739C-6024-412c-B489-B951C2F17000}.sys (Hacktool.Rootkit)

It also creates the following file which is used to store the time of infection:
%Windir%\Temp\~DFTMP$$$$$$.1

The Trojan then creates the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc\Parameters\"ServiceDll" = "%Systemroot%\System32\msimeasg.bpl"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc\Parameters\"ServiceDll" = "%Systemroot%\System32\msimecty.bpl"

It may also create the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{BC87739C-6024-412c-B489-B951C2F17000}

It modifies the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\"netsvcs stisvc"
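As an added example (not part of the Symantec writeup), the following Python check parses a .reg export of the Services hive and flags the svchost ServiceDll hijack and the rootkit service key described above. It assumes the stock stisvc ServiceDll is wiaservc.dll (not stated on this page), and the sample export is constructed.

```python
import re

# Indicators quoted from the advisory above: dropped DLL names and the rootkit service GUID.
DERUSBI_DLLS = {"msimeasg.bpl", "msimecty.bpl", "msimenpo.bpl"}
ROOTKIT_SERVICE = "{BC87739C-6024-412c-B489-B951C2F17000}"
# Assumption (not from the advisory): the stock stisvc ServiceDll is wiaservc.dll.
EXPECTED_SERVICEDLL = {"stisvc": "wiaservc.dll"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: value}} (string values; '\\' unescaped)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        val_match = VALUE_RE.match(line)
        if val_match and current is not None:
            keys[current][val_match.group(1)] = val_match.group(2).replace("\\\\", "\\")
    return keys

def find_derusbi_indicators(reg_text):
    """Return (service, reason) pairs for hijacked svchost ServiceDll values and the rootkit key."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        parts = key.split("\\")
        leaf = parts[-1].lower()
        if leaf == ROOTKIT_SERVICE.lower():
            findings.append((parts[-1], "rootkit driver service key present"))
        if leaf == "parameters" and len(parts) >= 2 and "ServiceDll" in values:
            service = parts[-2]
            dll = values["ServiceDll"].split("\\")[-1].lower()
            if dll in DERUSBI_DLLS:
                findings.append((service, "ServiceDll is a known Derusbi DLL: " + dll))
            elif dll != EXPECTED_SERVICEDLL.get(service.lower(), dll):
                findings.append((service, "stock ServiceDll replaced by " + dll))
    return findings

# Constructed sample export: hijacked stisvc, a benign W32Time entry, and the rootkit key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\msimeasg.bpl"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\w32time.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{BC87739C-6024-412c-B489-B951C2F17000}]
"""
```

On a live host, feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` instead of SAMPLE_REG.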

Next, the Trojan attempts to connect to the following URLs:

[DOMAIN]/photos/photo.asp
[DOMAIN]/Query.asp?loginid=[AFFILIATE ID]
[DOMAIN]/Catelog/login1.asp

Where [DOMAIN] may be one of the following:

three.911223.com
proxy.smw.mhi.co.jp
three.812341.com
kb.xxuz.com
ibm2.mail-signin.com
lingdnsx.freecapperor.com

It then attempts to unregister services related to the following files, which may disrupt the operation of certain security programs:

mcshield.exe
vstskmgr.exe

The Trojan may then steal login credentials for the following applications:

Microsoft Outlook
Internet Explorer
MSN Messenger

It may also open a back door using a command shell.

Affected

  • Windows