Malware Trojan.Win32.Jorik.Carberp.hb

Posted: September 2, 2012 in Encyclopedia viruses

Trojan.Win32.Jorik.Carberp.hb is spyware designed to steal confidential user data.

Technical details

This spyware is designed to steal confidential user data. It is a Windows PE-EXE file, 233,867 bytes in size, packed with an unknown packer; the unpacked size is about 242 KB. It is written in C++.

Installation

Once launched, the Trojan removes hooks that have been installed in the System Service Descriptor Table (SSDT).

It then copies its body into the current user's Windows startup folder:

%Documents and Settings%\%Current User%\Start Menu\Programs\Startup\igfxtray.exe

so that a copy of the Trojan is launched automatically every time the system starts.

The copy's file timestamps are set to match those of:

%System%\smss.exe

To hide its executable file, the Trojan hooks the function:

NtQueryDirectoryFile

Destructive activity

The Trojan launches the file:

%WinDir%\explorer.exe

and injects malicious code into its address space. If the injection fails, the Trojan looks for a window with the class name "Shell_TrayWnd" (this window class belongs to the "explorer.exe" process), or enumerates all running processes and compares a hash of each process name against the hash of "explorer.exe" hard-coded in the Trojan's body.

The injected code in turn starts several instances of "svchost.exe" and injects into their address space the malicious code that implements the functionality described below. The original Trojan file is then deleted.

To inject malicious code into the address space of processes started on the system, the Trojan hooks the following function:

NtResumeThread

The Trojan keeps an open handle to its executable file:

%Documents and Settings%\%Current User%\Start Menu\Programs\Startup\igfxtray.exe

from the injected "svchost.exe" process, which blocks attempts to delete the file while that process is running. The Trojan connects to the following command-and-control server:

wwwii.ru

To counter antivirus products and competing botnets, the Trojan downloads the following plugins from the server:

wwwii.ru/cfg/stopav.psd
wwwii.ru/cfg/miniav.psd

The downloaded plugins are saved under the following names:

%Documents and Settings%\%Current User%\%ApplicationData%\igfxtray.dat
%Documents and Settings%\%Current User%\%ApplicationData%\igfxtrayhp.dat

It also downloads additional files from the command-and-control server:

wwwii.ru/get/key.html
wwwii.ru/<rnd1>.<rnd2>

where <rnd1> is a random sequence of letters, such as "qlfuhdisozhblucrrm" or "yojxmoixqogbprreocmbv", and <rnd2> is one of the following extensions:

.phtml .php3 .phtm .inc .7z .cgi .pl .doc .rtf .tpl .rar

Downloaded files are saved under the name "fi.dat":

%Documents and Settings%\%Current User%\%ApplicationData%\KYL\fi.dat
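The host name and URL shapes above are enough to write a proxy-log check. The following is an added example and not code from the original write-up: it classifies requests to the named C&C host against the fixed plugin and key paths and against the random-name download pattern, then runs over a few constructed access-log lines. The log column layout (timestamp, client, method, URL, status) is assumed, and the sample lines are made up.

```python
import re
from dataclasses import dataclass

# Added example: proxy-log detection for the C&C traffic described above.
# Host, fixed paths and extension list are taken from the write-up; the
# log column layout and the log lines themselves are constructed samples.

C2_HOST = "wwwii.ru"

# Fixed-path downloads named in the write-up (plugins and key.html).
KNOWN_PATHS = {"/cfg/stopav.psd", "/cfg/miniav.psd", "/get/key.html"}

# Random-name downloads: /<rnd1>.<rnd2>, <rnd1> a run of letters and
# <rnd2> one of the listed extensions.
RANDOM_EXTS = ("phtml", "php3", "phtm", "inc", "7z", "cgi", "pl",
               "doc", "rtf", "tpl", "rar")
RANDOM_PATH_RE = re.compile(
    r"^/([A-Za-z]+)\.(" + "|".join(re.escape(e) for e in RANDOM_EXTS) + r")$")

# Assumed access-log layout: "<unix_ts> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\b")
URL_RE = re.compile(r"^https?://([^/?#]+)([^?#]*)")


@dataclass(frozen=True)
class Hit:
    client: str
    url: str
    reason: str


def classify_url(url):
    """Return why a URL is suspicious under this family's C&C pattern, or None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group(1).lower().split(":")[0]   # drop an explicit port
    path = m.group(2) or "/"
    if host != C2_HOST:                       # exact host match; look-alikes do not count
        return None
    if path in KNOWN_PATHS:
        return "known plugin/key download"
    if RANDOM_PATH_RE.match(path):
        return "random-name module download"
    return "contact with C&C host"


def scan_log(lines):
    """Run classify_url over access-log lines and collect the matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines, do not raise
        _ts, client, _method, url, _status = m.groups()
        reason = classify_url(url)
        if reason:
            hits.append(Hit(client, url, reason))
    return hits


# Constructed sample log (not real traffic). The last line is a look-alike
# host that must NOT match.
SAMPLE_LOG = """\
1346580000.123 10.0.0.15 GET http://wwwii.ru/cfg/stopav.psd 200
1346580001.456 10.0.0.15 GET http://wwwii.ru/qlfuhdisozhblucrrm.php3 200
1346580002.789 10.0.0.22 GET http://example.com/index.html 200
1346580003.012 10.0.0.15 GET http://wwwii.ru/yojxmoixqogbprreocmbv.rar 404
1346580004.345 10.0.0.31 GET http://wwwii.ru.example.net/ 200
""".splitlines()

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.client}\t{h.reason}\t{h.url}")
```

Any contact with the host is reported, not only the listed paths, because the write-up says additional modules were not yet being served at the time of writing; the path classification only tells the analyst which stage of the infection the request belongs to. A 404 is still a hit: the client asked, which is what matters.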

At the time of writing, no additional modules were being served. Using the malicious code injected into the "svchost.exe" copies, the Trojan can carry out the following payload:

– Update its original file;

– Intercept all outgoing traffic to steal confidential user data by hooking the following functions system-wide:

InternetCloseHandle
InternetQueryDataAvailable
InternetReadFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW

– Collect information about the infected system:

– user name and computer name;

– full details of the installed processor;

– hardware profile;

– OS version;

– volume serial number of the system drive;

– IP address;

– physical (MAC) address;

– Steal cookies from the following browsers:

Microsoft Internet Explorer
Opera
Firefox

– Steal confidential user data when the resource being accessed matches the following patterns:

*bsi.dll*
*paypal.com*
*ibc*

– Capture screenshots while the user works with online banking, using its own built-in library. The image is compressed as JPEG and stored in the current user's Windows temporary directory under a temporary file name:

%Temp%\<tmp>.tmp

where <tmp> is a random alphanumeric sequence. The file is then saved as "screen.jpeg":

%Temp%\screen.jpeg

– Keep a log of keystrokes;

– Steal data from the Cyberplat payment system;

– Steal user credentials for the following internet banking, trading platform and remote banking (RBS) systems:

Raiffeisenbank
Faktura
iBank
PSB
BSS
cyberplat
BlackwoodPRO
FinamDirect
GrayBox
MbtPRO
Laser
LightSpeed
LTGroup
Mbt
ScotTrader
SaxoTrader

– Steal the following key and certificate files:

self.cer
secrets.key
cert.pfx
sign.cer
prv_key.pfx

– Store the stolen information in the file:

%Temp%\<tmp>.tmp

where <tmp> is a random alphanumeric sequence, and then write it to the file:

%Temp%\Information.txt

– The log has the following format:

Program: <program_name>
Wnd Name: <active_window_name>
Server: <address>:<port>
Password: <password>
Certificate: <certificate>
ClipBuffer: <history_of_characters_typed_by_the_user>

Using functions from the "cabinet.dll" library, the Trojan creates a CAB file named

%Temp%\CAB<tmp>.tmp

where <tmp> is a random alphanumeric sequence, and places the files with the stolen data in it. The Trojan then encrypts this file and sends it to the attacker's server. After the data has been sent, the file is deleted.

Removal

If your computer was not protected by an antivirus product and has been infected with this malware, do the following to remove it:

Restart the computer in Safe Mode (press and hold F8 at the start of the boot process, then select "Safe Mode" from the Windows boot menu).

Delete the following files:

%Documents and Settings%\%Current User%\Start Menu\Programs\Startup\igfxtray.exe
%Documents and Settings%\%Current User%\%ApplicationData%\igfxtray.dat
%Documents and Settings%\%Current User%\%ApplicationData%\igfxtrayhp.dat
%Documents and Settings%\%Current User%\%ApplicationData%\KYL\fi.dat

Clear the Temporary Internet Files directory, which may contain infected files.
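Before deleting anything it helps to confirm which of the listed artifacts are actually present, especially when the profile is being examined from a mounted disk image rather than the running system. The sweep below is an added example, not code from the original write-up. The relative paths are the ones the page names; taking the three profile roots as arguments instead of reading the environment is my choice, and the directory tree it builds for a stand-alone run is a constructed fixture.

```python
import os
import tempfile
from pathlib import Path

# Added example: host sweep for the file artifacts named in the removal
# steps. The relative paths are the page's; taking the three profile roots
# as arguments (instead of reading the environment) is my choice, so the
# same function can be pointed at a mounted disk image or, as below, at a
# constructed directory tree.

# Relative to the user profile, Application Data and Temp directories.
PROFILE_ARTIFACTS = [Path("Start Menu") / "Programs" / "Startup" / "igfxtray.exe"]
APPDATA_ARTIFACTS = [Path("igfxtray.dat"), Path("igfxtrayhp.dat"), Path("KYL") / "fi.dat"]
TEMP_ARTIFACTS = [Path("Information.txt"), Path("screen.jpeg")]


def find_artifacts(profile_root, appdata_root, temp_root):
    """Return the paths from the lists above that exist under the given roots.

    CAB<random>.tmp staging files in Temp are reported too; they exist only
    between packaging and exfiltration, so an empty result there is normal
    and a hit deserves a look before deletion.
    """
    found = []
    for root, rel_paths in ((profile_root, PROFILE_ARTIFACTS),
                            (appdata_root, APPDATA_ARTIFACTS),
                            (temp_root, TEMP_ARTIFACTS)):
        for rel in rel_paths:
            p = Path(root) / rel
            if p.is_file():
                found.append(p)
    temp = Path(temp_root)
    if temp.is_dir():
        found.extend(p for p in temp.glob("CAB*.tmp") if p.is_file())
    return found


def live_roots():
    """Roots for a live Windows host, taken from the standard environment variables."""
    return os.environ["USERPROFILE"], os.environ["APPDATA"], os.environ["TEMP"]


def build_sample_tree():
    """Constructed test fixture: a throwaway profile with three of the artifacts planted."""
    base = Path(tempfile.mkdtemp(prefix="carberp_sweep_"))
    profile, appdata, temp = base / "profile", base / "appdata", base / "temp"
    startup = profile / "Start Menu" / "Programs" / "Startup"
    for d in (startup, appdata / "KYL", temp):
        d.mkdir(parents=True)
    (startup / "igfxtray.exe").write_bytes(b"MZ")         # dummy content, not the Trojan
    (appdata / "KYL" / "fi.dat").write_bytes(b"\x00")
    (temp / "CAB1a2b.tmp").write_bytes(b"MSCF")            # CAB magic only
    return profile, appdata, temp


if __name__ == "__main__":
    roots = live_roots() if os.name == "nt" else build_sample_tree()
    for hit in find_artifacts(*roots):
        print(hit)
```

Two cautions when acting on the output. The write-up says an injected "svchost.exe" keeps a handle open on the Startup copy of igfxtray.exe, so deleting it from the running system will fail; identify it with the sweep, then remove it in Safe Mode as the steps above describe. And "igfxtray.exe" is also the name of a legitimate Intel graphics helper that lives in the system directory; only the copy in the user's Startup folder is the indicator here.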
