Overview
This is a Trojan which installs a Layered Service Provider on the host system, possibly for the purpose of stealing online game account information.
|
Minimum DAT
4987 (2007-03-19) Updated DAT4987 (2007-03-19) |
Minimum Engine
5.1.00 File LengthVaries |
Description Added
2007-03-19 Description Modified2007-03-19 |
Malware Proliferation
Characteristics
This Trojan installs a Layered Service Provider (LSP) onto the host system. LSPs can have extensive access to view and/or modify data passing through the system's network protocol stacks. In this case, instead of appending itself as an element to the LSP stack, the malware takes the positions of the standard Windows rsvpsp.dll and mswsock.dll, taking over many functions. Though no additional network connections were observed during testing, analysis of the files suggest possible password stealing functionality is included, specifically centered around several popular online computer games. If this is true, it is likely the LSP would intercept and transmit game account and password information when one of the targeted games was run on the system.
The delicate nature of the LSP stack, and particularly cases like this where an existing system component is replaced, present special repair considerations. Please see directions for necessary additional manual procedures required in the Removal section.
System Changes
%SystemDir% = \WINDOWS\SYSTEM32 (Windows XP), \WINNT\SYSTEM32 (Windows NT/2000)
Files Added (names may vary)
- Dropper/Installer: ucx.exe (18 KB, MD5: 2BD1D3C42EFC95CD5CEC4A7829E5EF9C)
- %SystemDir%\ucx.exe (18 KB, MD5: 2BD1D3C42EFC95CD5CEC4A7829E5EF9C)
- %SystemDir%\rundlll.dll (102 KB, MD5: 7A3CF9893E1169AB37AEEF6DE10DC1EB)
Registry
The following registry keys are created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"remotecontrol"="C:\WINDOWS\system32\UCX.EXE" (data may vary) - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\XSTUDIO_TCPIPDOG
"1001"="%SystemRoot%\system32\mswsock.dll" (data may vary)
"1002"="%SystemRoot%\system32\mswsock.dll" (data may vary)
"1003"="%SystemRoot%\system32\mswsock.dll" (data may vary)
"1004"="%SystemRoot%\system32\rsvpsp.dll" (data may vary)
"1005"="%SystemRoot%\system32\rsvpsp.dll" (data may vary)
"PathName"="C:\WINDOWS\system32\rundlll.dll" (data may vary)
The following registry keys are modified:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
"PackedCatalogItem"=hex:(data varies) - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
"PackedCatalogItem"=hex:(data varies) - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
"PackedCatalogItem"=hex:(data varies) - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
"PackedCatalogItem"=hex:(data varies) - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
"PackedCatalogItem"=hex:(data varies) - [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
@=dword:0000000f
Symptoms
- Presence of the files previously mentioned.
- Presence of the registry keys or modifications previously mentioned.
Method of Infection
N/A. Trojans are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or other Trojans to be installed on the user's system.
Many of these additionally are mass spammed by the author to entice people into double-clicking on them.
Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Trojan onto the user's system with no user interaction).
Removal
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
The removal of this malware can break the normal operation of the TCP/IP stack due to registry key modifications. Instead of inserting an additional LSP, this malware variant replaces existing LSPs and stores the original LSP location in the registry.
This can be repaired manually by using the Registry Editor tool (REGEDIT.EXE). Locations to the original Layered Service Providers (LSP) are stored by the trojan at:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\XSTUDIO_TCPIPDOG
The values under this key named 100# correspond to the original Catalog_Entries\00000000000# PackedCatalogItem values. To repair, the text data from the values must converted to their hexadecimal equivalents and patched over the altered data at the beginning of each "PackedCatalogItem" value. Note that only the initial data needs to be altered, while leaving the rest of the large hex value the same. This will need to be done for each Catalog_Entries\00000000000# PackedCatalogItem value for which a corresponding XSTUDIO_TCPIPDOG 100# value exists.
Example: Using the Catalog_Entries\000000000001 PackedCatalogItem value.
Note that the first section of hexadecimal data below (bold) corresponds to the text "C:\WINDOWS\system32\rundlll.dll", the Trojan LSP file.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem"=hex:43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,\
32,5c,72,75,6e,64,6c,6c,6c,2e,64,6c,6c,00,6c,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,66,00,02,00,00,00,00,00,\
00,00,00,00,00,00,00,00,08,00,00,00,a0,1a,0f,e7,8b,ab,cf,11,8c,a3,00,80,5f,\
48,a1,92,e9,03,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,02,00,00,00,10,00,00,\
00,10,00,00,00,01,00,00,00,06,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,4d,00,53,00,41,00,46,00,44,00,20,00,54,00,63,00,70,\
00,69,00,70,00,20,00,5b,00,54,00,43,00,50,00,2f,00,49,00,50,00,5d,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00, ... (continues)
So, that altered section must be replaced with the original path data, which is stored by the Trojan in text format. In this case we want the "1001" value, as it corresponds to the Catalog_Entries\000000000001 value being repaired.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\XSTUDIO_TCPIPDOG
"1001"="%SystemRoot%\system32\mswsock.dll"
The text "%SystemRoot%\system32\mswsock.dll" is expressed in hexadecimal as:
25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,6d,73,77,73,6f,63,6b,2e,64,6c,6c
So, to restore this value, this hex data must be patched over the infected entry (bold), restoring it to the original state, while leaving the rest of the hex data the same:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem"=hex:25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,66,00,02,00,00,00,00,00,\
00,00,00,00,00,00,00,00,08,00,00,00,a0,1a,0f,e7,8b,ab,cf,11,8c,a3,00,80,5f,\
48,a1,92,e9,03,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,02,00,00,00,10,00,00,\
00,10,00,00,00,01,00,00,00,06,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,4d,00,53,00,41,00,46,00,44,00,20,00,54,00,63,00,70,\
00,69,00,70,00,20,00,5b,00,54,00,43,00,50,00,2f,00,49,00,50,00,5d,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00, ... (continues)
Variants