Trojan:Win32/Sanusra.A
First posted on 09 December 2014.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Sanusra.A.
Explanation:
Threat behavior
Installation
The trojan is dropped to the following location by its installer:
%APPDATA% \Clip Converter\clipcnv.dll
It registers a Windows service so the DLL is loaded by rundll32.exe after installation and then automatically each time you start your PC. The value Type dword:00000010 is SERVICE_WIN32_OWN_PROCESS (a user-mode service, not a driver), Start dword:00000002 is SERVICE_AUTO_START, and ObjectName LocalSystem makes the service run as SYSTEM even though the DLL it loads sits in a user-writable profile directory:
In subkey: HKLM\SYSTEM\ControlSet001\Services\08ec64fe
Sets value: "ImagePath"
With data: "rundll32.exe" "%APPDATA%\\Clip Converter\\clipcnv.dll",serv
Sets value: "DisplayName"
With data: "ClipCnv"
Sets value: "ObjectName"
With data: "LocalSystem"
Sets value: "Type"
With data: dword:00000010
Sets value: "Start"
With data: dword:00000002
Sets value: "ErrorControl"
With data: dword:00000000
The trojan also creates the following configuration registry entries as part of its installation process:
In subkey: HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_08ec64fe
Sets value: "date"
With data: ""
Sets value: "dlpath"
With data: "%APPDATA%\\clipco~1\\clipcnv.dll"
Sets value: "svpath"
With data: "%APPDATA%\\Clip Converter\\clipcnv.dll"
Sets value: "Install_Dir"
With data: "%APPDATA%\\Clip Converter\\"
Sets value: "version"
With data: dword:015007da
Sets value: "uuid"
With data: "baadc0de-baadbeef-acc0e9de"
Sets value: "state"
With data: dword:00000000
Sets value: "mode"
With data: dword:f0000000
Sets value: "svn"
With data: "ClipCnv"
In subkey: HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_08ec64fe
Sets value: "uuid "
With data: "baadc0de-baadbeef-acc0e9de"
Sets value: "date"
With data: ""
Sets value: "data.0"
With data: ""
Sets value: "data.1"
With data: ""
Sets value: "usr.0"
With data: ""
Sets value: "usr.1"
With data: ""
Sets value: "uuid"
With data: "baadc0de-baadbeef-acc0e9de"
Sets value: "lrts"
With data: dword:00000000
Sets value: "mode"
With data: dword:f0000000
Sets value: "iiid"
With data: dword:00000001
In subkey: HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_08ec64fe
Sets value: "uuid "
With data: "baadc0de-baadbeef-acc0e9de"
Sets value: "date"
With data:
Sets value: "data.0"
With data:
Sets value: "data.1"
With data:
Sets value: "usr.0"
With data:
Sets value: "usr.1"
With data:
Sets value: "version"
With data: 015007da
Sets value: "uuid"
With data: "baadc0de-baadbeef-acc0e9de"
Sets value: "state"
With data: 00000000
Sets value: "lrts"
With data: 00000000
Sets value: "mode"
With data: f0000000
Sets value: "svn"
With data: "ClipCnv"
Sets value: "svx"
With data: ""
Sets value: "svi"
With data: 00000000
Sets value: "svt"
With data: 546bd04d
Sets value: "iiid"
With data: 00000001
Sets value: "dlpath"
With data: "%APPDATA%\\clipco~1\\clipcnv.dll"
Sets value: "svpath"
With data: "%APPDATA%\\Clip Converter\\clipcnv.dll"
Sets value: "Install_Dir"
With data: "%APPDATA%\\Clip Converter\\"
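The service and configuration values above are what a responder pulls from a live host or from a registry export taken off a disk image. The Python script below is an added example written for this page; it is not Microsoft's tooling and is not part of the original write-up. It parses the text that `reg export` writes, decodes the service control values the page lists (Type, Start, ObjectName, ImagePath) into their SERVICE_* names, and flags the combination that makes this persistence worth attention. The embedded export is constructed from the values on this page rather than captured from an infected machine, and the decoding of `svt` as a 32-bit Unix timestamp is an assumption, since the page does not say what that value encodes.

```python
"""Offline triage of Sanusra.A persistence artifacts from a .reg export.

Added example for this page (not Microsoft's tooling): parses the text that
`reg export` writes, decodes the service control values the page lists and
flags the combination that matters: a DLL in a user-writable profile
directory, hosted by rundll32.exe, as an auto-start service running as SYSTEM.
"""
import re
from datetime import datetime, timezone

# Constructed sample, not a real capture: the keys and values from this page in
# reg export syntax. "svn" is written as hex(2) (REG_EXPAND_SZ, UTF-16LE bytes
# with a line continuation) so that path of the parser is exercised too.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\08ec64fe]
"ImagePath"="\"rundll32.exe\" \"%APPDATA%\\Clip Converter\\clipcnv.dll\",serv"
"DisplayName"="ClipCnv"
"ObjectName"="LocalSystem"
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_08ec64fe]
"svn"=hex(2):43,00,6c,00,69,00,70,00,\
  43,00,6e,00,76,00,00,00
"svt"=dword:546bd04d
"uuid"="baadc0de-baadbeef-acc0e9de"
"svpath"="%APPDATA%\\Clip Converter\\clipcnv.dll"
'''

# SERVICE_* constants as defined in winnt.h / winsvc.h
SERVICE_TYPE = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
CONFIG_GUID = "{12DA0E6F-5543-440C-BAA2-28BF01070AFA}"  # config key named on this page


def decode_value(raw):
    """Decode one reg-export value: quoted REG_SZ, dword:, or hex(2) (REG_EXPAND_SZ)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])  # undo .reg escaping of \ and "
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other hex(...) types are left as text


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a Windows Registry Editor 5.00 export."""
    # A trailing backslash after a comma continues a hex value on the next line.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def triage_service(key_path, values):
    """Decode one Services subkey and list the reasons it looks like this trojan."""
    findings = []
    image = str(values.get("ImagePath", ""))
    start = START_TYPE.get(values.get("Start"), "unknown")
    account = values.get("ObjectName", "")
    if "rundll32" in image.lower() and ".dll" in image.lower():
        findings.append("rundll32.exe used as the service host for a DLL: " + image)
    if re.search(r"%appdata%|\\appdata\\", image, re.I):
        findings.append("service binary lives in a user-writable profile directory")
    if start == "SERVICE_AUTO_START" and account == "LocalSystem":
        findings.append("auto-start service running as LocalSystem")
    if re.fullmatch(r"[0-9a-f]{8}", key_path.rsplit("\\", 1)[-1]):
        findings.append("service name is a bare 8-hex-digit token (heuristic only)")
    return {"type": SERVICE_TYPE.get(values.get("Type"), "unknown"), "start": start,
            "account": account, "image_path": image, "findings": findings}


def triage(reg_text):
    """Parse an export and collect every indicator the page describes."""
    keys = parse_reg(reg_text)
    report = {"services": {}, "config": {}, "findings": []}
    for path, values in keys.items():
        if "\\services\\" in path.lower():
            svc = triage_service(path, values)
            report["services"][path] = svc
            report["findings"].extend(f"{path}: {f}" for f in svc["findings"])
        if CONFIG_GUID.lower() in path.lower():
            report["config"][path] = values
            report["findings"].append(f"{path}: Sanusra configuration key present")
            if isinstance(values.get("svt"), int):
                # Assumption: svt is a 32-bit Unix timestamp (the page does not say).
                stamp = datetime.fromtimestamp(values["svt"], tz=timezone.utc)
                report["svt_utc"] = stamp.strftime("%Y-%m-%dT%H:%M:%SZ")
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REG), indent=2))
```

To use it on a real host, feed it the output of `reg export "HKLM\SYSTEM\ControlSet001\Services\08ec64fe" svc.reg` (reg export writes UTF-16 with a byte-order mark, so open the file with encoding `utf-16`). Export the ControlSet that CurrentControlSet actually points at as well, since the page only names ControlSet001 and a host may be booting from ControlSet002; and remember that a service with this ImagePath is equally visible through `sc qc 08ec64fe` on the live system.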
Payload
Sends information to a remote server
The trojan checks your PC's Internet connection by trying to connect to the following websites:
- bbc.com
- storagers.com
- thesunning.com
- time.nist.gov
- time.windows.com
- yahoo.com
If it confirms Internet connectivity, it sends encrypted information about your PC to a remote server.
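The connectivity check gives a network-side hunt. Each of the six hosts is unremarkable on its own, so the signal is one client resolving most of them within seconds of each other. The Python below is an added example for this page, not Microsoft's detection logic and not code from the original write-up. It runs over constructed DNS query log lines in a simple `timestamp client qname` layout (an assumed format; adapt the parser to your resolver's logs) and flags any client that hits at least four of the six names inside a 60-second window. Both thresholds are assumptions to tune against local traffic.

```python
"""Hunt for the Sanusra.A connectivity probe in DNS query logs.

Added example for this page (not Microsoft's detection logic). The trojan
resolves six well-known hosts before it sends anything; a single client
hitting most of them inside a short window is the detectable pattern.
"""
from collections import defaultdict
from datetime import datetime

# The six hosts listed on the page. Subdomains (www.bbc.com) are folded onto them.
PROBE_HOSTS = {"bbc.com", "storagers.com", "thesunning.com",
               "time.nist.gov", "time.windows.com", "yahoo.com"}

# Constructed log lines, not a real capture: "timestamp client qname" per line.
# 10.0.0.5 shows the burst; 10.0.0.7 and 10.0.0.9 are ordinary background noise.
SAMPLE_LOG = """\
2014-12-09T10:00:01 10.0.0.5 www.bbc.com
2014-12-09T10:00:01 10.0.0.5 time.nist.gov
2014-12-09T10:00:02 10.0.0.5 time.windows.com
2014-12-09T10:00:02 10.0.0.5 storagers.com
2014-12-09T10:00:03 10.0.0.5 thesunning.com
2014-12-09T10:00:03 10.0.0.5 yahoo.com
2014-12-09T10:05:00 10.0.0.7 www.bbc.com
2014-12-09T11:30:00 10.0.0.7 time.windows.com
2014-12-09T12:00:00 10.0.0.9 yahoo.com
"""


def canonical(qname):
    """Map a query name onto one of the probe hosts, or None if it is unrelated."""
    q = qname.rstrip(".").lower()
    for host in PROBE_HOSTS:
        if q == host or q.endswith("." + host):
            return host
    return None


def parse_log(text):
    """Return {client: sorted [(datetime, probe_host), ...]} for matching queries only."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        host = canonical(qname)
        if host:
            events[client].append((datetime.fromisoformat(ts), host))
    for client in events:
        events[client].sort()
    return events


def find_probes(text, window_seconds=60, min_distinct=4):
    """Alert on clients that resolve min_distinct probe hosts within one window."""
    alerts = []
    for client, evs in parse_log(text).items():
        best, best_start = set(), None
        for i, (t0, _) in enumerate(evs):
            seen = set()
            for t, host in evs[i:]:           # sliding window anchored at event i
                if (t - t0).total_seconds() > window_seconds:
                    break
                seen.add(host)
            if len(seen) > len(best):
                best, best_start = seen, t0
        if len(best) >= min_distinct:
            alerts.append({"client": client, "start": best_start.isoformat(),
                           "hosts": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in find_probes(SAMPLE_LOG):
        print(f"{alert['client']} at {alert['start']}: {', '.join(alert['hosts'])}")
```

bbc.com, yahoo.com and the two NTP hosts generate plenty of benign queries, so the rule keys on co-occurrence rather than on any single name; storagers.com and thesunning.com are the least common of the six, and a stricter variant could require both of them in the window. The rule does not see the follow-on upload of the encrypted data, because the page does not name that server.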
Analysis by Rex Plantado
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
%APPDATA%\Clip Converter\clipcnv.dll
- You see these entries or keys in your registry (the values are the same as those listed under Installation above):
In subkey: HKLM\SYSTEM\ControlSet001\Services\08ec64fe
(service "ClipCnv", ImagePath running rundll32.exe on clipcnv.dll as LocalSystem)
In subkey: HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_08ec64fe
In subkey: HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_08ec64fe
Last update 09 December 2014