PWS:Win32/VB.CU
First posted on 12 July 2011.
Source: SecurityHome
Aliases:
PWS:Win32/VB.CU is also known as Win32/Swisyn.worm.446517 (AhnLab), Trojan.Win32.Swisyn.auzw (Kaspersky), W32/Swisyn.CL (Norman), W32.Gosys (Symantec), PE_MOFKSYS.B-O (Trend Micro).
Explanation:
PWS:Win32/VB.CU is a trojan that steals certain information from the affected computer. It also stops the SharedAccess service and overwrites certain files.
Installation
PWS:Win32/VB.CU drops a copy of itself as the following:
- <system folder>\explorer.exe
- %windir%\spoolsv.exe
- %windir%\svchost.exe
Note that the files at these paths are not legitimate Windows binaries; malware commonly reuses these names, in a folder other than the real one, so that the running process list looks normal. The legitimate Windows binaries are found in the following locations:
- <system folder>\spoolsv.exe
- <system folder>\svchost.exe
- %windir%\explorer.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Upon execution, PWS:Win32/VB.CU adds the following registry key as part of its installation routine:
In subkey:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
or
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Sets value: "StubPath"
With data: "%AppData%\mrsys.exe MR"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "Explorer"
With data: "<system folder>\explorer.exe RO"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "Svchost"
With data: "%windir%\svchost.exe RO"
It also modifies the following registry value so that its copy is launched together with the real Windows shell every time a user logs on:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%windir%\explorer.exe, <system folder>\explorer.exe"
PWS:Win32/VB.CU also creates a scheduled job to activate its dropped copy. The scheduled job file is saved as "%windir%\task\At1.job".
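The installation artifacts above (dropped copies in the wrong folder, the Active Setup, RunOnce and Winlogon Shell values, and the At1.job file) can be checked on a suspect host with the following PowerShell triage script. It is an added example, not code from the original write-up or from the analyst; it assumes the paths and value names are exactly as listed on this page, and it reports rather than removes anything it finds.

```powershell
# Added triage script for the installation artifacts listed above (not part of the original
# write-up). Run in an elevated Windows PowerShell 3.0+ session; it only reads, never deletes.
$sys = [Environment]::GetFolderPath('System')   # <system folder>, e.g. C:\Windows\System32
$win = $env:windir
$findings = @()

# 1. Dropped copies living in the wrong folder. The genuine explorer.exe is in %windir% and the
#    genuine spoolsv.exe/svchost.exe are in <system folder>, so a file at any of these paths is
#    suspicious regardless of its name or signature status.
foreach ($p in @("$sys\explorer.exe", "$win\spoolsv.exe", "$win\svchost.exe")) {
    if (Test-Path -LiteralPath $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        $findings += "Unexpected file: $p (Authenticode: $($sig.Status))"
    }
}

# 2. Active Setup StubPath pointing at %AppData%\mrsys.exe. The page lists two different
#    CLSID-like subkey names, so match on the value data rather than on the key name.
$asRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $asRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match 'mrsys\.exe') {
        $findings += "Active Setup persistence: $($_.PSChildName) StubPath=$stub"
    }
}

# 3. RunOnce values named "Explorer" and "Svchost" (their data carries the "RO" argument).
$runOnce = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
foreach ($name in 'Explorer', 'Svchost') {
    $v = $runOnce.$name
    if ($v) { $findings += "RunOnce persistence: $name=$v" }
}

# 4. Winlogon Shell. On a clean host this is just "explorer.exe"; the malware appends its own
#    copy after a comma, so anything beyond the real shell is reported.
$shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -and $shell -notmatch '^(explorer\.exe|%windir%\\explorer\.exe|.*\\Windows\\explorer\.exe)\s*$') {
    $findings += "Winlogon Shell tampered: $shell"
}

# 5. The At1.job scheduled job. The page gives %windir%\task; Task Scheduler 1.0 stores .job
#    files under %windir%\Tasks, so both locations are checked.
foreach ($j in @("$win\task\At1.job", "$win\Tasks\At1.job")) {
    if (Test-Path -LiteralPath $j) { $findings += "Scheduled job present: $j" }
}

if ($findings.Count -eq 0) { 'No PWS:Win32/VB.CU installation artifacts found.' } else { $findings }
```

The file check deliberately does not trust the Authenticode status: an unsigned or "NotSigned" result simply confirms the finding, while a valid signature on a file at one of these paths is still worth a second look, because the location alone is wrong.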
Payload
Disables network services
PWS:Win32/VB.CU stops the SharedAccess service. On Windows XP, Vista and 7 this service hosts the Windows Firewall and Internet Connection Sharing, so stopping it leaves the computer without its host firewall while the trojan communicates.
Steals sensitive information
This password stealer logs clicks, keystrokes and window titles. It also collects the following information:
- email configuration (user name, password, email recipients, SMTP server, server port, authentication status, whether it is using SSL)
- instant messenger credentials
- downloaded files
- websites visited
- search keywords
- operating system
- Internet browser and version
- software installed in the system
- clipboard contents
- desktop captures
- network shared resources connected to the computer
Overwrites files
PWS:Win32/VB.CU overwrites executable files found in the same folder in which it was initially executed.
Additional information
PWS:Win32/VB.CU enables and starts the Schedule (Task Scheduler) service to make sure the scheduled job it created runs its dropped copy every day. To make itself harder to notice on the affected computer, it terminates its own process once the installation routine is finished and relies on the RunOnce, Winlogon Shell and scheduled-job entries to be started again.
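The payload side effects described above (SharedAccess stopped, Schedule enabled so the job fires, and sibling executables overwritten) leave checkable traces. The following PowerShell script is an added example, not code from the original write-up or from the analyst. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), and the $LaunchDir parameter, the folder the sample was first executed from, is an assumption supplied by whoever runs it.

```powershell
# Added triage script for the payload effects described above (not part of the original
# write-up). Requires Windows PowerShell 4.0+ and reads only; nothing is changed on the host.
# $LaunchDir is an assumption: the folder the suspicious sample was first run from.
param([string]$LaunchDir = (Get-Location).Path)

$report = @()

# Service state. SharedAccess (Windows Firewall/ICS) normally runs on XP/Vista/7 and the
# trojan stops it; Schedule is turned on so the At1.job fires daily, which is notable on a
# host where an administrator had disabled it.
foreach ($svc in 'SharedAccess', 'Schedule') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$svc'").StartMode
        $report += "$svc : $($s.Status) (StartMode=$mode)"
    }
}

# Overwritten executables. After the payload runs, every .exe in the launch folder carries the
# same bytes as the dropped copy, so executables are grouped by SHA-256 and any group with
# more than one member is flagged for manual review.
$groups = Get-ChildItem -LiteralPath $LaunchDir -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName
            Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Group-Object -Property Hash | Where-Object { $_.Count -gt 1 }

foreach ($g in $groups) {
    $report += "Identical executables in $LaunchDir (possibly overwritten), SHA256 $($g.Name):"
    $report += ($g.Group | ForEach-Object { "    $($_.Path)" })
}

if ($report.Count -eq 0) { 'No payload artifacts found.' } else { $report }
```

Identical hashes across several .exe files in one folder are not proof on their own (an installer directory can legitimately contain duplicates), but combined with a stopped SharedAccess service and the installation artifacts listed earlier they are a strong indicator that the overwrite routine has run, and the hash itself is the value to submit for scanning.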
Analysis by Zarestel Ferrer
Last update 12 July 2011