
Trojan-Spy:W32/Montp


First posted on 20 August 2010.
Source: SecurityHome

Aliases :

There are no other names known for Trojan-Spy:W32/Montp.

Explanation :

A trojan that secretly installs spy programs, such as keyloggers.

Additional Details

Trojan-Spy:W32/Montp identifies a data-stealing trojan that collects login information from users of numerous on-line banks and sends the collected data to the attacker by uploading specially created files to an FTP server. The trojan can also download and run additional files from FTP and HTTP servers.

To disguise its actions, Montp uses stealth techniques: it hooks system APIs to hide its own files and Registry keys.

The first Montp variant was discovered in April 2004. The last variant, Montp.F, was found on 6-7 June 2004.

Installation

The trojan's main file is a 44032-byte PE executable packed with the PECompact file compressor. It drops an unpacked DLL of 241664 bytes. When the executable is run, it installs itself on the system.

During installation, the trojan copies its file into a subfolder named 'qmin' inside the Windows System folder, using a randomly generated file name, for example 'adpgcjca.exe'.

Then a DLL named 'qmin2.dll' is dropped into the Windows System folder and loaded. This DLL hooks certain APIs in order to intercept HTTPS requests; it also hides the malware's files and Registry keys (stealth).

The Trojan also creates a file named 'xtempx.xxx' in the Windows System folder.

Data Theft

The dropped DLL component checks whether the user opens any of the following URLs over HTTPS (the bank names have been removed from this list; only the domain suffixes remain):

.co.uk, .co.uk, .com, .tv, .com, .com, .com.au, .com.au, .com, .co.uk, .co.uk, .com, .co.uk, .co.uk, .co.uk, .com, .com.au, .com, .com, .co.nz, .com, .com, .com, .se, .com.vn, .com, .com, .com, .de, .com, .com, .com, .com.hk, .com, .com, .com, .com, .com.au, .com, .de, .com.my, .com.my, .de, .com.au, .com, .net.au, .com, .com, .com, .com, .com, .com, .com, .com, .com.au, .com, .de, .de, .com.hk, .com, .com, .com, .com, .com.au, .com, .co.nz, .co.nz, .com, .com.au, .com.au, .com, .com
If the user opens any of those URLs (which mostly belong to on-line banks), the Trojan's DLL creates a capture file named after the bank; for several URLs it uses one shared file instead. The following files are created (bank-name prefixes have been removed from this list):

_co_uk.pst, _co_uk.pst, _com.pst, .pst, _com.pst, .pst, _com_au.pst, _com_au.pst, _com.pst, _CO_UK.pst, _CO_UK.pst, _COM.pst, _CO_UK.pst, _co_uk.pst, _co_uk.pst, instant1f.pst (shared by several URLs)
The Trojan's DLL also checks for URLs containing any of the following strings:

zwallet.com, .cl, .ru, .ua, .o2.co.uk, ytv.com, yourastrologysite.com, .edu, yes.com.hk, yagma.com, mail, serviticket.com, sierraclub.org, wrem.sis.yorku.ca, worth1000.com, worldwinner.com, delawarenorth.com, .bg, uwaterloo.ca, t-mobile.com, .ac.uk, willhill.com, bigpond.net.au, intel.com, webzdarma.cz, nwa.com, sap-ag.de, guidehome.com, microsoft.com, .il, .ust.hk, .fi, .ac.nz, .sk, .ac.at, unb.ca, ubc.ca, sheridanc.on.ca, queensu.ca, mcmaster.ca, mcgill.ca, carleton.ca, douglas.bc.ca, .hr, comcast.net, webassign.net, there.com, uoguelph.ca, uottawa.ca, .jp, ych.com, icq.com, .tw, watchguard.com, walgreens.com, aircanada.ca, ibm.com, opusit.com.sg, vutbr.cz, vpost.com.sg, .md, vodafone, virginmobileusa.com, virginblue.com.au, mcafee.com, videotron.com, victoriassecret.com, veloz.com, vasa.slsp.sk, .com, uscitizenship.info, uscden.net, usafis.org, yesasia.com, ups.com, ucas.co.uk, uwindsor.ca, uoguelph.ca, unixcore.com, united.intranet.ual.com, preschoicefinancial.com, yorku.ca, trustinternational.com, trust1.com, trivita.com, travelcommunications.co.uk, travelclub.swiss.com, travel.priceline.com, travel.com.au, towerhobbies.com, game, hp.com, iprimus.com.au, iinet.net.au, music, ssdcl.com.sg, datasvit.net, starhubshop.com.sg, 012.net, stanfordalumni.org, .cz, tdcwww.net, tmi-wwa.com, tm.net.my, tirerack.com, ti.com, ultrastar.com, ticketmaster.com, three.com.hk, theaa.com, tepore.com, recruitsoft.com, freedom.net, telstra.com, telpacific.com.au, techdata.com, quickbooks.com, tbihosting.com, inlandrevenue.gov.uk, symantec, sony, .kz, dell, cablebg.net, supergo.com, look.ca, maximonline.com, streamload.com, apple.com, puma.com, a-net.com, webtrendslive.com, gigaisp.net, ihost.com, monster.com, .sok, lanck.net, farlep.net, .kr, speedera.net, kundenserver.de, ingrammicro.com, campoints.net, ains.com.au, srp.org.sg, sqnet.com.sg, adaptec.com, worldgaming.net, sportodds.com, sportingbet.com, spiritair.com, swamp.lan, soundclick.com, hkuspace.org, soccer.com, solo3..fi, snapfish.com, cometsystems.com, flextronics.com, esdlife.com, site-secure.com, singaporeair.com, sims.sfu.ca, simplyhotels.com, singnet.com.sg, silicon-power.com, signup.sprint.ca, shutterfly.com, shopundco.com, zoovy.com, go-fia.com, shoppersoptimum.ca, shopadmin.daum.net, o2online.de, ecompanystore.com, shkcorpws5.shkp.com, sfa.prudential.com.sg, hku.hk, vodafone.co.uk, cic.gc.ca, sfgov.org, rogers.com, macau.ctm.net, xs4all.nl, sympatico.ca, ariba.com, liveperson.net, sephora.com, senecac.on.ca, canon-europe.com, xtra.co.nz, t-mobile.co.uk, selfmgmt.com, securitymetrics.com, securewebexchange.com, western-inventory.com, playstation.com, imrworldwide.com, secureserver.net, secureordering.com, imrworldwide.com, securecart.net, wn.com.au, webeweb.net, mgm-mirage.com, w2express.com, vandyke.com, ubi.com, tsn.cc, trekblue.com, tickle.com, thewheelconnection.com, telusmobility.com, starbiz.net.sg, sparknotes.com, sparkart.com, sms.ac, billerweb.com, shaw.ca, safesite.com, register.com, oztralia.com, ordering.co.uk, orcon.net, optusnet.com.au, onlineaccess.net, oberon-media.com, nzqa.govt.nz, novuslink.net, nike.com.hk, netspeed.com.au, netfirms.com, netbilling.com, nai.com, nacelink.com, mysylvan.com, mouse2mobile.com, .com.au, lkw-walter.com, kent.net, reuters.com, intuitcanada.com, infusion-studios.com, indigosp.com, idx.com.au, hotbar.com, hostdozy.com, hilton.com, gevalia.com, fredericks.com, ezpeer.com, europeonline.com, e-registernow.com, emetrix.com, elsevier, element5.com, elance.com, earthport.com, directsex.com, directnic.com, deluxepass.com, delias.com, konetic.org, customersvc.com, c1hrapps.com, bnpparibas.net, .com, bearshare.com, authorize.net, advisor.com, adultfriendfinder.com, acadiau.ca, yimg.com, sebra.com, seatbooker.net, searchfit.org, eutelsat.net, carleton.ca, upjs.sk, scicollege.org.sg, sciamdigital.com, ebay, s-central.com.au, sbc.com, samsunggsbn.com, sammikk.com
Information from web pages intercepted this way is collected in a file named 'global1f.pst'. The trojan's EXE then processes the PST files created by the DLL component, except for 'instant1f.pst' and 'global1f.pst', which are uploaded to the FTP site as-is.

After processing the PST files created for certain banks, the Trojan writes corresponding .INI files containing information such as the user's name, customer ID, date of birth, passwords, PINs, account numbers and other sensitive data. The following files are created after processing of the bank-related PST files (bank-name prefixes have been removed from this list):

_co_uk.ini, .ini, _co_uk.ini, .ini, .ini, .ini, .ini, .ini, _co_au.ini, .ini, .ini, .ini, .ini, .ini
The files with collected data are uploaded to the FTP site into directories named 'MAIN', 'FILT' and 'SPAM': the sorted .INI files with data stolen from major banks go to 'MAIN', the 'instant1f.pst' file with data stolen from the other banks goes to 'FILT', and the 'global1f.pst' file with data collected from the remaining URLs goes to 'SPAM'.

Payload

Montp modifies the HOSTS file to redirect the domain name 'web.da-us.citibank.com' to the IP address 66.98.244.59. Because the resolver consults the HOSTS file before querying DNS, the user's browser is sent to that address even when the correct bank URL is typed.

The malware attempts to download and run a file named 'update8.exe' from the 'www.projecx.net' website. At the time this description was written, that file was no longer accessible. The Trojan additionally attempts to download and run a file named 'update.exe' from the FTP server to which it uploads the stolen data.

The trojan also sets 'about:blank' as the Internet Explorer start page.

Montp looks for and terminates processes with the following names:

ARMOR2NET.EXE, SAVSCAN.EXE, NPROTECT.EXE, NVSVC32.EXE, _AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, ACKWIN32.EXE, ANTI-TROJAN.EXE, APVXDWIN.EXE, AUTODOWN.EXE, AVCONSOL.EXE, AVE32.EXE, AVGCTRL.EXE, AVKSERV.EXE, AVNT.EXE, AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPDOS32.EXE, AVPM.EXE, AVPTC32.EXE, AVPUPD.EXE, AVSCHED32.EXE, AVWIN95.EXE, AVWUPD32.EXE, BLACKD.EXE, BLACKICE.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, CLAW95.EXE, CLAW95CF.EXE, CLEANER.EXE, CLEANER3.EXE, DVP95.EXE, DVP95_0.EXE, ECENGINE.EXE, ESAFE.EXE, ESPWATCH.EXE, F-AGNT95.EXE, FINDVIRU.EXE, FPROT.EXE, F-PROT.EXE, F-PROT95.EXE, FP-WIN.EXE, FRW.EXE, F-STOPW.EXE, IAMAPP.EXE, IAMSERV.EXE, IBMASN.EXE, IBMAVSP.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFACE.EXE, IOMON98.EXE, JEDI.EXE, LOCKDOWN2000.EXE, LOOKOUT.EXE, LUALL.EXE, MOOLIVE.EXE, MPFTRAY.EXE, N32SCANW.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVNT.EXE, NAVW32.EXE, NAVWNT.EXE, NISUM.EXE, NMAIN.EXE, NORMIST.EXE, NUPGRADE.EXE, NVC95.EXE, OUTPOST.EXE, PADMIN.EXE, PAVCL.EXE, PAVSCHED.EXE, PAVW.EXE, PCCWIN98.EXE, PCFWALLICON.EXE, PERSFW.EXE, RAV7.EXE, RAV7WIN.EXE, RESCUE.EXE, SAFEWEB.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE, SCRSCAN.EXE, SERV95.EXE, SMC.EXE, SPHINX.EXE, SWEEP95.EXE, TBSCAN.EXE, TCA.EXE, TDS2-98.EXE, TDS2-NT.EXE, VET95.EXE, VETTRAY.EXE, VSCAN40.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSSTAT.EXE, WEBSCANX.EXE, WFINDV32.EXE, ZONEALARM.EXE

Most of these names belong to anti-virus and personal firewall software.

Registry Changes

A startup value for the Trojan's executable is created in the Registry (the randomly generated file name is shown as a placeholder):

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"qmin" = "%WinSysDir%\qmin\<random name>.exe"

Additionally, the Trojan creates the following Registry values:

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"qmin"

[HKCU\Software\Microsoft\Windows\]
"qmax"

The last value is set at the beginning of the data-stealing process and deleted afterwards.
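The host indicators above (the HOSTS-file redirect in the Payload section, the dropped files and 'qmin' folder from the Installation section, and the Run value here) can be checked with a short triage script. The following is an added example, not part of the original description and not code from the trojan or from the vendor that analysed it. It runs on constructed snapshots (a HOSTS-file excerpt, a dict of Run-key values and a list of file paths) so it works offline; on a live Windows host you would feed the real hosts file, the HKLM Run key values and a System32 directory listing into the same functions. The only assumption beyond the text is that the randomly named executable keeps its .exe extension.

```python
"""Offline triage for the Trojan-Spy:W32/Montp host indicators.

Added example, not part of the original description. It works on
constructed snapshots so it can run anywhere; on a real host read the
HOSTS file, the HKLM Run key and a System32 listing into these functions.
"""
import re

# Indicators taken from the description.
PHARMED_HOST = "web.da-us.citibank.com"
PHARMED_IP = "66.98.244.59"
RUN_VALUE_NAME = "qmin"
DROPPED_FILES = {"qmin2.dll", "xtempx.xxx"}
# The dropped EXE lives in a 'qmin' subfolder under a random name; the
# pattern assumes only that it keeps the .exe extension.
QMIN_EXE_RE = re.compile(r"\\qmin\\[^\\]+\.exe$", re.IGNORECASE)


def parse_hosts(text):
    """Return {hostname: ip} from HOSTS-file text (IP first, then names)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def check_hosts(text):
    """Flag the exact Montp redirect, and any other static mapping of the
    targeted bank host: a clean HOSTS file has no reason to pin it."""
    ip = parse_hosts(text).get(PHARMED_HOST)
    if ip == PHARMED_IP:
        return [f"hosts: {PHARMED_HOST} -> {ip} (Montp redirect)"]
    if ip is not None:
        return [f"hosts: {PHARMED_HOST} -> {ip} (unexpected static entry)"]
    return []


def check_run_values(run_values):
    """run_values: {value_name: command} read from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    findings = []
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE_NAME or QMIN_EXE_RE.search(command.strip('"')):
            findings.append(f"run key: {name} = {command}")
    return findings


def check_files(paths):
    """Flag the two dropped files by name and the random EXE by its folder."""
    findings = []
    for path in paths:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in DROPPED_FILES or QMIN_EXE_RE.search(path):
            findings.append(f"file: {path}")
    return findings


def triage(hosts_text, run_values, paths):
    """Run all three checks and return the combined list of findings."""
    return check_hosts(hosts_text) + check_run_values(run_values) + check_files(paths)


# Constructed sample snapshots (not captured from a real infection).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
66.98.244.59    web.da-us.citibank.com
"""
SAMPLE_RUN = {
    "qmin": '"C:\\WINDOWS\\system32\\qmin\\adpgcjca.exe"',
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}
SAMPLE_FILES = [
    "C:\\WINDOWS\\system32\\qmin2.dll",
    "C:\\WINDOWS\\system32\\xtempx.xxx",
    "C:\\WINDOWS\\system32\\qmin\\adpgcjca.exe",
    "C:\\WINDOWS\\system32\\kernel32.dll",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, SAMPLE_RUN, SAMPLE_FILES):
        print(finding)
```

Note that check_hosts reports any static mapping of the bank host, not only the address listed above, since a later variant could point the same name elsewhere; the IP in the description should be treated as one indicator, not the only one. Because the trojan's DLL hides its files and Registry keys from processes it has hooked, a listing taken from the infected system while it is running may be incomplete; mount the disk offline or boot from clean media before trusting the file and Registry checks.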

Last update 20 August 2010
