
Worm:Win32/Rochap.A


First posted on 25 January 2012.
Source: Microsoft

Aliases:

Worm:Win32/Rochap.A is also known as Trojan.Win32.Buzus (Ikarus), TROJ_SPNR.0CLI11 (Trend Micro).

Explanation:

Worm:Win32/Rochap.A is a worm that spreads by sending Windows Live instant messages that link to a copy of itself. It also steals the user's Windows Live credentials and sends them to a remote attacker, and it drops another file, which is detected as TrojanDownloader:Win32/Rochap.R.





Installation

Worm:Win32/Rochap.A drops itself as the following file:

%APPDATA%\google_tool_bar_notification<3-digit random number>.exe

It injects its code into "iexplore.exe".

Worm:Win32/Rochap.A modifies the following registry entry to ensure that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Googlee Tooll Bar Notification Env"
With data: "%APPDATA%\google_tool_bar_notification<3-digit random number>.exe"

It creates a mutex, such as "enviador", to ensure that only one instance of itself is running in the computer.

Spreads via

Instant messages

Worm:Win32/Rochap.A searches the computer for Windows Live account credentials. If it finds them, it uses that account to send instant messages to the user's contacts; each message contains a link to a copy of the worm.



Payload

Worm:Win32/Rochap.A drops an archived file named "%APPDATA%\*.zip" that contains a file named "<random alphanumeric characters>_DOC.SCR". This file is detected as TrojanDownloader:Win32/Rochap.R.

Steals information

Before exfiltrating, Worm:Win32/Rochap.A makes HTTP requests to check whether a particular remote server is online. If the server is unreachable, it abandons the attempt. Otherwise, it emails the stolen Windows Live credentials to a remote attacker via its own SMTP server.
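The indicators in the Installation, Payload and Steals information sections above can be turned into a host triage script. The following is an added example, not Microsoft's tooling and not code from the worm; every input it consumes is constructed in-line so it runs offline. The SMTP check assumes the outbound mail traffic originates from the iexplore.exe process the worm injects into and uses ports 25, 465 and 587; the page does not state either detail.

```python
r"""Host triage for the Worm:Win32/Rochap.A indicators listed on this page.

Added example, not Microsoft's own tooling. All inputs below are constructed
so the script runs offline. On a live host you would feed it the output of
`reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, a listing of
%APPDATA%, a handle dump, the dropped archive and network-connection events.
"""
import io
import re
import zipfile

# Dropped file: fixed prefix, exactly three digits, .exe (NTFS is case-insensitive).
DROPPED_FILE_RE = re.compile(r"^google_tool_bar_notification\d{3}\.exe$", re.I)
# Run-key value name; the misspellings are part of the indicator, so match exactly.
RUN_VALUE_NAME = "Googlee Tooll Bar Notification Env"
# Mutex cited by the page; mutex names are case-sensitive on Windows.
KNOWN_MUTEXES = {"enviador"}
# Member name inside the dropped %APPDATA%\*.zip.
PAYLOAD_MEMBER_RE = re.compile(r"^[A-Za-z0-9]+_DOC\.SCR$", re.I)
# Assumption (not from the page): ports the injected iexplore.exe would use for SMTP.
SMTP_PORTS = (25, 465, 587)


def _leaf(path):
    """Last path component, with surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def suspicious_appdata_files(filenames):
    """Names in an %APPDATA% listing that match the dropper pattern."""
    return [f for f in filenames if DROPPED_FILE_RE.match(_leaf(f))]


def suspicious_run_entries(run_values):
    """run_values: {value name: data} from the HKCU Run key.
    Flags the known value name and any value whose data points at the dropper."""
    return [name for name, data in run_values.items()
            if name == RUN_VALUE_NAME or DROPPED_FILE_RE.match(_leaf(data))]


def suspicious_mutexes(object_names):
    """Named objects (e.g. from a handle dump) whose leaf name is a known mutex."""
    return [_leaf(n) for n in object_names if _leaf(n) in KNOWN_MUTEXES]


def suspicious_zip_members(zip_bytes):
    """Archive members named like <alphanumeric>_DOC.SCR."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if PAYLOAD_MEMBER_RE.match(_leaf(n))]


def suspicious_smtp_connections(events):
    """(image, destination port) pairs where iexplore.exe talks SMTP directly."""
    return [(img, port) for img, port in events
            if _leaf(img).lower() == "iexplore.exe" and port in SMTP_PORTS]


# Constructed sample inputs (not captured from a real infection).
SAMPLE_APPDATA = ["google_tool_bar_notification427.exe",
                  "google_tool_bar_notification.exe",  # no digits: does not match
                  "Microsoft", "notes.txt"]
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "Googlee Tooll Bar Notification Env":
        r"C:\Users\u\AppData\Roaming\google_tool_bar_notification427.exe",
    "Updater": '"C:\\Users\\u\\AppData\\Roaming\\google_tool_bar_notification913.exe"',
}
SAMPLE_OBJECTS = [r"\Sessions\1\BaseNamedObjects\enviador",
                  r"\BaseNamedObjects\Enviador",  # different case: a different mutex
                  r"\Sessions\1\BaseNamedObjects\SM0:1234:64:WilStaging_02"]
SAMPLE_EVENTS = [(r"C:\Program Files\Internet Explorer\iexplore.exe", 443),
                 (r"C:\Program Files\Internet Explorer\iexplore.exe", 25),
                 (r"C:\Program Files\Outlook\outlook.exe", 587)]


def build_sample_zip():
    """In-memory stand-in for the dropped archive (member name shapes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a8Kq2z_DOC.SCR", b"not a real payload")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


def triage():
    """Run every check over the constructed samples and return the findings."""
    return {
        "appdata_files": suspicious_appdata_files(SAMPLE_APPDATA),
        "run_entries": suspicious_run_entries(SAMPLE_RUN),
        "mutexes": suspicious_mutexes(SAMPLE_OBJECTS),
        "zip_members": suspicious_zip_members(build_sample_zip()),
        "smtp_from_iexplore": suspicious_smtp_connections(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {hits or 'clean'}")
```

Two of the samples exist to show where the patterns must not be loosened: the file name without the three-digit suffix and the differently-cased mutex are both left unflagged, because the page specifies exactly three digits and Windows mutex names are case-sensitive. The archive check matches on member name only; a name match is a reason to submit the file for scanning, not proof that it is TrojanDownloader:Win32/Rochap.R.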



Analysis by Marianne Mallen

Last update 25 January 2012
