Home / malware Trojan:Win32/Suweezy
First posted on 14 September 2016.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Suweezy.
Explanation :
Installation
This threat is commonly installed by BrowserModifier:Win32/Sasquor.
When first run, this threat might make multiple copies of itself to locations such as these:
- C:\Program Files (x86)\SoSoIm_3\SoSoIm3.exe
- C:\Program Files (x86)\SoSoIm_4\SoSoIm4.exe
- C:\Program Files (x86)\SoSoIm_5\SoSoIm5.exe
- C:\Program Files (x86)\SoSoIm_6\SoSoIm6.exe
- C:\Users\MSUser.Default\Help_3\CfHelp33.exe
- C:\Users\MSUser.Default\Help_4\CfHelp44.exe
- C:\Users\MSUser.Default\Help_5\CfHelp55.exe
- C:\Users\MSUser.Default\Help_6\CfHelp66.exe
It can also create serveral services to run these automatically on Windows start-up, for example:
- service:BSSoEasySvc3
- service:BSSoEasySvc4
- service:BSSoEasySvc5
- service:BSSoEasySvc6
- service:ZSHelper33
- service:ZSHelper44
- service:ZSHelper55
- service:ZSHelper66
We have seen the service description as: "The SoEasy service that aims to offer search easlisy".
When one of the Suweezy executables runs, it may temporarily write a DLL file for example,
C:\Program Files (x86)\SoSoIm_3\launcher.dll
and launch it using rundll32.exe:
rundll32 "C:\Program Files (x86)\SoSoIm_3\launcher.dll",DllReg
This DLL is deleted after it finishes running.
Payload
Excludes folders from being scanned by anti-malware products
The DLL is responsible for this threat's payload. It attempts to add several folders to the list of folders that Windows Defender excludes from scanning, by adding registry entries such as these:
In subkey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Sets value: "C:\"
With data: "0x00000000"
In subkey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_4\"
With data: "0x00000000"
In subkey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_5\"
With data:"0x00000000"
In subkey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_6\"
With data:"0x00000000"
It also tries to add similar entries for Microsoft Security Essentials/System Center Endpoint Protection exclusions, for example:
In subkey: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Sets value: "C:\"
With data:"0x00000000"
In subkey: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_4\"
With data:"0x00000000"
In subkey: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_5\"
With data:"0x00000000"
In subkey: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_6\"
With data: "0x00000000"
In addition, it attempts to exclude the same folders from scanning by Avast, AVG, and Avira anti-malware scanners, by writing these files:
- C:\ProgramData\AVAST Software\Avast\exclusions.ini
- C:\ProgramData\Avg\AV\DB\exceptions.dat
- C:\ProgramData\Avira\Antivirus\CONFIG\AVWIN.INI
Note: This threat might create these files even if the anti-malware applications are not installed.
Analysis by: Hamish O'DeaLast update 14 September 2016