Trojan:Win32/Wisp.gen!A
First posted on 20 November 2010.
Source: SecurityHome
Aliases :
Trojan:Win32/Wisp.gen!A is also known as Backdoor.Win32.Sykipot.am (Kaspersky), Backdoor.Sykipot.J (VirusBuster), Dropper.Generic2.BNQT (AVG), TR/Wisp.27649.A.2 (Avira), Trojan.Heur.RP.jqZ@aawslNib (BitDefender), Trojan.MulDrop1.46814 (Dr.Web), Win32/Wisp.A (ESET), Backdoor.Win32.Sykipot (Ikarus), Dropper.Win32.Undef.GEN (Rising AV), Troj/Agent-PBK (Sophos), BACKDOOR.Trojan (Symantec), TROJ_WISP.DUKKS (Trend Micro).
Explanation :
Trojan:Win32/Wisp.gen!A is a generic detection for a trojan family that steals system information from the compromised computer, allowing an attacker to gain unauthorized access to the system in order to perform various malicious actions, including downloading and uploading files.
Installation
When executed, Trojan:Win32/Wisp.gen!A copies itself to the %TEMP% directory, and then modifies the registry so this copy is executed at each Windows start. In the wild, it has copied itself using file names such as those listed below:
adobeupdate.exe
nsunday.exe
msasp.exe
ctrl.exe
eparty.exe
It then makes the following registry modification so that this dropped copy is executed at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <filename>
With data: %TEMP%\<filename.exe> -installkys
For example, if it copies itself to %TEMP%\adobeupdate.exe, it makes the following registry modification:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: adobeupdate
With data: %TEMP%\adobeupdate.exe -installkys
The trojan then drops a DLL in the %TEMP% directory, setting its creation date and time to that of svchost.exe. The file name of this DLL also varies, and can have a name such as:
bsunday.dll
nsunday.dll
wofaxgui.dll
epart.dll
wracing.dll
The trojan checks whether the following processes are running, and injects this DLL into the memory space of one of them:
iexplore.exe
outlook.exe
firefox.exe
This DLL is also detected as Trojan:Win32/Wisp.gen!A and performs the main payload.
Payload
Steals system information
Trojan:Win32/Wisp.gen!A contacts a script on a particular domain through HTTPS (Hypertext Transfer Protocol Secure) in order to send sensitive information retrieved from the system.
Domains it may contact include:
hotgreenlight.com
defense-association.com
marinetimemac.com
mysundayparty.com
Information it sends to these domains includes:
Computer name
IP address
Proxy server and port number
Backdoor functionality
Trojan:Win32/Wisp.gen!A downloads a configuration file that may contain commands instructing the trojan to perform the following actions on the compromised computer:
Download files
Upload files
Execute commands through the command prompt
Get a list of processes running on the system
Reboot the system
Steal passwords
Terminate processes
Retrieve the Remote Desktop Protocol (RDP) listening port number
Additional information
The trojan creates and deletes a number of files in the %TEMP% directory during its execution, using them to store configuration data and other information gathered by the trojan from the computer. For example, one sample was observed to create the following files:
pdnsunday.tmp
gdnsunday.tmp
pnsunday.tmp
gnsunday.tmp
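The following host-triage script is an added example and is not part of the original writeup or any vendor tool. It checks a Windows machine for the artifacts described in the Installation and Payload sections above: a Run-key value pointing into %TEMP% or carrying the -installkys switch, the listed file names in %TEMP%, a DLL in %TEMP% whose creation time was set to match svchost.exe, a module loaded from %TEMP% inside iexplore.exe, outlook.exe or firefox.exe, and the listed domains in the DNS resolver cache. It is read-only and assumes PowerShell 3 or later, that it runs as the user whose HKCU hive is being inspected, and that the file and domain names given in the writeup are the ones to look for; the function name Find-WispIndicators is this example's own.

```powershell
# Added triage script (not from the writeup or any vendor). Read-only: it reports
# indicators matching the behaviour described in the writeup and changes nothing.
# Assumes PowerShell 3+ and that it runs as the user whose HKCU hive is checked.

function Find-WispIndicators {
    # Names as listed in the writeup; other samples may use different ones.
    $knownExeNames = 'adobeupdate.exe','nsunday.exe','msasp.exe','ctrl.exe','eparty.exe'
    $knownDllNames = 'bsunday.dll','nsunday.dll','wofaxgui.dll','epart.dll','wracing.dll'
    $knownTmpNames = 'pdnsunday.tmp','gdnsunday.tmp','pnsunday.tmp','gnsunday.tmp'
    $c2Domains     = 'hotgreenlight.com','defense-association.com',
                     'marinetimemac.com','mysundayparty.com'
    $knownNames    = $knownExeNames + $knownDllNames + $knownTmpNames

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Run-key persistence: flag any value whose command points into %TEMP% or
    #    carries the -installkys switch, whatever file name the sample chose.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $key = Get-Item $runKey
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            if ($data -match '-installkys' -or $data -match '%TEMP%' -or
                $data -like "$env:TEMP\*") {
                $findings.Add("Run key value '$valueName' = $data")
            }
        }
    }

    # 2. Staged files: known names in %TEMP%, and any DLL in %TEMP% whose creation
    #    time equals that of svchost.exe (the timestomping the writeup describes).
    $tempFiles = @(Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue)
    $svchost   = Get-Item (Join-Path $env:SystemRoot 'System32\svchost.exe')
    foreach ($f in $tempFiles) {
        if ($knownNames -contains $f.Name) {
            $findings.Add("Known file name in TEMP: $($f.FullName)")
        }
        if ($f.Extension -ieq '.dll' -and $f.CreationTimeUtc -eq $svchost.CreationTimeUtc) {
            $findings.Add("DLL in TEMP with svchost.exe creation time: $($f.FullName)")
        }
    }

    # 3. Injection targets: a module loaded from %TEMP% inside one of the listed
    #    processes is abnormal and matches the described DLL injection.
    $targets = Get-Process -Name iexplore,outlook,firefox -ErrorAction SilentlyContinue
    foreach ($p in $targets) {
        try {
            foreach ($m in $p.Modules) {
                if ($m.FileName -like "$env:TEMP\*") {
                    $findings.Add("$($p.Name) (PID $($p.Id)) loaded $($m.FileName)")
                }
            }
        } catch {
            # Module enumeration fails across 32/64-bit boundaries or without rights;
            # record that so the gap is visible rather than silently skipped.
            $findings.Add("Could not enumerate modules of $($p.Name) (PID $($p.Id))")
        }
    }

    # 4. C2 contact: recent lookups of the listed domains survive in the resolver
    #    cache. ipconfig /displaydns works on every supported Windows version.
    $dnsCache = (ipconfig /displaydns 2>$null) -join "`n"
    foreach ($d in $c2Domains) {
        if ($dnsCache -match [regex]::Escape($d)) {
            $findings.Add("C2 domain present in DNS cache: $d")
        }
    }

    return $findings
}

# @() keeps the result an array even when the list is empty or has one entry.
$result = @(Find-WispIndicators)
if ($result.Count -eq 0) { 'No Trojan:Win32/Wisp.gen!A indicators found.' } else { $result }
```

The Run-key check deliberately matches on the %TEMP% path and the -installkys argument rather than on file names, since the writeup notes that the dropped file name varies between samples; the name lists are a secondary signal. The DNS-cache check only shows lookups since the last cache flush or reboot, so an empty result there does not rule out earlier contact; proxy or firewall logs are the longer-lived record for the HTTPS traffic described in the Payload section.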
Analysis by Amir Fouda
Last update 20 November 2010