Home / malware TrojanSpy:Win32/Derusbi.A
First posted on 23 August 2011.
Source: SecurityHomeAliases :
TrojanSpy:Win32/Derusbi.A is also known as TROJ_DLLSERV.BE (Trend Micro).
Explanation :
TrojanSpy:Win32/Derusbi.A is a trojan that steals sensitive information from an infected computer, and opens up a backdoor that allows an attacker to gain unauthorized access and control.
Top
TrojanSpy:Win32/Derusbi.A is a trojan that steals sensitive information from an infected computer, and opens up a backdoor that allows an attacker to gain unauthorized access and control. InstallationWhen executed, TrojanSpy:Win32/Derusbi.A copies itself to <system folder>\msusb<random>.dat. The malware makes the following changes to the registry so that its copy is loaded as a service, with the display name "Automatic Updates" at each Windows start:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
Sets value: "ServiceDll"
With data: %Windows%\system32\msusb<random>.dat" In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Description"
With data: "Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site." In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "DisplayName"
With data: "Automatic Updates" In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "ImagePath"
With data: "%systemroot%\system32\svchost.exe -k netsvcs" The malware creates the following files on an affected computer:Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. Once this dropped file is loaded, TrojanSpy:Win32/Derusbi.A deletes it from the disk. Payload
- <system folder>\drivers\{bc87739c-6024-412c-b489-b951c2f17000}.sys - detected as Trojan:WinNT/Derusbi.A
Steals sensitive information
TrojanSpy:Win32/Derusbi.A gathers sensitive information from the infected computer and posts this information to a remote server. It checks the registry, running processes, and queries the computer in order to gather this data. Derusbi.A has been observed gathering the following information from the computer:
- User login name
- I.P. address of computer
- Version of Windows
- IE Proxy Server settings
- Installed Antivirus software names
- User name and password for the systems default mail account, MSN and Outlook
- Stored Internet Explorer Autocomplete usernames and passwords
Derusbi.A also logs keystrokes entered by the user into any active window on the computer. Logged data is saved to the file %Windows%\Temp\ziptmp$1.tmp21.
Contacts remote host
TrojanSpy:Win32/Derusbi.A may contact a remote host at 144.1.111.30 using port 12080.
Analysis by Amir FoudaLast update 23 August 2011