
Win32/Shiotob


First posted on 09 October 2013.
Source: Microsoft

Aliases :

There are no other names known for Win32/Shiotob.

Explanation :

Threat behavior

Installation

We have seen malware in the Win32/Shiotob family hidden in a .zip file and attached to spam email. We have seen the attachment use the following file names:

  • Booking_Hotel_Reservation_Details_<some strings>.zip
  • DHL-International-Delivery-Notification_<some strings>.zip
  • DHL-Worldwide-Delivery-Notification-<some strings>.zip
  • DHL_Express_POST-NOTIFICATION_<some strings>.zip
  • DHL_ONLINE_SHIPPING_PREALERT_<some strings>.zip


In this case, <some strings> are random and can include dates and random text, for example DHL_Express_POST-NOTIFICATION_28FEB_4S1XFSR9.zip.
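As an added example (this is not code from the Microsoft write-up), the five lure names above can be turned into one pattern for a mail-gateway or attachment-log sweep. The `<some strings>` placeholder is modelled as a run of letters, digits, underscores and hyphens, which covers the dated example shown; the sample names below are constructed for illustration.

```powershell
# Added example, not part of the original write-up. Matches the Win32/Shiotob lure
# attachment names listed on this page; the random suffix is assumed to consist of
# letters, digits, underscores and hyphens (as in the 28FEB_4S1XFSR9 example).
$ShiotobLurePattern = '^(?:' +
    'Booking_Hotel_Reservation_Details_' +
    '|DHL-International-Delivery-Notification_' +
    '|DHL-Worldwide-Delivery-Notification-' +
    '|DHL_Express_POST-NOTIFICATION_' +
    '|DHL_ONLINE_SHIPPING_PREALERT_' +
    ')[A-Za-z0-9_\-]+\.zip$'

function Test-ShiotobLureName {
    param([Parameter(Mandatory)][string]$Name)
    # PowerShell's -match is case-insensitive, so DHL_express_... is caught as well.
    return [bool]($Name -match $ShiotobLurePattern)
}

# Constructed sample of attachment names as they might appear in a gateway log.
$samples = @(
    'DHL_Express_POST-NOTIFICATION_28FEB_4S1XFSR9.zip',   # the example from the write-up
    'Booking_Hotel_Reservation_Details_Q7M2KD.zip',
    'DHL-Worldwide-Delivery-Notification-.zip',          # empty suffix: not matched
    'Invoice_2013.pdf'
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-ShiotobLureName -Name $s), $s
}
```

The pattern is anchored at both ends and requires the `.zip` extension, so a renamed or double-extension attachment will not match; widen the suffix class if your gateway logs show the random part containing other characters.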

Variants of Win32/Shiotob can drop a copy of themselves with a random file name to one of the following folders:

  • %APPDATA%
  • %Systemdir%


Example file names include:

  • execoumixer.exe
  • playwd.exe
  • winquser.exe
  • winzhlp.exe


The trojan tries to hide from your security software by injecting its code into the following Windows processes:

  • csrss.exe
  • explore.exe
  • iexplore.exe
  • svchost.exe


It modifies the following registry entries so that it runs each time you start your PC. The first one abuses the Image File Execution Options "Debugger" value: Windows launches the path stored there instead of userinit.exe at every logon and passes it userinit.exe's own command line, so the malware runs before the user's desktop appears.

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
Sets value: "Debugger"
With data: "<malware path>", for example C:\Windows\System32\execoumixer.exe

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random value name>", for example "winzhlp" or "winquser"
With data: "<malware path> -autorun", for example "%APPDATA%\winquser.exe -autorun"

It creates the following registry subkey containing a binary value to save stolen information:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\<version number>\<random string>
Sets value: (default)
With data: "<binary values>"

Note: <version number> refers to your operating system version, for example "5.0"

Payload

Changes browser settings

The trojan modifies registry entries to change your Internet settings.

It switches off the LAN proxy setting, so that browser connections go directly to the Internet and bypass any proxy configured for the local area network (only the ProxyEnable switch is cleared; this write does not touch the ProxyServer value):

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Modifies value: "ProxyEnable"
With data: "0"

It ensures that Internet Explorer always starts in online mode:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Modifies value: "GlobalUserOffline"
With data: "0"
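The registry and file indicators above (the IFEO and Run persistence entries, the binary data store under Internet Settings, the two browser-setting changes and the dropped file names) can be checked together with one read-only triage script. This is an added example and not code from the Microsoft write-up. It assumes that "%Systemdir%" means %SystemRoot%\System32 (SysWOW64 is also checked on 64-bit hosts) and that the Run entry is best recognised by its trailing "-autorun" switch rather than by the random file name.

```powershell
# Added example; not part of the Microsoft write-up. Read-only triage of the
# Win32/Shiotob indicators on this page. Run in an elevated session on the host.
# Assumptions: "%Systemdir%" = %SystemRoot%\System32 (plus SysWOW64 if present);
# the Run value is identified by its "-autorun" switch.

$findings = New-Object System.Collections.Generic.List[string]

# 1. IFEO hijack of userinit.exe. A "Debugger" value here makes Windows launch that
#    path instead of userinit.exe at every logon; no legitimate setup puts one here.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe'
$dbg  = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($dbg) { $findings.Add("IFEO userinit.exe Debugger = $dbg") }

# 2. HKCU Run values whose data ends in the "-autorun" switch.
$runKey = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($name)
        if ($data -match '-autorun\s*$') { $findings.Add("Run value '$name' = $data") }
    }
}

# 3. Stolen-data store: a subkey under HKLM ...\Internet Settings\<os version>\ whose
#    (default) value holds binary data. A REG_BINARY default on such a subkey is
#    unusual and worth pulling for review.
$inet = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$versionKeys = Get-ChildItem -Path $inet -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
foreach ($ver in $versionKeys) {
    foreach ($sub in (Get-ChildItem -Path $ver.PSPath -ErrorAction SilentlyContinue)) {
        $default = $sub.GetValue('')
        if ($default -is [byte[]] -and $default.Length -gt 0) {
            $findings.Add("Binary (default) value under $($sub.Name): $($default.Length) bytes")
        }
    }
}

# 4. Payload changes to browser settings. Weak on their own: ProxyEnable=0 and
#    GlobalUserOffline=0 are also what a directly connected machine normally has,
#    so report them only as corroboration.
$ui = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($ui -and $ui.ProxyEnable -eq 0 -and $ui.GlobalUserOffline -eq 0) {
    $findings.Add('ProxyEnable=0 and GlobalUserOffline=0 (corroborating only)')
}

# 5. Dropped copies under the drop folders named on this page.
$dropNames = 'execoumixer.exe', 'playwd.exe', 'winquser.exe', 'winzhlp.exe'
$dropDirs  = @($env:APPDATA, (Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64'))
foreach ($dir in $dropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($n in $dropNames) {
        $p = Join-Path $dir $n
        if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file present: $p") }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Shiotob indicators found.' }
else { 'Possible Win32/Shiotob indicators:'; $findings | ForEach-Object { " - $_" } }
```

HKCU and %APPDATA% belong to whichever account runs the script, so run it as the user who opened the attachment (or walk HKEY_USERS and each profile's AppData folder) rather than only as a separate administrator account. The IFEO Debugger finding alone is decisive; the others add confidence and point at the file to collect.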

Steals your sensitive information

This malware injects its code into the following Internet browser processes to monitor what you do online and steal your sensitive information, such as your user names and passwords:

  • avant.exe
  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • maxthon.exe
  • mozilla.exe
  • myie.exe
  • opera.exe


It also injects its code into the following processes to steal your FTP and email user names and passwords:

  • cftp.exe
  • coreftp.exe
  • filezilla.exe
  • ftpte.exe
  • FTPVoyager.exe
  • msimn.exe
  • outlook.exe
  • SmartFTP.exe
  • thebat.exe
  • totalcmd.exe
  • WinSCP.exe


Sends your information to a remote server

Some variants, such as TrojanSpy:Win32/Shiotob.A, collect the following information about your PC:

  • Operating system version
  • Service pack
  • IP address
  • User access control (UAC) status (on or off)


It also gathers email addresses from your PC's Windows Address Book.

The collected information is sent to remote web servers. We have seen this malware try to connect to the following sites:

  • armyclub.netquickring.net
  • bodoyizu.com
  • ckirarhobrw.mrbasic.com
  • eotukposed.sendsmtp.com
  • ereso.net
  • evishop.net
  • firerice.com
  • genubajom.servegame.com
  • lahobenom.servegame.com
  • nepcuibeg.sytes.net
  • oraomana.cc
  • peertag.com
  • quickring.net
  • ricepad.net
  • rivadolti.sendsmtp.com
  • ropohexa.com
  • safeoil.net
  • tamnia.com
  • tekiharob.sytes.net
  • ufoconklpef.sytes.net
  • uvoceconeht.myftp.org


The remote server can also send further instructions to the malware, including:

  • Download and run files
  • Remove itself from the system
  • Update itself




Analysis by Jonathan San Jose

Symptoms

The following could indicate that you have this threat on your PC:
  • You receive these files as an attachment:
    • Booking_Hotel_Reservation_Details_<some strings>.zip
    • DHL-International-Delivery-Notification_<some strings>.zip
    • DHL-Worldwide-Delivery-Notification-<some strings>.zip
    • DHL_Express_POST-NOTIFICATION_<some strings>.zip
    • DHL_ONLINE_SHIPPING_PREALERT_<some strings>.zip
  • You have these files on your computer:
    • execoumixer.exe
    • playwd.exe
    • winquser.exe
    • winzhlp.exe
  • You see these entries or keys in your registry:


In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
Sets value: "Debugger"
With data: "<malware path>" for example C:\Windows\System32\execoumixer.exe

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random value name>", for example "winzhlp" or "winquser"
With data: "<malware path> -autorun", for example "%APPDATA%\winquser.exe -autorun"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\<version number>\<random string>
Sets value: (default)
With data: "<binary values>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Modifies value: "ProxyEnable"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Modifies value: "GlobalUserOffline"
With data: "0"

Last update 09 October 2013

 
