
Worm:Win32/Boychi.A


First posted on 25 August 2012.
Source: Microsoft

Aliases:

Worm:Win32/Boychi.A is also known as BackDoor.DaVinci.1 (Dr.Web), Backdoor.Win32.Korablin.a (Kaspersky), TR/Spy.Bakefoe.A (Avira), W32.Crisis (Symantec).

Explanation:



Worm:Win32/Boychi.A is a password-stealing worm that is capable of spreading onto different platforms, including Windows mobile devices running WinCE, computers running the VMware virtual machine software, and USB drives.



Installation

Worm:Win32/Boychi.A may be downloaded from malicious or compromised websites, possibly as a drive-by-download or via an exploit.

When run, Worm:Win32/Boychi.A drops six files, one of which is the worm's DLL component, into a randomly named folder under "%USERPROFILE%\local settings", using random file names. In the wild, we have observed two such folders and the following file names.

In "%USERPROFILE%\local settings\wxgj_b33":

  • bq1ipprr.6rs
  • expi7gss.r6v
  • lj8rkdqq.c7h
  • lvcy-c11.9gx
  • rlfekkbb.-cw
  • uanbpcnn.vlx

In "%USERPROFILE%\local settings\jlc3v7we":

  • 6eaqyffo.zik
  • eiynz1gd.cfp
  • izsroy7x.-mp
  • lunsa3ci.bz7
  • t2hbeam5.ouk
  • wep1xpbu.wa-


Note: %USERPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the User Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>" or "C:\Users\<user>". For Windows Vista and 7, the default location is "C:\Users\<user name>".

Worm:Win32/Boychi.A modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random>", for example "*d-WBqPP"
With data: "%SystemRoot%\System32\rundll32.exe %USERPROFILE%\local settings\<random folder>\<random DLL name>"

Note: %SystemRoot% refers to a variable location that is determined by the malware by querying the operating system. The default location for the SystemRoot folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Windows".
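The Run entry above is the artefact a defender can check for without waiting for a signature. The following Python example is added here and is not from the original page or from Microsoft: it classifies HKCU Run values, flagging rundll32.exe launches whose argument is a file under "local settings" with the 8-character folder, 8-character name and 3-character extension pattern of the samples listed above, and separately flagging any rundll32.exe DLL loaded from the user profile. The regexes and the SAMPLE_RUN_VALUES data are my assumptions and constructed sample input, not observed telemetry.

```python
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values (value name -> data). The first entry is modelled on the one
# described above; the other two are benign look-alikes. Not real telemetry.
SAMPLE_RUN_VALUES = {
    "*d-WBqPP": r"%SystemRoot%\System32\rundll32.exe %USERPROFILE%\local settings\wxgj_b33\lvcy-c11.9gx",
    "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
}

# Anything launched through rundll32.exe; the argument is the DLL (and
# optionally ",EntryPoint") it is asked to load.
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<target>.+)$", re.IGNORECASE)

# Assumed shape of the dropped path, derived from the names observed above:
# a folder under "local settings" with an 8-character random name, then an
# 8-character random file name with a 3-character random extension
# (e.g. wxgj_b33\lvcy-c11.9gx). The alphabet [a-z0-9_-] covers every sample.
BOYCHI_PATH_RE = re.compile(
    r"\\local settings\\[a-z0-9_-]{8}\\[a-z0-9_-]{8}\.[a-z0-9_-]{3}$", re.IGNORECASE
)

# Legitimate rundll32 autostart entries normally load DLLs from %SystemRoot%;
# a DLL under the user's profile is worth a look even if the names differ.
PROFILE_DIRS = ("\\local settings\\", "\\appdata\\")


def classify(data: str):
    """Return a verdict for one Run value's data, or None if nothing stands out."""
    m = RUNDLL32_RE.search(data)
    if not m:
        return None
    target = m.group("target").strip().strip('"')
    if BOYCHI_PATH_RE.search(target):
        return "boychi-like"
    if any(d in target.lower() for d in PROFILE_DIRS):
        return "rundll32-from-profile"
    return None


def flag_suspicious_run_entries(values: dict) -> dict:
    """Map each suspicious Run value name to its verdict."""
    return {name: v for name, data in values.items() if (v := classify(data))}


if __name__ == "__main__":
    for name, verdict in flag_suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print(f"{verdict}: {name!r} -> {SAMPLE_RUN_VALUES[name]}")
```

On a live Windows host the same functions can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or of Python's winreg module; a "rundll32-from-profile" hit needs manual review, since some legitimate installers also autostart DLLs from AppData.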

Spreads via...

Removable drives

Worm:Win32/Boychi.A copies itself to the following devices that are connected to your computer:

  • Windows mobile device running WinCE
  • USB drives


Worm:Win32/Boychi.A also copies itself to VMware virtual machines.

The worm then writes an Autorun configuration file named "autorun.inf" on removable drives, pointing to the worm copy.

It should also be noted that "autorun.inf" files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.

Payload

Injects code into processes

The malware injects the dropped DLL component into every running process it can access. The same DLL is loaded through the system process "rundll32.exe" at each Windows start, via the registry entry described above.

Steals sensitive information

The malware attempts to steal logon credentials from a number of different sources, which it sends to a remote host.

Note: At the time of analysis we were unable to determine the list of remote hosts.

Worm:Win32/Boychi.A may target the following sources for logon credentials:

  • Chat clients
      • Trillian
      • Yahoo
      • MSN
      • AIM
      • Google Talk
      • Skype
  • Browsers
      • Internet Explorer
      • Chrome
      • Firefox
      • Opera
  • Mail clients
      • Outlook
      • Mozilla Thunderbird


Worm:Win32/Boychi.A may also capture additional information about your computer, including the following:

  • Your operating system information
  • Your Internet browsing history
  • Your clipboard data
  • Keystrokes
  • Video/voice and screenshots




Analysis by Patrick Estavillo

Last update 25 August 2012
