Trojan.Win32.VB.qms

by Atlantis on April 11th, 2013 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 135168 bytes
Language: Visual Basic
MD5: 3b342eeb7b7496b8c21b7dc1e8640eb6
SHA256: 02b10491765333205f8daaccd93d1a619c76c191419a4fe0b96647f94630a05b
Aliases: Trojan:Win32/Diacam.A (Microsoft), Trojan.Win32.Jorik.Mokes.cbk (Kaspersky), Win32/VB.QMS (ESET-NOD32), W32/VBagent.B.gen!Eldorado (F-Prot)

Summary

Trojan.Win32.VB.qms is a Trojan program designed to steal confidential data and to provide remote access to the computer without the user's knowledge or consent. The following are strings displayed in the file information:

Technical Details

Installation

When launched, the Trojan copies its executable file and saves it under the following name:

%Documents and Settings%\%Current User%\Application Data\india gamcaa\indiagamcaa.exe

To run automatically each time Windows boots, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

"indiagamcaaa" = "C:\Documents and Settings\test\Application Data\india gamcaa\indiagamcaa.exe"

The Trojan creates a command interpreter (batch) file under a random name:

%Temp%\<rnd>.bat

in which it stores the commands that modify the registry key. The Trojan then runs the BAT file via the command line and deletes it afterwards.

Payload

The Trojan performs the following HTTP request:

http://206.167.78.22/PostView.nhn?blogId=windowupdate&logNo=150110424974&parentCategoryNo=1&viewDate=&currentPage=1&listtype=0&userTopListOpen=false&userTopListCount=5&userTopListManageOpen=false&userTopListCurrentPage=undefined

The Trojan modifies Internet Explorer security zones as follows:

  • All URL addresses are mapped to the Intranet Zone;
  • All hosts reached bypassing the proxy server are mapped to the Intranet Zone;
  • All local hosts whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone.

The Trojan adds the following keys to the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

and removes the following registry key parameter:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The Trojan then injects its code into the address space of the following processes: "explorer.exe", "winlogon.exe". In addition, it injects part of its decrypted code into the address space of its own process, "indiagamcaa.exe". As a result, the Trojan can run with higher system privileges. The Trojan disables User Account Control (UAC) by resetting the following system registry parameter to "0":

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"

To provide remote access to the computer, the malware opens port 3360/TCP. The Trojan then tries to establish a network connection to the C&C server located at:

killerlgg.no-ip.biz:3360

When connecting to the C&C server, the Trojan sends the keyword "Password". Results of the operations performed by the Trojan are logged and stored encrypted in:

%Documents and Settings%\%Current User%\Application Data\Log.dat

The Trojan collects and steals the following confidential information:

  • Accounts and saved passwords in Mozilla Firefox, Opera, Google Chrome, Chromium and Internet Explorer.
  • Accounts and mail server settings in MS Outlook and Mozilla Thunderbird.
  • Confidential data of the Mozilla SeaMonkey application suite.
  • IM accounts of Pidgin and MSN.

To extract data from the encrypted Firefox "signons.sqlite" database, the malware uses the Mozilla crypto API (PK11_GetInternalKeySlot, PK11_Authenticate, NSSBase64_DecodeBuffer, PK11SDR_Decrypt).

The malicious program acts as a network bot that can perform the following actions depending on the command sent by the C&C server:

  • Act as a proxy server.
  • Perform HTTP requests.
  • Download and execute executable files.
  • Capture a screenshot of the desktop.
  • Log keystrokes.
  • Perform operations on windows.
  • Terminate specified processes.

The malware resists attempts to terminate its process: if a user tries to end the process from Task Manager, a BSOD occurs and the system reboots.

Removal Recommendations

  1. Boot the system in Safe Mode.
  2. Delete the following parameter of the registry autorun key ("How to Work with System Registry"):
     [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
     "indiagamcaaa" = "C:\Documents and Settings\test\Application Data\india gamcaa\indiagamcaa.exe"
  3. Delete the following folder and all its contents:
     %Documents and Settings%\%Current User%\Application Data\india gamcaa
  4. Restore the Internet Explorer Zone settings.
  5. Delete the following file:
     %Documents and Settings%\%Current User%\Application Data\Log.dat
  6. If required, re-enable UAC by setting the following parameter to "1":
     [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
     "EnableLUA"
  7. Change any account passwords that may have been saved in web browsers, IM and email clients.
  8. Clean the Temporary Internet Files folder, which contains infected files ("How to clean Temporary Internet Files folder").
  9. Run a full scan of your computer using an antivirus program with an up-to-date definition database ("Download Ad-Aware Free").
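As an added example that is not part of the original description, the following read-only PowerShell audit checks a host for the indicators described above (the autorun value, the dropped files, the TCP 3360 listener, the IE ZoneMap and proxy values, and EnableLUA) before the removal steps are applied. The split into "strong" and "corroborating" indicators is the editor's assumption, since the zone and UAC values also occur on legitimately configured hosts.

```powershell
# Added audit script, not part of the original description: read-only check of a
# Windows host for the Trojan.Win32.VB.qms indicators listed above. Run as admin.
$strong = @()   # indicators specific enough to act on by themselves
$weak   = @()   # settings that also occur on legitimately configured hosts

# Autorun value and dropped files (names and paths taken from the description)
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['indiagamcaaa']) {
    $strong += "Run value 'indiagamcaaa' -> $($run.indiagamcaaa)"
}
$appData = [Environment]::GetFolderPath('ApplicationData')   # current user's Application Data
foreach ($p in @("$appData\india gamcaa\indiagamcaa.exe", "$appData\Log.dat")) {
    if (Test-Path -LiteralPath $p) { $strong += "File present: $p" }
}

# Listener on the port the Trojan opens for remote access
$listen = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:3360\s+\S+\s+LISTENING'
if ($listen) {
    $strong += "TCP port 3360 listening: $(($listen | ForEach-Object { $_.Line.Trim() }) -join '; ')"
}

# IE ZoneMap / proxy values the Trojan writes, plus the UAC switch it resets.
# Each of these is a legitimate setting on some hosts, so they only corroborate.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$checks  = @(
    @{ Path = $zoneMap; Name = 'UNCAsIntranet'; Bad = 1 },
    @{ Path = $zoneMap; Name = 'ProxyBypass';   Bad = 1 },
    @{ Path = $zoneMap; Name = 'IntranetName';  Bad = 1 },
    @{ Path = $inet;    Name = 'ProxyEnable';   Bad = 0 },
    @{ Path = $inet;    Name = 'MigrateProxy';  Bad = 1 },
    @{ Path = $policy;  Name = 'EnableLUA';     Bad = 0 }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) { $weak += "$($c.Name) = $v  [$($c.Path)]" }
}

# Report: strong indicators justify the removal steps; weak ones alone justify a closer look.
if ($strong.Count -eq 0 -and $weak.Count -eq 0) { 'No Trojan.Win32.VB.qms indicators found.'; return }
'Strong indicators:';       $strong | ForEach-Object { " - $_" }
'Corroborating settings:';  $weak   | ForEach-Object { " - $_" }
```

The script only reads the registry, file system and netstat output; removal of the autorun value, folder and log file follows the numbered steps above.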