Win32/AutoRun.Spy.Ambler [Threat Name]

Win32/AutoRun.Spy.Ambler.CI [Threat Variant Name]

Category: trojan, worm
Size: 68096 B
Detection created: Dec 19, 2010
Detection database version: 5716
Aliases: Trojan.Win32.Agent2.czrl (Kaspersky), Worm:Win32/Ambler.A (Microsoft), Trojan.Siggen2.12163 (Dr.Web)
Short description

Win32/AutoRun.Spy.Ambler.CI is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan creates the following files:

  • %appdata%\Sun\fkhneec.dll (36352 B)
  • %appdata%\Sun\wsfxq
  • %appdata%\Sun\fkhneec_shrd

The trojan may create the following files:

  • %appdata%\Sun\crff.txt
  • %appdata%\Sun\xkelf.txt
  • %appdata%\Sun\ffefx.txt
  • %appdata%\Sun\rwbbr.txt
  • %appdata%\Sun\cetw.txt
  • %appdata%\Sun\vntw.txt
  • %appdata%\Sun\vwvn.txt
  • %appdata%\Sun\lfmt.txt
  • %appdata%\Sun\cngrh.txt
  • %appdata%\Sun\mogr.txt
  • %appdata%\Sun\oietr.txt
  • %appdata%\Sun\mxd1.txt

The trojan loads and injects the %appdata%\fkhneec.dll library into the following processes:

  • iexplore.exe
  • firefox.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "lpc" = "rundll32.exe "%appdata%\Sun\fkhneec.dll", RegisterDll"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{24EA4F28-B636-43C1-BCE6-F287B56E42D2}]
    • "(Default)" = "Transaction Manager"
    • "Locale" = "EN"
    • "StubPath" = "rundll32.exe "%AppData%\Sun\fkhneec.dll", UnregisterDll"
    • "IsInstalled" = 1
    • "Version" = "4,3,6,3"
  • [HKEY_CURRENT_USER\Software\Microsoft\Clock]
    • "D1" = 79 74 7D 71 7C 62 7C 74 66 64 70 78 26 76 73 3A 7C 78 72 7A 39 7A 70 61 72 7A 7A 70 70 64
    • "D2" = 66 70 65 26
    • "D3" = 66 70 65 27
    • "pr" = 7C 61 62 64 2F 39 3B 6F 7E 7B 72 72 7D 74 78 75 3B 7F 7A 73 79 3B 7B 73 63 73 79 78 71 73 66
  • [HKEY_CURRENT_USER\Software\Microsoft\Clock\0]
    • "knhbc" = "17052011_034509_105437"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "TabProcGrowth" = 0
    • "NoProtectedModeBanner" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security]
    • "DisableFixSecuritySettings" = 1
    • "DisableSecuritySettingsCheck" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
    • "Enabled" = 0
    • "EnabledV8" = 0
    • "ShownVerifyBalloon" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "2500" = 3
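
As an added host-triage example (not part of the ESET write-up), the following PowerShell reads only the file and Registry locations listed above and reports those that match this variant's artifacts; it assumes the paths and value names exactly as the page gives them and changes nothing on the system.

```powershell
# Read-only check for the Win32/AutoRun.Spy.Ambler.CI artifacts listed on this page.
# Added example, not ESET's code. Run in the context of the user profile being examined.
$findings = @()

# 1. Dropped files. Only the specific file names are checked: the %appdata%\Sun
#    directory itself is also used by legitimate Java installs, so its presence alone proves nothing.
$sunDir = Join-Path $env:APPDATA 'Sun'
foreach ($name in 'fkhneec.dll', 'wsfxq', 'fkhneec_shrd', 'crff.txt') {
    $p = Join-Path $sunDir $name
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# 2. Run-key persistence: value "lpc" launching rundll32 with fkhneec.dll
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.lpc -match 'fkhneec\.dll') {
    $findings += "Run key 'lpc' = $($run.lpc)"
}

# 3. Active Setup component with the GUID from the write-up (machine-wide, re-runs per user logon)
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{24EA4F28-B636-43C1-BCE6-F287B56E42D2}'
if (Test-Path -LiteralPath $asKey) {
    $stub = (Get-ItemProperty -LiteralPath $asKey).StubPath
    $findings += "Active Setup component present, StubPath = $stub"
}

# 4. The trojan's own data key, plus the Internet Explorer protections it switches off.
#    Zone value 2500 = 3 disables Protected Mode for that zone.
if (Test-Path -LiteralPath 'HKCU:\Software\Microsoft\Clock') { $findings += 'HKCU\Software\Microsoft\Clock exists' }
$ieChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Security'; Name = 'DisableSecuritySettingsCheck'; Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Security'; Name = 'DisableFixSecuritySettings'; Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'Enabled'; Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'TabProcGrowth'; Bad = 0 }
)
foreach ($z in 1..4) {
    $ieChecks += @{ Key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"; Name = '2500'; Bad = 3 }
}
foreach ($c in $ieChecks) {
    $v = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq $c.Bad) { $findings += "$($c.Key)\$($c.Name) = $($c.Bad)" }
}

if ($findings.Count -eq 0) { 'No Ambler.CI artifacts found.' } else { $findings }
```

A single IE setting in the last group can also be the result of user or policy configuration; the file drops, the "lpc" Run value and the Active Setup GUID are the findings that identify this variant.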

Other information

The trojan collects sensitive information when the user browses certain web sites.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

It can execute the following operations:

  • run executable files
  • log keystrokes
  • steal information from the Windows clipboard
  • remove itself from the infected computer
  • delete cookies
  • send gathered information

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • cookies
  • digital certificates

The collected information is stored in the following file:

  • %appdata%\Sun\crff.txt

The trojan may delete the following files:

  • C:\NTDETECT.COM
  • C:\ntldr
  • %appdata%\Sun\crff.txt
  • %appdata%\Sun\xkelf.txt
  • %appdata%\Sun\ffefx.txt
  • %appdata%\Sun\rwbbr.txt
  • %appdata%\Sun\cetw.txt
  • %appdata%\Sun\vntw.txt
  • %appdata%\Sun\vwvn.txt
  • %appdata%\Sun\lfmt.txt
  • %appdata%\Sun\cngrh.txt
  • %appdata%\Sun\mogr.txt
  • %appdata%\Sun\oietr.txt
  • %appdata%\Sun\mxd1.txt
