Win32/Boychi [Threat Name]

Win32/Boychi.A [Threat Variant Name]

Category worm
Size 1043456 B
Detection created Jul 27, 2012
Detection database version 7333
Aliases Win32/Boychi.A (Microsoft)
  Trojan.Dropper (Symantec)
  Variant.Kazy.81085 (BitDefender)
Short description

Win32/Boychi.A is a worm that steals passwords and other sensitive information. The worm attempts to send gathered information to a remote machine. It uses techniques common for rootkits.

Installation

When executed, the worm creates the following files:

  • %localsettings%\jlc3V7we\IZsROY7X.-MP
  • %localsettings%\jlc3V7we\t2HBeaM5.OUk
  • %localsettings%\jlc3V7we\WeP1xpBU.wA-
  • %localsettings%\jlc3V7we\6EaqyFfo.zIK
  • %localsettings%\jlc3V7we\eiYNz1gd.Cfp
  • %localsettings%\jlc3V7we\lUnsA3Ci.Bz7

The worm may create copies of the following files (source, destination):

  • %system%\pstorec.dll, %localsettings%\jlc3V7we\hypn4cqI.HSC
  • %mozillafirefoxrootfolder%\mozcrt19.dll, %localsettings%\jlc3V7we\mozcrt19.dll
  • %mozillafirefoxrootfolder%\mozutils.dll, %localsettings%\jlc3V7we\mozutils.dll
  • %mozillafirefoxrootfolder%\mozglue.dll, %localsettings%\jlc3V7we\mozglue.dll
  • %mozillafirefoxrootfolder%\nspr4.dll, %localsettings%\jlc3V7we\nspr4.dll
  • %mozillafirefoxrootfolder%\plds4.dll, %localsettings%\jlc3V7we\plds4.dll
  • %mozillafirefoxrootfolder%\plc4.dll, %localsettings%\jlc3V7we\plc4.dll
  • %mozillafirefoxrootfolder%\nssutil3.dll, %localsettings%\jlc3V7we\nssutil3.dll
  • %mozillafirefoxrootfolder%\sqlite3.dll, %localsettings%\jlc3V7we\sqlite3.dll
  • %mozillafirefoxrootfolder%\mozsqlite3.dll, %localsettings%\jlc3V7we\mozsqlite3.dll
  • %mozillafirefoxrootfolder%\softokn3.dll, %localsettings%\jlc3V7we\softokn3.dll
  • %mozillafirefoxrootfolder%\nss3.dll, %localsettings%\jlc3V7we\nss3.dll
  • %mozillafirefoxrootfolder%\freebl3.dll, %localsettings%\jlc3V7we\freebl3.dll
  • %mozillafirefoxrootfolder%\nssdbm3.dll, %localsettings%\jlc3V7we\nssdbm3.dll

The worm installs the following system driver:

  • %systemroot%\system32\drivers\ndisk.sys

In order to be executed on every system start, the worm modifies the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "*J7PugHy" = "%system%\rundll32.exe "%localsettings%\jlc3V7we\IZsROY7X.-MP",F1dd208"
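As an added detection check that is not part of the original write-up, the Python below reads a constructed sample of Run-key values (the Boychi.A value quoted above plus two invented benign entries) and flags the traits of this persistence entry: a '*' prefix on the value name, rundll32 loading a file without a .dll extension, and a target under a user-writable folder. The sample values, the helper names and the use of the write-up's %localsettings% placeholder are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
# The first entry is the Win32/Boychi.A value from the write-up (%localsettings%
# is the write-up's placeholder for the Local Settings folder, not a real
# environment variable); the other two are invented benign entries for contrast.
SAMPLE_RUN_VALUES = {
    "*J7PugHy": '%system%\\rundll32.exe "%localsettings%\\jlc3V7we\\IZsROY7X.-MP",F1dd208',
    "OneDrive": '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Updater": '%system%\\rundll32.exe "C:\\Program Files\\Vendor\\update.dll",RunUpdate',
}

# Matches: [path\]rundll32[.exe] "<dll>",<export>   (quotes optional)
RUNDLL32_RE = re.compile(
    r'(?i)^(?:"?[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)'
)

# Folder hints a standard user can write to; a DLL loaded from here needs a second look.
USER_WRITABLE_HINTS = ("%localsettings%", "%appdata%", "%temp%", "\\appdata\\", "\\temp\\")


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)


def assess_run_value(name: str, value: str) -> Finding:
    """Apply the persistence traits from the write-up as heuristics; empty reasons = not flagged."""
    f = Finding(name)
    # A Run value whose name begins with '*' is also started in Safe Mode; benign software rarely uses it.
    if name.startswith("*"):
        f.reasons.append("value name begins with '*' (started even in Safe Mode)")
    m = RUNDLL32_RE.match(value.strip())
    if m:
        dll = m.group("dll")
        if not dll.lower().endswith(".dll"):
            f.reasons.append(f"rundll32 target has a non-DLL extension: {dll}")
        if any(h in dll.lower() for h in USER_WRITABLE_HINTS):
            f.reasons.append(f"rundll32 target sits in a user-writable folder: {dll}")
    return f


def scan_run_values(values: dict) -> dict:
    """Return {value name: reasons} for every entry that triggered at least one heuristic."""
    findings = (assess_run_value(n, v) for n, v in values.items())
    return {f.name: f.reasons for f in findings if f.reasons}


if __name__ == "__main__":
    for name, reasons in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(name, *("  - " + r for r in reasons), sep="\n")
```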

The worm creates and runs a new thread with its own program code in all running processes.

Information stealing

The worm gathers e-mail addresses from all local files.

Win32/Boychi.A tries to obtain information from the contact list of the affected user.

The worm collects information related to the following applications:

  • Microsoft Internet Explorer
  • Mozilla Firefox
  • Opera
  • Google Chrome
  • Microsoft Outlook
  • Mozilla Thunderbird
  • Windows Live Mail
  • Paltalk
  • Googletalk
  • Trillian
  • Skype

The following information is collected:

  • screenshots
  • a list of recently visited URLs
  • data from the clipboard
  • e-mail addresses
  • Windows Protected Storage passwords and credentials
  • information about the operating system and system settings
  • list of running processes
  • login user names for certain applications/services
  • login passwords for certain applications/services

The worm attempts to send gathered information to a remote machine. The worm contains a list of (1) IP addresses.

Other information

The worm hides its presence in the system.

It can execute the following operations:

  • various file system operations
  • log keystrokes
  • capture webcam video/voice
  • capture screenshots
  • spread via IM networks
  • create copies of itself on mobile devices (Microsoft Windows CE), USB drives, VMware systems

The worm hooks the following Windows APIs:

  • CreateProcessA (kernel32.dll)
  • CreateProcessW (kernel32.dll)
  • CreateProcessAsUserA (advapi32.dll)
  • CreateProcessAsUserW (advapi32.dll)
  • CreateProcessAsUserW (kernel32.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • ReadDirectoryChangesW (kernel32.dll)
  • NtQuerySystemInformation (ntdll.dll)
  • NtDeviceIoControlFile (ntdll.dll)
  • NtEnumerateValueKey (ntdll.dll)
  • NtQueryKey (ntdll.dll)
  • SendMessageW (user32.dll)
  • SetWindowTextW (user32.dll)
  • CreateWindowExA (user32.dll)
  • CreateWindowExW (user32.dll)
  • waveOutWrite (winmm.dll)
  • waveInAddBuffer (winmm.dll)
  • SendMessageTimeoutA (user32.dll)
  • SendMessageTimeoutW (user32.dll)
  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • CreateFileW (kernel32.dll)
  • DeleteFileW (kernel32.dll)
  • MoveFileW (kernel32.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • PeekMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • ImmGetCompositionStringW (imm32.dll)
  • ReadConsoleInputA (kernel32.dll)
  • ReadConsoleInputW (kernel32.dll)
  • ReadConsoleA (kernel32.dll)
  • ReadConsoleW (kernel32.dll)
  • ReadConsoleInputExA (kernel32.dll)
  • ReadConsoleInputExW (kernel32.dll)
  • CreateDCW (gdi32.dll)
  • CreateDCA (gdi32.dll)
  • DeleteDC (gdi32.dll)
  • StartDocW (gdi32.dll)
  • StartDocA (gdi32.dll)
  • StartPage (gdi32.dll)
  • EndPage (gdi32.dll)
  • EndDoc (gdi32.dll)
  • SetAbortProc (gdi32.dll)
  • GetDeviceCaps (gdi32.dll)
