Win32/Equdrug [Threat Name]
Win32/Equdrug.I [Threat Variant Name]
Category | trojan
Size | 573440 B
Aliases | Trojan.Grayphish (Symantec), Troj/Eqdrug-H (Sophos), TrojanDropper:Win32/Fetrog.A (Microsoft)
Short description
Win32/Equdrug.I is a trojan that steals sensitive information. The trojan can send the information to a remote machine. It can be controlled remotely.
Installation
The trojan does not create any copies of itself.
The trojan creates the following files:
- %systemroot%\system32\drivers\hrilib.sys
- %systemroot%\system32\drivers\msndsrv.sys
- %systemroot%\system32\drivers\ntevt.sys
- %temp%\INSTV4.BAT
- %systemroot%\temp\~yh56816.tmp
- %systemroot%\fonts\VGAFIXA1.FON
- C:\Windows\Temp\~yh56816.tmp
The trojan installs the following system drivers (path, name):
- %systemroot%\system32\drivers\hrilib.sys, hrilib
- %systemroot%\system32\drivers\msndsrv.sys, msndsrv
- %systemroot%\system32\drivers\ntevt.sys, ntevt
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hrilib]
- "DisplayName" = "hrilib"
- "ErrorControl" = 1
- "ImagePath" = "system32\Drivers\hrilib"
- "Start" = 2
- "Type" = 1
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msndsrv]
- "Config2" = %variable1%
- "DisplayName" = "msndsrv"
- "ErrorControl" = 1
- "Start" = 2
- "Type" = 1
- "ImagePath" = "system32\Drivers\msndsrv"
- "Group" = "SCSI Class"
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ntevt]
- "DisplayName" = "ntevt"
- "ErrorControl" = 1
- "Start" = 0
- "Type" = 1
- "ImagePath" = "system32\Drivers\ntevt"
A string with variable content is used instead of %variable1%.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys]
- "{42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}" = %malwareconfigurationdata1%
- "{A0CCDC61-7623-A425-7002-DB81F353945F-5A8ECFAD}" = %malwareconfigurationdata2%
- "{08DAB849-0E1E-A1F0-DCF1-457081E091DB-117DB663}" = %malwareconfigurationdata3%
- "1" = %malwareconfigurationdata4%
- "D" = %malwareconfigurationdata5%
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hrilib\Parameters]
- "Data" = %encryptedmalwarefileoritscomponent1%
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable2%\Parameters]
- "%variable3%" = %encryptedmalwarefileoritscomponent2%
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable4%\Parameters]
- "%variable5%" = %encryptedmalwarefileoritscomponent3%
- [HKEY_LOCAL_MACHINE\SYSTEM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\%variable6%]
- "%variable7%" = %encryptedmalwarefileoritscomponent4%
A string with variable content is used instead of %variable2-7%.
The following Registry entries are set:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1A03" = %value1%
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "ProxyServer" = %value2%
- "ProxyEnable" = %value3%
- "ProxyOveride" = %value4%
- "AutoConfigURL" = %value5%
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\%variable8%\Linkage]
- "UpperBind" = %value6%
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%variable9%\Linkage]
- "Route" = %value7%
- "Bind" = %value8%
- "Export" = %value9%
A string with variable content is used instead of %variable8-9%.
A variable numerical value or a string with variable content is used instead of %value1-9%.
The following file is dropped into the %temp% folder:
- INSTV4.BAT
The file is then executed.
To gain administrator access rights it attempts to exploit one of the following vulnerabilities:
- Windows Kernel Pointer Validation Vulnerability - CVE-2009-1124
- Windows Driver Class Registration Vulnerability - CVE-2009-1125
By exploiting this vulnerability, an attacker may be able to execute remote arbitrary code on a vulnerable system.
The trojan creates and runs a new thread with its own program code within the following processes:
- services.exe
The trojan executes the following files:
- %system%\cmd.exe
- %windir%\command.com
After the installation is complete, the trojan deletes the original executable file.
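A defender-side check for the artifacts listed in the Installation section, added here as an example and not part of ESET's description: it looks for the dropped files, the three driver services and the MemSubSys configuration values named on this page. It assumes an elevated PowerShell session on the live host being examined.

```powershell
# Added hunt script for the Win32/Equdrug.I artifacts listed on this page (not ESET tooling).
# File paths, service names and value names are copied from the description; run elevated.
function Find-EqudrugArtifacts {
    $ErrorActionPreference = 'SilentlyContinue'
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Files the trojan drops. The page lists %systemroot%\temp and C:\Windows\Temp separately;
    #    they normally resolve to the same folder, so a single path is checked here.
    $files = @(
        "$env:SystemRoot\system32\drivers\hrilib.sys",
        "$env:SystemRoot\system32\drivers\msndsrv.sys",
        "$env:SystemRoot\system32\drivers\ntevt.sys",
        "$env:TEMP\INSTV4.BAT",
        "$env:SystemRoot\temp\~yh56816.tmp",
        "$env:SystemRoot\fonts\VGAFIXA1.FON"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
    }

    # 2. Kernel-driver services registered for persistence.
    #    Type 1 = SERVICE_KERNEL_DRIVER; Start 2 = auto start (hrilib, msndsrv), Start 0 = boot start (ntevt).
    foreach ($svc in 'hrilib', 'msndsrv', 'ntevt') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $p = Get-ItemProperty -LiteralPath $key
        $findings.Add("service key: $svc Type=$($p.Type) Start=$($p.Start) ImagePath=$($p.ImagePath)")
        # hrilib keeps an encrypted component in Parameters\Data
        $params = Get-ItemProperty -LiteralPath "$key\Parameters"
        if ($params -and $params.Data) { $findings.Add("service key: $svc has Parameters\Data (length $($params.Data.Length))") }
    }

    # 3. Configuration blobs stored under Session Manager\MemSubSys with the value names from the page.
    $mem = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys'
    $names = @('{42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}',
               '{A0CCDC61-7623-A425-7002-DB81F353945F-5A8ECFAD}',
               '{08DAB849-0E1E-A1F0-DCF1-457081E091DB-117DB663}', '1', 'D')
    if (Test-Path -LiteralPath $mem) {
        $present = (Get-ItemProperty -LiteralPath $mem).PSObject.Properties.Name
        foreach ($n in $names) {
            if ($present -contains $n) { $findings.Add("MemSubSys value present: $n") }
        }
    }
    return $findings
}

$hits = Find-EqudrugArtifacts
if ($hits.Count -eq 0) { 'No Win32/Equdrug.I artifacts found.' } else { $hits }
```

Because the page notes the trojan uses rootkit techniques to hide its presence, a clean result on a live system is weaker evidence than the same check run against an offline copy of the disk and registry hives.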
Information stealing
Win32/Equdrug.I is a trojan that steals sensitive information.
The trojan collects the following information:
- login user names for certain applications/services
- login passwords for certain applications/services
- list of running processes
- network adapter information
- operating system version
- computer name
- user name
- language settings
- list of disk devices and their type
- memory status
The trojan can send the information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 5 URLs. The HTTP and TCP protocols are used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- execute shell commands
- monitor network traffic
- create Registry entries
- delete Registry entries
- various filesystem operations
- terminate running processes
- send gathered information
The trojan hooks the following Windows APIs:
- NdisMRegisterMiniport (ndis.sys)
- NdisMSendComplete (ndis.sys)
- EthFilterDprIndicateReceive (ndis.sys)
- socket (ws2_32.dll)
- closesocket (ws2_32.dll)
- bind (ws2_32.dll)
- connect (ws2_32.dll)
- send (ws2_32.dll)
- recv (ws2_32.dll)
- listen (ws2_32.dll)
- accept (ws2_32.dll)
- setsockopt (ws2_32.dll)
- getsockopt (ws2_32.dll)
- getsockname (ws2_32.dll)
- gethostbyaddr (ws2_32.dll)
- gethostbyname (ws2_32.dll)
- gethostname (ws2_32.dll)
- getaddrinfo (ws2_32.dll)
- getnameinfo (ws2_32.dll)
- getpeername (ws2_32.dll)
- shutdown (ws2_32.dll)
- ioctlsocket (ws2_32.dll)
- select (ws2_32.dll)
- sendto (ws2_32.dll)
- recvfrom (ws2_32.dll)
- WSADuplicateSocketA (ws2_32.dll)
- WSASocketA (ws2_32.dll)
The trojan might attempt to hide its presence in the system.
It uses techniques common to rootkits.