Win32/ShipUp [Threat Name]

Win32/ShipUp.A [Threat Variant Name]

Category: trojan, worm
Size: 102400 B
Aliases: Trojan.Win32.ShipUp.bka (Kaspersky), Win32:Dropper-gen (Avast)
Short description

Win32/ShipUp.A is a worm that spreads via removable media. The worm collects various sensitive information.

Installation

When executed, the worm copies itself to the following location:

  • %personal%\Visual Studio 2005\MSDEV\FoxPro\VFP6.exe (102400 B, Win32/ShipUp.A)

The worm creates the following files:

  • %startup%\VFP6.lnk
  • %startup%\Visual Studio.lnk

These are shortcuts to files of the worm. This causes the worm to be executed on every system start.


The worm creates the following files:

  • %personal%\Visual Studio 2005\MSDEV\IDE\MSDEV.exe (61440 B, Win32/ShipUp.A)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\ShipTr]
    • "lnk" = "WGQ7/mol"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\ShipUp]
    • "lnk" = "Wjtvbm!Tuvejp/mol"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
    • "NoDriveTypeAutoRun" = 159
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "HideFileExt" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
    • "CheckedValue" = 4294967295
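
The two "lnk" values above turn back into the shortcut names from the %startup% list when every character is shifted down by one code point. The script below is an added example (not ESET's code): it walks a constructed registry snapshot, reports which of the entries listed above are present, and decodes the "lnk" values; the snapshot format (key path mapped to name/value pairs) is an assumption made for the example.

```python
# Added example: look for the Win32/ShipUp.A registry entries listed in the
# write-up and decode the "lnk" values. The snapshot format (key path -> {name: value})
# is an assumption for this example; the sample at the bottom is constructed.
from typing import Any, Dict, List


def decode_lnk_value(encoded: str) -> str:
    """Shift every character back by one code point ("WGQ7/mol" -> "VFP6.lnk")."""
    return "".join(chr(ord(c) - 1) for c in encoded)


# Indicators taken from the write-up: (key path, value name, expected value).
# The two Explorer\Advanced entries are also common on clean machines, so on their
# own they are weak indicators; the ShipTr/ShipUp keys are the specific ones.
SHIPUP_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\ShipTr", "lnk", "WGQ7/mol"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\ShipUp", "lnk", "Wjtvbm!Tuvejp/mol"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer", "NoDriveTypeAutoRun", 159),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 2),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", 0),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt", "CheckedValue", 4294967295),
]


def find_shipup_indicators(snapshot: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return one finding per matching indicator; key paths are compared case-insensitively."""
    lowered = {key.lower(): values for key, values in snapshot.items()}
    findings: List[str] = []
    for key, name, expected in SHIPUP_INDICATORS:
        values = lowered.get(key.lower(), {})
        if name in values and values[name] == expected:
            detail = f"{key}\\{name} = {expected!r}"
            if name == "lnk":
                detail += f" (decodes to {decode_lnk_value(expected)!r})"
            findings.append(detail)
    return findings


# Constructed sample: what an infected host's snapshot might look like (not a real export).
SAMPLE_SNAPSHOT = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\ShipTr": {"lnk": "WGQ7/mol"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\ShipUp": {"lnk": "Wjtvbm!Tuvejp/mol"},
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"Hidden": 2, "HideFileExt": 1},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL": {"CheckedValue": 0},
}

if __name__ == "__main__":
    for finding in find_shipup_indicators(SAMPLE_SNAPSHOT):
        print(finding)
```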

The worm creates the following folders:

  • %personal%\Visual Studio 2005\MSDEV\FoxPro\Docs
  • %personal%\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf

Spreading on removable media

Win32/ShipUp.A is a worm that spreads via removable media.

The worm creates the following folders:

  • %drive%\Recycled\
  • %drive%\XP-Update\

The worm creates the following files:

  • %drive%\keybd.exe (32768 B, Win32/ShipUp.A)
  • %drive%\Recycled\desktop.ini
  • %drive%\autorun.inf

The AUTORUN.INF file contains the path to the malware executable. Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm creates copies of the following files (source, destination):

  • %personal%\Visual Studio 2005\MSDEV\FoxPro\VFP6.exe, %drive%\XP-Update\%variable1%
  • %personal%\Visual Studio 2005\MSDEV\IDE\MSDEV.exe, %drive%\XP-Update\%variable2%
  • %personal%\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf\ldmap.txt, %drive%\Recycled\%computername%\ldmap.txt
  • %personal%\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf\ldsysinfo.txt, %drive%\Recycled\%computername%\ldsysinfo.txt
  • %personal%\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf\%stolenfile%, %drive%\Recycled\%computername%\%stolenfile%

A string with variable content is used instead of %variable1-2%.

Information stealing

Win32/ShipUp.A is a worm that steals sensitive information.

The worm collects the following information:

  • file(s) content
  • computer name
  • computer IP address
  • operating system version
  • language settings
  • list of shared folders
  • list of running processes
  • list of files/folders on a specific drive

The data is saved in the following files:

  • %personal%\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf\ldmap.txt
  • %personal%\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf\ldsysinfo.txt

The worm searches for files with the following file extensions:

  • .doc
  • .docx
  • .max
  • .pdf
  • .pgp
  • .rhs
  • .rtf
  • .tif
  • .wpd

Only the following folders are searched:

  • %personal%
  • %desktop%

The worm compresses each found file into a ZIP archive.

The file is stored in the following location:

  • %personal%\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf\%stolenfile%

Other information

The worm may delete the following files:

  • %personal%\Visual Studio 2005\MSDEV\FoxPro\Docs\Info.txt
  • %personal%\Visual Studio 2005\MSDEV\FoxPro\Docs\ldmap.txt
