Trojan-Spy:W32/Small.BSL

Name : Trojan-Spy:W32/Small.BSL
Category:Malware
Type:Trojan-Spy
Platform:W32

Summary

Trojan-Spy applications are usually standalone programs that allow malicious individuals to monitor activity on infected computers.

Trojan-Spy:W32/Small.BSL installs a Browser Helper Object component designed to steal the certificates installed on the infected computer.

Additional Details

Creates the following registry entries (the component is registered as an in-process COM server and as a Browser Helper Object under the decoy name "Adobe Acrobat ActiveX Control"):

  • HKEY_CLASSES_ROOT\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\InprocServer32
(Default) = "C:\WINDOWS\system32\acrobat.dll"
ThreadingModel = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}
NoExplorer = 0x00000001 (1)
(NoExplorer = 1 prevents the BHO from loading in Windows Explorer, so it is only loaded by Internet Explorer)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Acrobat ActiveX Control = "Rundll32 acrobat.dll,AInit"

It also attempts to create the following registry key, which stores the address, port and path of the server it reports to:

  • HKEY_LOCAL_MACHINE\Software\Acrobat\
"1" = "124.217.251.118"
"2" = 0x00000050 (80)
"3" = "/NNN/parse.php"

It then drops a file into the following folder:

  •  %windir%\system32\

The dropped file is called acrobat.dll and is 51712 bytes in size.

The malware sets the hidden file attribute on acrobat.dll and changes the file's timestamps to the current system time.

Small.BSL then displays a fake/decoy dialog message (the dialog image is not reproduced here).

When the dialog box is closed, the malware searches for and terminates all running Internet Explorer processes. It then launches Internet Explorer as a hidden (windowless) process, which loads the malicious component through the BHO registration described above.

This malicious component runs as a Browser Helper Object (BHO) inside the Internet Explorer process.

Once Internet Explorer, and with it the BHO, is running, the malware attempts to communicate with a server at the following URL:

  • http://124.217.[REMOVED]/NNN/parse.php

The BHO has the following functionality:

  • Steals installed certificates
  • Deletes user cookie files
  • Updates itself
  • Deletes files from C:\Documents and Settings\%username%\Application Data\Macromedia\Flash Player\
  • Updates registry information
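The following triage script is an added example, not part of the original description or of any vendor tool: it checks a Windows host for the artifacts listed on this page (the CLSID and BHO registration, the Run value, the HKLM\Software\Acrobat configuration, the dropped acrobat.dll, and a windowless iexplore.exe process) and rebuilds the callback URL from the three configuration values so it can be blocked. The registry paths, CLSID, file name, file size and value names come from this page; the script's structure and its output format are this example's own assumptions.

```powershell
# Added triage example for Trojan-Spy:W32/Small.BSL artifacts (not from the original page).
# Artifact names and values are taken from the description; structure and output are assumed.
# Run from an elevated PowerShell prompt.

$Clsid    = '{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}'
$findings = New-Object System.Collections.Generic.List[string]

# HKCR is not mapped as a drive by default; map it so Test-Path works on CLSID keys.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# 1. COM registration of the component under the decoy CLSID
$inproc = "HKCR:\CLSID\$Clsid\InprocServer32"
if (Test-Path $inproc) {
    $dll = (Get-ItemProperty -Path $inproc).'(default)'
    $findings.Add("InprocServer32 present for $Clsid, (Default) = $dll")
}

# 2. Browser Helper Object registration (NoExplorer = 1 restricts loading to Internet Explorer)
$bho = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
if (Test-Path $bho) {
    $noExplorer = (Get-ItemProperty -Path $bho).NoExplorer
    $findings.Add("BHO registered: $bho (NoExplorer = $noExplorer)")
}

# 3. Run-key persistence: "Rundll32 acrobat.dll,AInit"
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Adobe Acrobat ActiveX Control']) {
    $findings.Add('Run value "Adobe Acrobat ActiveX Control" = ' + $run.'Adobe Acrobat ActiveX Control')
}

# 4. Callback configuration: value 1 = host, 2 = port (DWORD), 3 = path -> URL to block
$cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Acrobat' -ErrorAction SilentlyContinue
if ($cfg -and $cfg.PSObject.Properties['1']) {
    $url = 'http://{0}:{1}{2}' -f $cfg.'1', $cfg.'2', $cfg.'3'
    $findings.Add("Callback URL from HKLM\Software\Acrobat: $url")
}

# 5. Dropped file: -Force is required to see a file with the hidden attribute set
$path = Join-Path $env:windir 'system32\acrobat.dll'
$file = Get-Item -Path $path -Force -ErrorAction SilentlyContinue
if ($file) {
    $hidden = $file.Attributes.HasFlag([IO.FileAttributes]::Hidden)
    $findings.Add("File present: $path size=$($file.Length) hidden=$hidden")
    if ($file.Length -eq 51712) { $findings.Add('Size matches the 51712-byte sample described') }
}

# 6. Internet Explorer started as a hidden process has no main window
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object { $findings.Add("iexplore.exe PID $($_.Id) has no visible window") }

if ($findings.Count -eq 0) { 'No Small.BSL artifacts found.' } else { $findings }
```

On 64-bit Windows a 32-bit BHO registers under the Wow6432Node branches of HKLM\SOFTWARE and HKCR\CLSID, so check those paths as well. A file of the right name and size is only indicative, since the BHO can update itself; hash the file and submit it rather than relying on the size alone.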