This malware is also mentioned in our Labs Weblog:
The actual exploit is performed by a shortcut (.LNK) file detected as Exploit:W32/Wormlink.B. On execution, the exploit loads the downloader component (the actual file detected as Trojan-Downloader:W32/Chymine.A) from a folder shared over the Internet:
The downloader in turn retrieves an EXE file (detected as Trojan-Spy:W32/Chymine.A) from a remote site:
The EXE is saved to a temporary file. During execution, the malware creates a file on the system, into which the downloaded bin.exe drops a DLL file, the actual keylogger component. In the sample we analyzed, the created file was:
The file name, in this instance, may be a random number. This DLL component (and its file) is also detected as Trojan-Spy:W32/Chymine.A.
In order to run, the keylogger component makes changes to a number of registry keys and injects code into a number of processes. The malware also creates the following launchpoints, which are involved in launching the keylogger component:
- HKLM\SYSTEM\CurrentControlSet\Services\Iprip\Parameters ServiceDll = .\5250~1\ by %windir%\system32\rundll32.exe [Launchpoint: ServiceDll]
- HKLM\System\CurrentControlSet\Services\Iprip ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs by %windir%\system32\services.exe [Launchpoint: Service]
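As an added defensive example (not part of the original description), the Python below scans a `reg export` of the Services hive and flags ServiceDll launchpoints of the kind described above: a relative path, an 8.3 short-name component such as `5250~1`, or a DLL outside `%SystemRoot%\system32`. The export text is constructed for the example, and the benign Dhcp entry and the heuristics are assumptions, not data from the page.

```python
import re

# Constructed sample in the text format produced by
# "reg export HKLM\SYSTEM\CurrentControlSet\Services" (assumed benign Dhcp entry,
# plus the Iprip launchpoint values quoted on the page). In a .reg file each
# backslash inside a string value is written as "\\".
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\dhcpcore.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters]
"ServiceDll"=".\\5250~1\\"
'''

SHORT_NAME = re.compile(r'~\d+(\\|$)')                     # 8.3 component like 5250~1
ABSOLUTE = re.compile(r'^(%\w+%|[A-Za-z]:|\\\\)')          # %VAR%, drive letter or UNC
SYSTEM32_DLL = re.compile(r'^%(systemroot|windir)%\\system32\\[^\\]+\.dll$', re.I)

def servicedll_reasons(path):
    """Return the heuristic reasons a ServiceDll value looks suspicious (empty = clean)."""
    reasons = []
    if SHORT_NAME.search(path):
        reasons.append("8.3 short-name component")
    if not ABSOLUTE.match(path):
        reasons.append("relative path")
    if not SYSTEM32_DLL.match(path):
        reasons.append("not a DLL under %SystemRoot%\\system32")
    return reasons

def parse_servicedlls(reg_text):
    """Yield (service name, unescaped ServiceDll value) pairs from a .reg export."""
    current, out = None, []
    for line in reg_text.splitlines():
        key = re.match(r'^\[(.+)\]$', line.strip())
        if key:
            current = key.group(1)
            continue
        val = re.match(r'^"ServiceDll"="(.*)"$', line.strip())
        if val and current:
            svc = re.search(r'\\Services\\([^\\]+)', current, re.I)
            out.append((svc.group(1) if svc else current, val.group(1).replace('\\\\', '\\')))
    return out

def find_suspicious_servicedlls(reg_text):
    """Return one finding per ServiceDll value that trips any heuristic."""
    return [{"service": s, "ServiceDll": p, "reasons": r}
            for s, p in parse_servicedlls(reg_text) if (r := servicedll_reasons(p))]

if __name__ == "__main__":
    for f in find_suspicious_servicedlls(SAMPLE_REG_EXPORT):
        print(f)
```

On a live system the same logic applies to the output of `reg export` for the Services key; on Windows versions where the RIP Listener exists, its legitimate ServiceDll is a DLL under system32, not a relative short-name path.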