
Trojan-Spy:W32/Montp

Classification

Category: Malware

Type: Trojan-Spy

Aliases: Montp.F, TrojanSpy.Win32.Montp.f

Summary


A trojan that secretly installs spy programs, such as keyloggers.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.


Technical Details


Trojan-Spy:W32/Montp identifies a data-stealing trojan that collects log-in details from customers of numerous on-line banks and sends them to the attacker by uploading specially formatted files to an FTP server. The trojan can also download and run additional files from FTP and HTTP servers, and it uses stealth techniques to hide its files and Registry keys. The first Montp variant was discovered in April 2004; the latest, Montp.F, was found on 6-7 June 2004.

Installation

The trojan's main file is a PE executable, 44032 bytes long, packed with the PECompact file compressor. It drops an unpacked DLL 241664 bytes long. When the executable is run it installs itself to the system: it copies itself under a randomly generated name (for example 'adpgcjca.exe') into a subfolder named 'qmin' of the Windows System folder, then drops a DLL named 'qmin2.dll' into the Windows System folder and activates it. This DLL hooks certain APIs in order to intercept HTTPS requests; because the interception happens inside the application rather than on the network, the DLL sees the submitted form data in clear text regardless of TLS. The DLL also hides the malware's files and Registry keys (stealth).

The trojan also creates the file 'xtempx.xxx' in the Windows System folder.

Data Theft

The dropped DLL component checks whether the user opens any of the following URLs over HTTPS (the bank names have been removed from this list; only the domain suffixes are shown):

  • .co.uk
  • .co.uk
  • .com
  • .tv
  • .com
  • .com
  • .com.au
  • .com.au
  • .com
  • .co.uk
  • .co.uk
  • .com
  • .co.uk
  • .co.uk
  • .co.uk
  • .com
  • .com.au
  • .com
  • .com
  • .co.nz
  • .com
  • .com
  • .com
  • .se
  • .com.vn
  • .com
  • .com
  • .com
  • .de
  • .com
  • .com
  • .com
  • .com.hk
  • .com
  • .com
  • .com
  • .com
  • .com.au
  • .com
  • .de
  • .com.my
  • .com.my
  • .de
  • .com.au
  • .com
  • .net.au
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com.au
  • .com
  • .de
  • .de
  • .com.hk
  • .com
  • .com
  • .com
  • .com
  • .com.au
  • .com
  • .co.nz
  • .co.nz
  • .com
  • .com.au
  • .com.au
  • .com
  • .com

If the user opens any of those URLs (most of which belong to on-line banks), the DLL writes the captured data to a file named after the site; for several of the URLs it uses one shared file instead. The following files are created (again with the bank names removed):

  • _co_uk.pst
  • _co_uk.pst
  • _com.pst
  • .pst
  • _com.pst
  • .pst
  • _com_au.pst
  • _com_au.pst
  • _com.pst
  • _CO_UK.pst
  • _CO_UK.pst
  • _COM.pst
  • _CO_UK.pst
  • _co_uk.pst
  • _co_uk.pst
  • instant1f.pst (used for several URLs)

The DLL also checks every URL for any of the following substrings. Note that several entries are very broad ('mail', 'game', 'music', '.edu', '.com', '.com.au'), so in practice a large share of all web traffic is captured:

  • zwallet.com
  • .cl
  • .ru
  • .ua
  • .o2.co.uk
  • ytv.com
  • yourastrologysite.com
  • .edu
  • yes.com.hk
  • yagma.com
  • mail
  • serviticket.com
  • sierraclub.org
  • wrem.sis.yorku.ca
  • worth1000.com
  • worldwinner.com
  • delawarenorth.com
  • .bg
  • uwaterloo.ca
  • t-mobile.com
  • .ac.uk
  • willhill.com
  • bigpond.net.au
  • intel.com
  • webzdarma.cz
  • nwa.com
  • sap-ag.de
  • guidehome.com
  • microsoft.com
  • .il
  • .ust.hk
  • .fi
  • .ac.nz
  • .sk
  • .ac.at
  • unb.ca
  • ubc.ca
  • sheridanc.on.ca
  • queensu.ca
  • mcmaster.ca
  • mcgill.ca
  • carleton.ca
  • douglas.bc.ca
  • .hr
  • comcast.net
  • webassign.net
  • there.com
  • uoguelph.ca
  • uottawa.ca
  • .jp
  • ych.com
  • icq.com
  • .tw
  • watchguard.com
  • walgreens.com
  • aircanada.ca
  • ibm.com
  • opusit.com.sg
  • vutbr.cz
  • vpost.com.sg
  • .md
  • vodafone
  • virginmobileusa.com
  • virginblue.com.au
  • mcafee.com
  • videotron.com
  • victoriassecret.com
  • veloz.com
  • vasa.slsp.sk
  • .com
  • uscitizenship.info
  • uscden.net
  • usafis.org
  • yesasia.com
  • ups.com
  • ucas.co.uk
  • uwindsor.ca
  • uoguelph.ca
  • unixcore.com
  • united.intranet.ual.com
  • preschoicefinancial.com
  • yorku.ca
  • trustinternational.com
  • trust1.com
  • trivita.com
  • travelcommunications.co.uk
  • travelclub.swiss.com
  • travel.priceline.com
  • travel.com.au
  • towerhobbies.com
  • game
  • hp.com
  • iprimus.com.au
  • iinet.net.au
  • music
  • ssdcl.com.sg
  • datasvit.net
  • starhubshop.com.sg
  • 012.net
  • stanfordalumni.org
  • .cz
  • tdcwww.net
  • tmi-wwa.com
  • tm.net.my
  • tirerack.com
  • ti.com
  • ultrastar.com
  • ticketmaster.com
  • three.com.hk
  • theaa.com
  • tepore.com
  • recruitsoft.com
  • freedom.net
  • telstra.com
  • telpacific.com.au
  • techdata.com
  • quickbooks.com
  • tbihosting.com
  • inlandrevenue.gov.uk
  • symantec
  • sony
  • .kz
  • dell
  • cablebg.net
  • supergo.com
  • look.ca
  • maximonline.com
  • streamload.com
  • apple.com
  • puma.com
  • a-net.com
  • webtrendslive.com
  • gigaisp.net
  • ihost.com
  • monster.com
  • .sok
  • lanck.net
  • farlep.net
  • .kr
  • speedera.net
  • kundenserver.de
  • ingrammicro.com
  • campoints.net
  • ains.com.au
  • srp.org.sg
  • sqnet.com.sg
  • adaptec.com
  • worldgaming.net
  • sportodds.com
  • sportingbet.com
  • spiritair.com
  • swamp.lan
  • soundclick.com
  • hkuspace.org
  • soccer.com
  • solo3..fi
  • snapfish.com
  • cometsystems.com
  • flextronics.com
  • esdlife.com
  • site-secure.com
  • singaporeair.com
  • sims.sfu.ca
  • simplyhotels.com
  • singnet.com.sg
  • silicon-power.com
  • signup.sprint.ca
  • shutterfly.com
  • shopundco.com
  • zoovy.com
  • go-fia.com
  • shoppersoptimum.ca
  • shopadmin.daum.net
  • o2online.de
  • ecompanystore.com
  • shkcorpws5.shkp.com
  • sfa.prudential.com.sg
  • hku.hk
  • vodafone.co.uk
  • cic.gc.ca
  • sfgov.org
  • rogers.com
  • macau.ctm.net
  • xs4all.nl
  • sympatico.ca
  • ariba.com
  • liveperson.net
  • sephora.com
  • senecac.on.ca
  • canon-europe.com
  • xtra.co.nz
  • t-mobile.co.uk
  • selfmgmt.com
  • securitymetrics.com
  • securewebexchange.com
  • western-inventory.com
  • playstation.com
  • imrworldwide.com
  • secureserver.net
  • secureordering.com
  • imrworldwide.com
  • securecart.net
  • wn.com.au
  • webeweb.net
  • mgm-mirage.com
  • w2express.com
  • vandyke.com
  • ubi.com
  • tsn.cc
  • trekblue.com
  • tickle.com
  • thewheelconnection.com
  • telusmobility.com
  • starbiz.net.sg
  • sparknotes.com
  • sparkart.com
  • sms.ac
  • billerweb.com
  • shaw.ca
  • safesite.com
  • register.com
  • oztralia.com
  • ordering.co.uk
  • orcon.net
  • optusnet.com.au
  • onlineaccess.net
  • oberon-media.com
  • nzqa.govt.nz
  • novuslink.net
  • nike.com.hk
  • netspeed.com.au
  • netfirms.com
  • netbilling.com
  • nai.com
  • nacelink.com
  • mysylvan.com
  • mouse2mobile.com
  • .com.au
  • lkw-walter.com
  • kent.net
  • reuters.com
  • intuitcanada.com
  • infusion-studios.com
  • indigosp.com
  • idx.com.au
  • hotbar.com
  • hostdozy.com
  • hilton.com
  • gevalia.com
  • fredericks.com
  • ezpeer.com
  • europeonline.com
  • e-registernow.com
  • emetrix.com
  • elsevier
  • element5.com
  • elance.com
  • earthport.com
  • directsex.com
  • directnic.com
  • deluxepass.com
  • delias.com
  • konetic.org
  • customersvc.com
  • c1hrapps.com
  • bnpparibas.net
  • .com
  • bearshare.com
  • authorize.net
  • advisor.com
  • adultfriendfinder.com
  • acadiau.ca
  • yimg.com
  • sebra.com
  • seatbooker.net
  • searchfit.org
  • eutelsat.net
  • carleton.ca
  • upjs.sk
  • scicollege.org.sg
  • sciamdigital.com
  • ebay
  • s-central.com.au
  • sbc.com
  • samsunggsbn.com
  • sammikk.com

Data intercepted from these pages is collected in the file 'global1f.pst'. The trojan's EXE then processes the PST files created by the DLL component, except for 'instant1f.pst' and 'global1f.pst', which are uploaded to the FTP site as they are.

From the PST files created for the major banks the trojan extracts the user name, customer ID, date of birth, passwords, PINs, account numbers and similar details into corresponding .INI files. The following .INI files are created (bank names removed):

  • _co_uk.ini
  • .ini
  • _co_uk.ini
  • .ini
  • .ini
  • .ini
  • .ini
  • .ini
  • _co_au.ini
  • .ini
  • .ini
  • .ini
  • .ini
  • .ini

The files with collected data are uploaded to three directories on the FTP site: sorted data from the major banks (the .INI files) goes to 'MAIN', data from the other banks ('instant1f.pst') goes to 'FILT', and the 'global1f.pst' file with data captured from all other URLs goes to 'SPAM'.
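The URL triage described in this section, modelled in Python as an added illustration (this is not the trojan's code and not F-Secure tooling). The real bank hostnames are redacted in the description, so TARGET_BANKS holds invented placeholder domains; SPAM_SUBSTRINGS is a subset of the strings quoted above. Assumed, because the description does not state it: only HTTPS URLs are examined (the DLL hooks HTTPS requests), the per-site list is checked before the substring list, and per-site PST files become .INI files bound for 'MAIN' while 'instant1f.pst' and 'global1f.pst' are uploaded as they are.

```python
"""Model of the Montp DLL's URL triage (added example, not the trojan's code)."""
from urllib.parse import urlsplit

# Hypothetical stand-ins for the redacted bank hostnames (constructed).
TARGET_BANKS = {
    "online.examplebank.co.uk": "examplebank_co_uk.pst",
    "secure.examplebank.com": "examplebank_com.pst",
    "ib.otherbank.com.au": "instant1f.pst",   # shared file for smaller banks
}

# A subset of the substrings the DLL looks for in any URL (from the list above).
SPAM_SUBSTRINGS = [
    "mail", "game", "music", ".edu", ".com", "ebay",
    "microsoft.com", "icq.com", "authorize.net",
]

# Files that are uploaded unprocessed, and the FTP directory they go to.
UPLOAD_DIR = {"instant1f.pst": "FILT", "global1f.pst": "SPAM"}


def classify(url):
    """Return (capture_file, ftp_directory) for a URL, or (None, None)
    if the DLL would ignore it."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return None, None                      # assumption: HTTPS only
    host = (parts.hostname or "").lower()
    pst = TARGET_BANKS.get(host)
    if pst is not None:
        if pst in UPLOAD_DIR:
            return pst, UPLOAD_DIR[pst]
        # the EXE parses per-bank PST files into .INI files for 'MAIN'
        return pst[:-len(".pst")] + ".ini", "MAIN"
    lowered = url.lower()
    if any(needle in lowered for needle in SPAM_SUBSTRINGS):
        return "global1f.pst", "SPAM"
    return None, None


def plan_uploads(urls):
    """Group the capture files by the FTP directory they would be sent to."""
    plan = {"MAIN": set(), "FILT": set(), "SPAM": set()}
    for url in urls:
        capture, directory = classify(url)
        if capture is not None:
            plan[directory].add(capture)
    return plan


def fraction_captured(urls):
    """Share of URLs the DLL would log at all; shows how broad the net is."""
    hits = sum(1 for u in urls if classify(u)[0] is not None)
    return hits / len(urls) if urls else 0.0


# Constructed browsing sample.
SAMPLE_URLS = [
    "https://online.examplebank.co.uk/login",
    "https://ib.otherbank.com.au/logon",
    "https://webmail.example.org/inbox",      # caught by "mail"
    "https://shop.example.com/checkout",      # caught by ".com"
    "http://online.examplebank.co.uk/login",  # plain HTTP, not hooked
    "https://intranet.corp.local/",           # nothing matches
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", classify(url))
    print(plan_uploads(SAMPLE_URLS))
```

Run as a script it prints the bucket for each sample URL. The point to notice is that a bare ".com" in the substring list means almost any commercial HTTPS site ends up in 'global1f.pst', which is why that file is shipped to a catch-all 'SPAM' directory rather than parsed.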

Payload

Montp modifies the HOSTS file to redirect the domain name 'web.da-us.citibank.com' to the IP address 66.98.244.59. Because the HOSTS file is consulted before DNS, a user who types the genuine Citibank address is silently sent to that server instead; after disinfection the HOSTS file should be checked and the entry removed.

The malware attempts to download and run a file named 'update8.exe' from the 'www.projecx.net' website. At the time this description was written, that file was no longer available. It also attempts to download and run a file named 'update.exe' from the FTP server to which it uploads the stolen data.

The trojan also sets 'about:blank' as the Internet Explorer start page.

Montp looks for and terminates processes with the following names:

  • ARMOR2NET.EXE
  • SAVSCAN.EXE
  • NPROTECT.EXE
  • NVSVC32.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • ACKWIN32.EXE
  • ANTI-TROJAN.EXE
  • APVXDWIN.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCTRL.EXE
  • AVKSERV.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVWIN95.EXE
  • AVWUPD32.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • F-AGNT95.EXE
  • FINDVIRU.EXE
  • FPROT.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FRW.EXE
  • F-STOPW.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • JEDI.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • N32SCANW.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NUPGRADE.EXE
  • NVC95.EXE
  • OUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RESCUE.EXE
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SWEEP95.EXE
  • TBSCAN.EXE
  • TCA.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VSCAN40.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSTAT.EXE
  • WEBSCANX.EXE
  • WFINDV32.EXE
  • ZONEALARM.EXE

Most of these names belong to anti-virus and firewall software.

Registry Changes

A startup value for the trojan's executable (under the random file name chosen at installation) is created in the Registry:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "qmin" = "%WinSysDir"\qmin\.exe"

Additionally, the Trojan creates the following Registry keys:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion] "qmin"
  • [HKCU\Software\Microsoft\Windows\] "qmax"

The 'qmax' entry is set at the start of the data-stealing process and deleted afterwards.
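The indicators from the Installation, Payload and Registry Changes sections, collected into one host-triage script. This is an added example, not F-Secure tooling and not the trojan's code. The HOSTS text, file listing and .reg export below are constructed samples so that it runs offline; on a live system feed it the real HOSTS file, a listing of the Windows System folder and an export of the Run key. The random EXE name is matched by location only (any .exe under a 'qmin' subfolder), since the description does not state its format.

```python
"""Host triage for the Montp indicators (added example, not F-Secure code)."""
import re

# Hostname from the HOSTS-file payload; any address for it is suspicious,
# not only the 66.98.244.59 seen in Montp.
CITI_HOST = "web.da-us.citibank.com"

# File indicators from the Installation and Data Theft sections.
FILE_IOCS = [
    re.compile(r"\\qmin\\[^\\]+\.exe$", re.I),   # random-named EXE in \qmin\
    re.compile(r"\\qmin2\.dll$", re.I),
    re.compile(r"\\xtempx\.xxx$", re.I),
    re.compile(r"\\(global1f|instant1f)\.pst$", re.I),
]

# Registry indicators: key path -> value names named in the description.
REG_IOCS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"qmin"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion": {"qmin"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows": {"qmax"},
}


def hosts_mappings(hosts_text):
    """Parse HOSTS into {hostname: ip}, ignoring comments and blank lines."""
    mapping = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def reg_values(reg_text):
    """Parse a .reg export into {key_path_lower: {value_name_lower, ...}}."""
    values, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            values.setdefault(current, set())
        elif current is not None and line.startswith('"'):
            name = line[1:line.index('"', 1)]
            values[current].add(name.lower())
    return values


def triage(hosts_text, file_paths, reg_text):
    """Return a list of human-readable findings, empty if nothing matched."""
    findings = []
    ip = hosts_mappings(hosts_text).get(CITI_HOST)
    if ip is not None:
        findings.append(f"HOSTS: {CITI_HOST} -> {ip}")
    for path in file_paths:
        if any(p.search(path) for p in FILE_IOCS):
            findings.append(f"FILE: {path}")
    present = reg_values(reg_text)
    for key, names in REG_IOCS.items():
        for name in sorted(names & present.get(key.lower(), set())):
            findings.append(f'REG: {key} "{name}"')
    return findings


# Constructed samples of what an infected host would show.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
66.98.244.59    web.da-us.citibank.com   # Montp redirect
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\qmin\adpgcjca.exe",
    r"C:\WINDOWS\system32\qmin2.dll",
    r"C:\WINDOWS\system32\xtempx.xxx",
    r"C:\WINDOWS\system32\kernel32.dll",
]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qmin"="C:\\WINDOWS\\system32\\qmin\\adpgcjca.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"qmin"=""
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, SAMPLE_FILES, SAMPLE_REG):
        print(finding)
```

Because the DLL hides the malware's files and Registry keys on a running system, a listing taken from inside the infected OS may show nothing; take the file listing and Registry export from an offline copy of the disk, or after booting from clean media, before trusting a negative result.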

Description Created: 2006-01-01 10:22:45.0

Description Last Modified: 2010-08-20 06:09:39.0