Virus

Backdoor.Powerspider

Analysis

  • Threat is 32bit with a compressed size of 46,080 bytes
  • Trojan has intent to steal passwords and email them to the author of the Trojan
  • If Trojan is run, it may write itself to the Windows\System folder as
    “IEXPLORE .EXE” <= note there is a space before the period
  • Virus modifies the registry to load this Trojan at Windows startup –
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    ”mssysint” = IEXPLORE .EXE
  • Virus modifies the registry to allow remote access by the Trojan –
    HKEY_CLASSES_ROOT\Interface\
    {03022430-ABC4-11D0-BDE2-00AA001A1953}\
    "(Default)" = IAccessibleHandler
    HKEY_CLASSES_ROOT\Interface\
    {03022430-ABC4-11D0-BDE2-00AA001A1953}\ProxyStubClsid\
    "(Default)" = {00020424-0000-0000-C000-000000000046}

    HKEY_CLASSES_ROOT\Interface\
    {03022430-ABC4-11D0-BDE2-00AA001A1953}\ProxyStubClsid32\
    "(Default)" = {00020424-0000-0000-C000-000000000046}

    HKEY_CLASSES_ROOT\Interface\
    {03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib\
    "(Default)" = {1EA4DBF0-3C3B-11CF-810C-00AA00389B71}
    "Version" = 1.1

    HKEY_CLASSES_ROOT\TypeLib\
    {1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\
    "(Default)" = Accessibility

    HKEY_CLASSES_ROOT\TypeLib\
    {1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
    "(Default)" = oleacc.dll

    HKEY_CLASSES_ROOT\TypeLib\
    {1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\FLAGS\
    "(Default)" = 4

    HKEY_CLASSES_ROOT\TypeLib\
    {1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\HELPDIR
    ”(Default)" = C:\WINDOWS\SYSTEM

    HKEY_CLASSES_ROOT\ZPwd_box\
    ”tmUpgrade_p" = A7, 01, D8, 3E

  • Trojan may attempt to download another Trojan with a file name “pwdbox101.exe” from a website on the “bizcn.com” domain