
Win32/Claretore


First posted on 10 April 2012.
Source: Microsoft

Aliases:

There are no other names known for Win32/Claretore.

Explanation:

Win32/Claretore is a trojan that injects malicious code into Windows processes to intercept web browser communication, and may monitor user activity and send stolen information to a remote website. The trojan could also redirect the web browser to an attacker-specified URL.





Installation

When run, it drops a copy of itself with the 'hidden' and 'system' file attributes set, using the following paths:

  • %HOMEPATH%\<random character string>-<random character string>.exe (example: "C:\Documents and Settings\Administrator\ec3fd7c0-0.exe")
  • %TEMP%\<random character string>.tmp (example: "C:\Documents and Settings\Administrator\Local Settings\Temp\1455b34a-0.tmp")


The registry is modified so that the trojan runs at each Windows start, as in the following example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update Server"
With data: "C:\Documents and Settings\Administrator\ec3fd7c0-0.exe"

It may delete itself after installation by calling the MoveFileEx() API, which records the pending deletion (carried out at the next reboot) in the following registry entry:

In subkey: HKLM\Machine\System\CurrentControlSet\Control\Session Manager
Sets value: "PendingFileRenameOperations"
With data: "%Temp%\<random>.tmp"
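
The two registry artifacts above (the Run value pointing at the dropped copy, and the deferred delete of the %TEMP% file) can be triaged from an exported registry snapshot. The following is an added example for that check, not code from the original page or from Microsoft; the file-name pattern is an assumption inferred from the page's examples ("ec3fd7c0-0.exe", "1455b34a-0.tmp"), and the snapshot data is constructed.

```python
import re
from typing import Iterable, List, Tuple

# Naming pattern inferred from the page's own examples ("ec3fd7c0-0.exe",
# "1455b34a-0.tmp"): two hex runs joined by a dash. This is an assumption
# made for triage, not a vendor signature.
DROP_NAME_RE = re.compile(r"[0-9a-f]+-[0-9a-f]+\.(exe|tmp)$", re.IGNORECASE)

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SESSION_MGR_KEY = r"HKLM\System\CurrentControlSet\Control\Session Manager"

# A registry snapshot as (key, value name, data) triples, the shape you get
# from exporting the two keys on a suspect host. Data is a str for REG_SZ
# and a list of str for REG_MULTI_SZ.
RegEntry = Tuple[str, str, object]

def _basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1]

def find_claretore_artifacts(entries: Iterable[RegEntry]) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for key, name, data in entries:
        if key.lower() == RUN_KEY.lower() and isinstance(data, str):
            if DROP_NAME_RE.search(_basename(data)):
                note = f"Run value '{name}' launches {data}"
                if name == "Windows Update Server":  # value name seen on the page
                    note += " (value name matches the page's example)"
                findings.append(note)
        elif key.lower() == SESSION_MGR_KEY.lower() and name == "PendingFileRenameOperations":
            # REG_MULTI_SZ of (source, destination) pairs; an empty destination
            # is a deferred delete, which is what MoveFileEx writes here when
            # called with MOVEFILE_DELAY_UNTIL_REBOOT.
            ops = list(data)
            for src, dst in zip(ops[0::2], ops[1::2]):
                if dst == "" and DROP_NAME_RE.search(_basename(src)):
                    findings.append(f"Deferred delete of dropper {src}")
    return findings

# Constructed sample snapshot (paths follow the page's examples).
SAMPLE = [
    (RUN_KEY, "Windows Update Server", r"C:\Documents and Settings\Administrator\ec3fd7c0-0.exe"),
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (SESSION_MGR_KEY, "PendingFileRenameOperations",
     [r"\??\C:\Documents and Settings\Administrator\Local Settings\Temp\1455b34a-0.tmp", ""]),
]

if __name__ == "__main__":
    for finding in find_claretore_artifacts(SAMPLE):
        print(finding)
```

Any hit is only a lead: confirm by checking the referenced file for the hidden and system attributes the page describes before treating the host as infected.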

It creates several threads to monitor its components (registry entries and dropped files) and protect them against changes, using the RegNotifyChangeKeyValue() and ReadDirectoryChangesW() APIs to be notified when a change occurs.

Win32/Claretore injects its code as a DLL into every running process with "kernel32.dll" loaded, for example:

  • explorer.exe
  • csrss.exe
  • winlogon.exe
  • services.exe
  • lsass.exe
  • svchost.exe


This method lets the malware run on Windows 2000 as well, and helps hide it: because its code executes inside legitimate processes, no separate malware process appears when viewing running processes in Windows Task Manager.



Payload

Intercepts web browser communication

Win32/Claretore hooks the following functions in "mswsock.dll" to intercept the browser's Internet communication:

  • WSPCloseSocket
  • WSPSend
  • WSPRecv


The trojan then intercepts every accessed website that contains a reference to the Google Analytics JavaScript, and replaces the legitimate code with code from an attacker-supplied URL. This may result in fake Google Analytics results and/or inflated advertisement click counts.

For example, a variant of Win32/Claretore was observed to replace references to the Google Analytics JavaScript "google-analytics.com/ga.js" with "<removed>in-f108.com/ga.js", allowing attacker-specified code to execute.

Communicates with a remote server

Win32/Claretore sends the following details about the affected computer, encrypted using MD5 (strictly a one-way hash rather than reversible encryption), to an attacker-supplied URL:

  • Machine GUID
  • User logon account name
  • Computer name
  • Windows install date
  • Disk identifier




Analysis by Tim Liu

Last update 10 April 2012
