Trojan:Win32/Urelas.C


First posted on 06 December 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Urelas.C is also known as Win32/Urelas.F (ESET), PAK_Packman (Trend Micro), TR/Gupboot.987721 (Avira), Trojan.AVKill.24205 (Dr.Web), Trojan.Gupboot!4A23 (Rising AV), Trojan.Malcol (Symantec), Trojan.Win32.Urelas (Ikarus), Trojan/Win32.PbBot (AhnLab).

Explanation:

Trojan:Win32/Urelas.C is a trojan that monitors certain card game applications and sends screenshots and information about your computer to a remote server. It also drops Trojan:Win32/Urelas.A, which carries out the same payload.

You may inadvertently download the trojan, thinking it is a program related to a card game.

Installation

In the wild, we have observed Trojan:Win32/Urelas.C downloaded with the following file names:

  • MkUpdate.exe
  • setup.exe


When run, the trojan drops the following files in the <system folder>:

  • golfinfo.ini - this file may be used to store information captured by the trojan
  • gbp.ini - this file contains the remote server's address that the trojan connects to
  • <random>.exe, for example "lyycofez.exe" - also detected as Trojan:Win32/Urelas.C
  • <random>.dll, for example "lymucexuc.dll" - detected as Trojan:Win32/Urelas.A


Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".

It also drops the file "_uninsep.bat" to the %TEMP% folder; this is a batch file that deletes the trojan's original executable (EXE) file once the dropped components are in place.

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location of the %TEMP% folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".

Trojan:Win32/Urelas.C modifies the following registry entries to ensure that it runs at each Windows start:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<malware service name>\Parameters, for example "HKLM\SYSTEM\CurrentControlSet\Services\Jiuswan\Parameters"
Sets value: "ServiceDll"
With data: "<system folder>\<random>.dll", for example "C:\Windows\System32\lymucexuc.dll"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
Sets value: "<random name>", for example "Hiceegdiyfp"
With data: "<malware service name>", for example "Jiuswan"
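The persistence technique above (a service hosted by svchost.exe, registered as its own SvcHost group, with the payload DLL named in the service's ServiceDll value) can be audited directly from the registry. The PowerShell below is an added example for defenders and is not part of the Microsoft entry; it uses only the two registry paths named above, and the status labels and the "signed by Microsoft" check are assumptions of this example, not something the entry states.

```powershell
# Added example (not from the Microsoft entry): enumerate every svchost.exe service group
# and check the ServiceDll each listed service points to. Read-only; run elevated.
$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvcHostDllAudit {
    $groups = Get-ItemProperty -LiteralPath $svcHostKey
    foreach ($group in $groups.PSObject.Properties) {
        # Skip the PowerShell provider metadata properties (PSPath, PSParentPath, ...)
        if ($group.Name -like 'PS*') { continue }
        # Each group value is a REG_MULTI_SZ list of the service names hosted in that group
        foreach ($svc in @($group.Value)) {
            $paramsKey = Join-Path $servicesKey "$svc\Parameters"
            $dll = (Get-ItemProperty -LiteralPath $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            $signer = $null
            if (-not $dll) {
                $status = 'NoServiceDll'   # group lists a service that has no hosted DLL
            } else {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                if (-not (Test-Path -LiteralPath $dll)) {
                    $status = 'DllMissing'
                } else {
                    $sig    = Get-AuthenticodeSignature -FilePath $dll
                    $signer = $sig.SignerCertificate.Subject
                    if ($sig.Status -ne 'Valid') { $status = "Signature:$($sig.Status)" }
                    elseif ($signer -notmatch 'O=Microsoft Corporation') { $status = 'NonMicrosoftSigner' }
                    else { $status = 'OK' }
                }
            }
            [PSCustomObject]@{
                Group = $group.Name; Service = $svc; ServiceDll = $dll; Status = $status; Signer = $signer
            }
        }
    }
}

# Anything not OK is a triage lead, e.g. a random-named group whose System32 DLL is unsigned
Get-SvcHostDllAudit | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Legitimate third-party hosted services also appear in this output, and Get-AuthenticodeSignature only recognises catalog-signed system DLLs on newer Windows and PowerShell builds, so treat a NotSigned result as a lead to verify (file hash, creation time, group name) rather than a verdict.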
Payload

Monitors processes

Trojan:Win32/Urelas.C monitors the following processes that belong to certain card games:

  • baduki.exe
  • DuelPoker.exe
  • FNF.exe
  • highlow2.exe
  • HOOLA3.EXE
  • LASPOKER.exe
  • poker7.exe


Gathers and uploads information to a remote server

The trojan gathers the following information if any of these processes is found:

  • Screenshots of the gaming window
  • Your computer's name


Trojan:Win32/Urelas.C sends this information to a remote server. We have observed it attempting to contact the following servers:

  • 113.30.<removed>.<removed>
  • 27.125.<removed>.36

Related encyclopedia entries

Trojan:Win32/Urelas.A
Analysis by Marianne Mallen

Last update 06 December 2012