
Trojan:Win32/Bublik.B


First posted on 05 May 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Bublik.B is also known as PWS-Zbot.gen.xj (McAfee), Troj/BredoZp-IP (Sophos).

Explanation:

Trojan:Win32/Bublik.B is a trojan that monitors and steals login credentials for online banking and other financial institutions. The trojan also forces the use of Internet Explorer if another web browser is launched on the affected computer.
Installation

Trojan:Win32/Bublik.B has been observed being distributed as an email attachment with the subject "Booking confirmation", with the sender address spoofed to appear to come from "booking.com". The attached file may be a ZIP archive such as "From-Booking-Com_Reservation-Details04261270703.zip".

If Trojan:Win32/Bublik.B is run, it drops a copy of the trojan as a randomly named file into the Windows system folder, as in the following examples:

  • %windir%\System32\B48A1CB38B4C5E5D18A.exe
  • %windir%\System32\defp.exe


It modifies the registry so that the dropped malware copy is executed whenever the Windows system executable "userinit.exe" runs, which occurs during Windows start. The "Debugger" value under Image File Execution Options causes Windows to launch the named program in place of userinit.exe, passing the original command line to it.

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
Sets value: "Debugger"
With data: "<malware file name>" (e.g. "B48A1CB38B4C5E5D18A.exe")

To hide its presence, the trojan executes its payload in the context of the system process "csrss.exe". Trojan:Win32/Bublik.B also creates a random registry subkey with binary data, as in the following example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\<version>\1D01061D\
Sets value: "(default)"
With data: ".0z._b¨Ã½nñãåíýdé¥..xgcèo)sìt.r!.þ.~¤.ïð«1...ó.86.!9qx5°.qò.ýûé\´½Ã¯{î....$/çznr.eµ.&ç.±.û<.óð%äc.âvfc./ð.qi×.|ó.¬¸Ã¤uòà ø..).êm..|q.^n¬Ãµ«xæ.é¡Ã¯#...Ã¥lfw.s8.y*ê.e..üíç&õí...q.·.[%Ã¥^õ#.¹Ã¤Ãº.æ·-ñwz.¬¥Ã­onz"
Payload

Modifies Internet settings

Trojan:Win32/Bublik.B disables the use of an Internet proxy by changing registry data.

In subkey: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "ProxyEnable"
With data: "0"
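The two registry changes described above (the IFEO "Debugger" value on userinit.exe and ProxyEnable set to 0 for the .DEFAULT user hive) can be audited offline from a registry export. The following is an added example, not part of the original write-up or of any Microsoft tooling: it parses a constructed .reg-format export (the sample text and the notepad.exe entry are made up for illustration; the userinit.exe and ProxyEnable entries mirror the values given on this page) and flags both indicators. Windows sets no Debugger value for userinit.exe by default, so any such value is worth investigating.

```python
import re

# Constructed sample export in regedit's .reg text format. The userinit.exe
# Debugger value and the ProxyEnable value reproduce the indicators from the
# write-up above; the notepad.exe entry is a benign filler key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="B48A1CB38B4C5E5D18A.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""

# Long hive names as written by regedit, mapped to the short forms used on the page.
HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_USERS": "HKU",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR",
}

# A value line is either "name"=data or @=data (the default value).
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<val>.+)$')

IFEO_PREFIX = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options".lower()
DEFAULT_USER_INET = r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings".lower()


def normalize_key(key):
    """Replace the long hive name with its short alias (HKLM, HKU, ...)."""
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive) + sep + rest


def decode_value(raw):
    """Decode the common .reg data encodings: quoted strings and dword:hex."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw  # hex(...) blobs and other types are kept as their raw text


def parse_reg_export(text):
    """Return {key: {value_name: data}} for a .reg-format export."""
    entries = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group("default") else m.group("name")
            entries[current][name] = decode_value(m.group("val"))
    return entries


def get_value(values, wanted):
    """Registry value names are case-insensitive; look one up accordingly."""
    for name, data in values.items():
        if name.lower() == wanted.lower():
            return data
    return None


def find_ifeo_debuggers(entries):
    """List (image name, debugger) for every IFEO subkey carrying a Debugger value."""
    hits = []
    for key, values in entries.items():
        k = key.lower()
        if k.startswith(IFEO_PREFIX + "\\"):
            debugger = get_value(values, "Debugger")
            if debugger is not None:
                hits.append((key[len(IFEO_PREFIX) + 1:], debugger))
    return hits


def proxy_disabled_for_default_user(entries):
    """True if ProxyEnable is 0 under HKU\\.DEFAULT, as this trojan sets it."""
    for key, values in entries.items():
        if key.lower() == DEFAULT_USER_INET:
            return get_value(values, "ProxyEnable") == 0
    return False


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for image, debugger in find_ifeo_debuggers(parsed):
        print(f"IFEO Debugger hijack: {image} -> {debugger}")
    print("ProxyEnable=0 for .DEFAULT user:", proxy_disabled_for_default_user(parsed))
```

On a live system the same export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and fed to `parse_reg_export`; legitimate Debugger values do occur on developer machines, so the image name (here a logon-critical system binary) is what makes the hit significant.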

Disables programs

Trojan:Win32/Bublik.B disables the use of the following web browsers and executes Internet Explorer instead:

  • Google Chrome
  • Netscape Navigator
  • Opera
  • Safari


Monitors and steals user credentials

The trojan injects code into the following processes for the purpose of stealing user credentials:

  • thebat.exe
  • msimn.exe
  • iexplore.exe
  • explorer.exe
  • myie.exe
  • firefox.exe
  • mozilla.exe
  • avant.exe
  • maxthon.exe
  • OUTLOOK.EXE
  • ftpte.exe
  • coreftp.exe
  • filezilla.exe
  • TOTALCMD.EXE
  • cftp.exe
  • FTPVoyager.exe
  • SmartFTP.exe
  • WinSCP.exe


Communicates with a remote server

This trojan gathers information about the affected computer, including:

  • Operating system version
  • Network configuration
  • Windows Address Book
  • Captured user credentials


Trojan:Win32/Bublik.B contacts one of the following remote servers to send the collected information and receive further instructions from an attacker:

  • safeoil.net
  • armyclub.net
  • quickring.net
  • genubajom.servegame.com
  • tekiharob.sytes.net
  • rivadolti.sendsmtp.com
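The server names above are the page's network indicators; the following added example, which is not part of the original write-up, shows how a defender would sweep DNS query logs for them. The log format (timestamp, client address, query type, queried name) and all log lines are constructed for illustration; the matcher treats the names as domain suffixes so subdomains are caught while look-alike names that merely end in the same characters are not.

```python
# Network indicators listed in the write-up above.
BUBLIK_B_DOMAINS = (
    "safeoil.net",
    "armyclub.net",
    "quickring.net",
    "genubajom.servegame.com",
    "tekiharob.sytes.net",
    "rivadolti.sendsmtp.com",
)

# Constructed DNS query log: "<timestamp> <client> <qtype> <qname>" per line.
# Mixed case, trailing dots, a subdomain and a look-alike name are included
# deliberately to exercise the matcher.
SAMPLE_DNS_LOG = """\
2012-05-05T10:01:02Z 192.0.2.10 A quickring.net.
2012-05-05T10:01:03Z 192.0.2.10 A www.example.com.
2012-05-05T10:02:17Z 192.0.2.23 A TEKIHAROB.SYTES.NET
2012-05-05T10:03:40Z 192.0.2.23 A notquickring.net.
2012-05-05T10:04:05Z 192.0.2.31 A mail.safeoil.net.
"""


def normalize_name(qname):
    """Lower-case a DNS name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def match_indicator(qname, indicators=BUBLIK_B_DOMAINS):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    name = normalize_name(qname)
    for indicator in indicators:
        ind = normalize_name(indicator)
        if name == ind or name.endswith("." + ind):
            return ind
    return None


def scan_dns_log(text, indicators=BUBLIK_B_DOMAINS):
    """Return (timestamp, client, qname, indicator) for each matching query."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        timestamp, client, _qtype, qname = fields[:4]
        indicator = match_indicator(qname, indicators)
        if indicator is not None:
            hits.append((timestamp, client, normalize_name(qname), indicator))
    return hits


if __name__ == "__main__":
    for timestamp, client, qname, indicator in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{timestamp} {client} queried {qname} (indicator: {indicator})")
```

Two of the indicators are dynamic-DNS hostnames (sytes.net, servegame.com, sendsmtp.com), so matching must be done on the full hostname rather than on the registered parent domain; the suffix match above does that while still catching subdomains of the attacker-registered names.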
Analysis by Horea Coroiu

Last update 05 May 2012
