Home / malware W32.Liberpy
First posted on 18 July 2015.
Source: SymantecAliases :
There are no other names known for W32.Liberpy.
Explanation :
The worm may arrive on the compromised computer through removable drives.
When the worm is executed, it creates the following files:
%Temp%\_MEI[RANDOM NUMBER]\Crypto.Cipher._AES.pyd%Temp%\_MEI[RANDOM NUMBER]\_ctypes.pyd%Temp%\_MEI[RANDOM NUMBER]\_socket.pyd%Temp%\_MEI[RANDOM NUMBER]\pyexpat.pyd%Temp%\_MEI[RANDOM NUMBER]\_ssl.pyd%Temp%\_MEI[RANDOM NUMBER]\msvcp90.dll%Temp%\_MEI[RANDOM NUMBER]\msvcr90.dll%Temp%\_MEI[RANDOM NUMBER]\python27.dll%Temp%\_MEI[RANDOM NUMBER]\select.pyd%Temp%\_MEI[RANDOM NUMBER]\unicodedata.pyd%Temp%\_MEI[RANDOM NUMBER]\PIL._imaging.pyd%Temp%\_MEI[RANDOM NUMBER]\mfcm90.dll%Temp%\_MEI[RANDOM NUMBER]\Liberty1-0.exe.manifest%Temp%\_MEI[RANDOM NUMBER]\Microsoft.VC90.MFC.manifest%Temp%\_MEI[RANDOM NUMBER]\bz2.pyd%Temp%\_MEI[RANDOM NUMBER]\_hashlib.pyd%Temp%\_MEI[RANDOM NUMBER]\Microsoft.VC90.CRT.manifest%Temp%\_MEI[RANDOM NUMBER]\msvcm90.dll%Temp%\_MEI[RANDOM NUMBER]\mfcm90u.dll%Temp%\_MEI[RANDOM NUMBER]\mfc90u.dll%Temp%\_MEI[RANDOM NUMBER]\_win32sysloader.pyd%Temp%\_MEI[RANDOM NUMBER]\mfc90.dll%Temp%\tmp[RANDOM CHARACTERS]\gen_py\dicts.dat%Temp%\tmp[RANDOM CHARACTERS]\gen_py\__init__.py%Temp%\_MEI[RANDOM NUMBER]\win32wnet.pyd%Temp%\_MEI[RANDOM NUMBER]\win32ui.pyd%Temp%\_MEI[RANDOM NUMBER]\win32trace.pyd%Temp%\_MEI[RANDOM NUMBER]\include\pyconfig.h%Temp%\_MEI[RANDOM NUMBER]\win32pipe.pyd%Temp%\_MEI[RANDOM NUMBER]\win32file.pyd%Temp%\_MEI[RANDOM NUMBER]\win32api.pyd%Temp%\_MEI[RANDOM NUMBER]\pywintypes27.dll%Temp%\_MEI[RANDOM NUMBER]\pythoncom27.dll%Temp%\_MEI[RANDOM NUMBER]\pyHook._cpyHook.pyd%Temp%\_MEI[RANDOM NUMBER]\include\pyconfig.h%Temp%\_MEI[RANDOM NUMBER]\eggs\pyperclip-1.5.4-py2.7.egg
The worm will check to make sure it is the only instance running.
The worm creates a copy of itself in the following location:
%SystemDrive%\MSDcache\Liberty[VERSION NUMBER].exe
The worm opens a back door on the compromised computer, and connects to one of the following locations:
[http://]siyofuerarico.ddns.net[http://]sapolipon.ddns.net[http://]puchiupload.ddns.net[http://]puchiupdate.ddns.net[http://]rokitupload.ddns.net[http://]rokitupdate.ddns.net[http://]siyofuerarico.ddns.net[http://]sapolipon.ddns.net[http://]frederickupload.ddns.net[http://]frederickupdate.ddns.net[http://]siyofuerarico.ddns.net[http://]sapolipon.ddns.net
The worm checks for updates to itself, as well as other executables, and downloads them, if necessary, every two minutes.
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Liberty[VERSION NUMBER].exe" = "%SystemDrive%\MSDcache\Liberty[VERSION NUMBER].exe"
Note: [VERSION NUMBER] may be any of the following:
1-02-02-1
The worm will then check if there is any data to be sent to one of it's command-and-control (C&C) servers.
The worm will hook the keyboard and mouse events so it can log keystrokes and mouse movements.
The worm will capture keystrokes and screenshos when the active window has any of the following strings in its name:
Banesco OnlineBanescOnline
The worm saves the stolen information in the following hidden directory:
%SystemDrive%\MSDcache\system\system
The worm then sends this stolen information back to its C&C servers every minute.
The worm may copy itself to removable drives as the following file:
%RemovableDrive%\MSDcache\Liberty[VERSION NUMBER].exe
The worm also creates the following file in the same folder:
%RemovableDrive%\MSDcache\Liberty[VERSION NUMBER].bat
Note: [VERSION NUMBER] may be any of the following:
1-02-02-1
The worm enumberates files and folders in the root folders of removable drives.
The worm creates a new malicious .lnk file when it finds a file matching its search criteria.
Note: The name of the newly created, malicious file is based on the original file or folder name.Last update 18 July 2015
