
Win32/Suweezy


First posted on 14 September 2016.
Source: Microsoft

Aliases :

There are no other names known for Win32/Suweezy.

Explanation :

Installation

This threat is commonly installed by BrowserModifier:Win32/Sasquor.

When first run, this threat might make multiple copies of itself to locations such as these:

  • C:\Program Files (x86)\SoSoIm_3\SoSoIm3.exe
  • C:\Program Files (x86)\SoSoIm_4\SoSoIm4.exe
  • C:\Program Files (x86)\SoSoIm_5\SoSoIm5.exe
  • C:\Program Files (x86)\SoSoIm_6\SoSoIm6.exe
  • C:\Users\MSUser.Default\Help_3\CfHelp33.exe
  • C:\Users\MSUser.Default\Help_4\CfHelp44.exe
  • C:\Users\MSUser.Default\Help_5\CfHelp55.exe
  • C:\Users\MSUser.Default\Help_6\CfHelp66.exe


It can also create several services to run these automatically at Windows start-up, for example:
  • service:BSSoEasySvc3
  • service:BSSoEasySvc4
  • service:BSSoEasySvc5
  • service:BSSoEasySvc6
  • service:ZSHelper33
  • service:ZSHelper44
  • service:ZSHelper55
  • service:ZSHelper66


We have seen the service description as: "The SoEasy service that aims to offer search easlisy".

When one of the Suweezy executables runs, it may temporarily write a DLL file, for example:

C:\Program Files (x86)\SoSoIm_3\launcher.dll

and launch it using rundll32.exe:

rundll32 "C:\Program Files (x86)\SoSoIm_3\launcher.dll",DllReg

This DLL is deleted after it finishes running.

Payload

Excludes folders from being scanned by anti-malware products

The DLL is responsible for this threat's payload. It attempts to add several folders to the list of folders that Windows Defender excludes from scanning, by adding registry entries such as these:

In subkey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Sets value: "C:\"
With data: "0x00000000"

In subkey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_4\"
With data: "0x00000000"

In subkey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_5\"
With data: "0x00000000"

In subkey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_6\"
With data: "0x00000000"

It also tries to add similar entries for Microsoft Security Essentials/System Center Endpoint Protection exclusions, for example:

In subkey: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Sets value: "C:\"
With data: "0x00000000"

In subkey: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_4\"
With data: "0x00000000"

In subkey: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_5\"
With data: "0x00000000"

In subkey: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Sets value: "C:\Users\MSUser.Default\Help_6\"
With data: "0x00000000"

In addition, it attempts to exclude the same folders from scanning by Avast, AVG, and Avira anti-malware scanners, by writing these files:
  • C:\ProgramData\AVAST Software\Avast\exclusions.ini
  • C:\ProgramData\Avg\AV\DB\exceptions.dat
  • C:\ProgramData\Avira\Antivirus\CONFIG\AVWIN.INI


Note: This threat might create these files even if the anti-malware applications are not installed.
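The Windows Defender and Microsoft Antimalware exclusion entries described above are what a responder should look for on a suspect host. The following Python script is an added example, not part of Microsoft's write-up: it parses a `.reg` export of the two Exclusions\Paths keys (assumed already decoded from the UTF-16 text that reg.exe produces) and flags a whole-drive exclusion or any path naming the SoSoIm_N / Help_N directories listed above; the sample export is constructed.

```python
import re

# Keys the page says the launcher DLL writes exclusions under (Defender, and MSE/SCEP).
EXCLUSION_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths",
)
# Directory names from the copy locations the page lists (SoSoIm_N, Help_N).
SUWEEZY_DIR_RE = re.compile(r"\\(SoSoIm_\d+|Help_\d+)\\", re.IGNORECASE)
# A bare drive root such as "C:\" excludes the whole disk from scanning.
DRIVE_ROOT_RE = re.compile(r"^[A-Z]:\\?$", re.IGNORECASE)

# Constructed sample .reg export (backslashes doubled as regedit writes them); not from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\"=dword:00000000
"C:\\Users\\MSUser.Default\\Help_4\\"=dword:00000000
"C:\\Program Files\\Legit App\\"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths]
"C:\\Users\\MSUser.Default\\Help_5\\"=dword:00000000
'''

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from decoded .reg export text."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            # .reg doubles backslashes in value names; undo that to get the path.
            result[current][name.replace("\\\\", "\\")] = data
    return result

def audit_exclusions(reg_text):
    """Return (key, path, reason) tuples for exclusions that fit the Suweezy pattern."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key not in EXCLUSION_KEYS:
            continue
        for path in values:
            if DRIVE_ROOT_RE.match(path):
                findings.append((key, path, "whole drive excluded from scanning"))
            elif SUWEEZY_DIR_RE.search(path):
                findings.append((key, path, "matches a Suweezy copy directory"))
    return findings
```

Run `audit_exclusions` over the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" out.reg` (decoded from UTF-16) to get the three findings the sample produces; the "Legit App" entry is left alone.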



Analysis by: Hamish O'Dea

Last update 14 September 2016
