
Trojan:Win32/Wisp.B


First posted on 12 March 2010.
Source: SecurityHome

Aliases:

Trojan:Win32/Wisp.B is also known as Trojan.Win32.Cosmu.ore (Kaspersky), Win32/Wisp.A (CA), BackDoor-EMN (McAfee), Troj/DwnLdr-IBP (Sophos), Backdoor.Sykipot (Symantec).

Explanation:


Trojan:Win32/Wisp.B is a trojan that drops a malicious DLL on the affected system, detected as Trojan:Win32/Wisp.A. Trojan:Win32/Wisp.A steals sensitive information from the compromised computer and allows an attacker to gain access to the system in order to perform additional malicious actions. In the wild, this trojan has been reported to be distributed via malicious web pages that attempt to exploit the Internet Explorer remote code execution vulnerability described in Microsoft Security Advisory 981374 (CVE-2010-0806, later addressed by security bulletin MS10-018). The exploit page is detected as Exploit:JS/CVE-2010-0806.

Installation

When executed, Trojan:Win32/Wisp.B copies itself to the following file locations on the affected computer:

  • %Temp%\clipsvc.exe
  • %Temp%\note.exe

It then sets the following registry entry so that "note.exe" is executed at each Windows start:

  To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Adds value: "note"
  With data: "%Temp%\note.exe -installkys"

Payload

Installs additional malware

The trojan then drops the following DLL onto the system and sets its creation date and time to that of the system file svchost.exe. This timestomping makes the dropped file blend in with legitimate system files when a directory is sorted by creation time, so the DLL's creation time alone cannot be used to date the infection:

  • %Temp%\wshipl.dll

The trojan checks whether any of the following processes is running, and injects this DLL into the memory space of one of them:

  • iexplore.exe
  • outlook.exe
  • firefox.exe

This DLL is detected as Trojan:Win32/Wisp.A and performs the main payload of the trojan. Please see the Trojan:Win32/Wisp.A description elsewhere in this encyclopedia for additional detail.

Additional information

Trojan:Win32/Wisp.B initially checks whether its executable was launched with the -removekys argument. If so, it terminates the "clipsvc.exe" process and removes the registry entry:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\note
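The indicators listed above (the two dropped executables, the "note" Run value, the timestomped wshipl.dll and the three injection targets) can be checked on a suspect host with the following PowerShell triage script. This is an added example, not code from the original encyclopedia entry or from Microsoft. It assumes it is run in the context of the affected user account on the suspect host (the Run key lives in HKCU and %Temp% is per-user), that %Temp% resolves to that user's temporary directory, and that svchost.exe is at %SystemRoot%\System32. The optional -Remediate switch is a hand-written cleanup and deliberately does not invoke the trojan's own -removekys argument, since running the malware to uninstall itself is never a sound remediation step.

```powershell
# Added triage script for the Trojan:Win32/Wisp.B indicators described above.
# Not Microsoft's or the analyst's code; assumptions are noted inline.
function Invoke-WispTriage {
    [CmdletBinding()]
    param([switch]$Remediate)   # -Remediate is this script's own cleanup, not the trojan's -removekys

    $findings = New-Object System.Collections.Generic.List[string]
    $runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    # Assumption: %Temp% of the affected user; run the script as that user.
    $dropped  = 'clipsvc.exe', 'note.exe', 'wshipl.dll' | ForEach-Object { Join-Path $env:TEMP $_ }

    # 1. Persistence: Run value "note" -> "%Temp%\note.exe -installkys"
    $note = Get-ItemProperty -Path $runKey -Name 'note' -ErrorAction SilentlyContinue
    if ($note) { $findings.Add("Run value 'note' present: $($note.note)") }

    # 2. Dropped files in %Temp% (-Force so hidden files are still returned)
    foreach ($path in $dropped) {
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path -Force
            $findings.Add("File present: $path ($($f.Length) bytes, created $($f.CreationTime), modified $($f.LastWriteTime))")
        }
    }

    # 3. Timestomp check: the dropper copies svchost.exe's creation time onto wshipl.dll.
    #    An exact CreationTime match against svchost.exe is the indicator; a LastWriteTime
    #    much later than CreationTime is a supporting heuristic only, since the description
    #    says nothing about the modification time.
    $dll = Join-Path $env:TEMP 'wshipl.dll'
    if (Test-Path -LiteralPath $dll) {
        $svchost = Get-Item -LiteralPath (Join-Path $env:SystemRoot 'System32\svchost.exe') -Force
        $dllItem = Get-Item -LiteralPath $dll -Force
        if ($dllItem.CreationTime -eq $svchost.CreationTime) {
            $findings.Add("Timestomped: wshipl.dll CreationTime equals svchost.exe ($($svchost.CreationTime)); LastWriteTime is $($dllItem.LastWriteTime)")
        }
    }

    # 4. Injection check: wshipl.dll mapped into iexplore, outlook or firefox.
    foreach ($proc in Get-Process -Name iexplore, outlook, firefox -ErrorAction SilentlyContinue) {
        try {
            $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq 'wshipl.dll' }
            if ($hit) { $findings.Add("Injected: wshipl.dll in $($proc.ProcessName) PID $($proc.Id) from $($hit.FileName)") }
        } catch {
            # Module enumeration fails across the 32/64-bit boundary or without sufficient rights;
            # report it rather than silently treating the process as clean.
            $findings.Add("Could not enumerate modules of $($proc.ProcessName) PID $($proc.Id): $($_.Exception.Message)")
        }
    }

    # 5. Running dropper/loader processes. The legitimate ClipSVC service on newer Windows
    #    runs inside svchost.exe, so a standalone clipsvc.exe process is still anomalous.
    foreach ($proc in Get-Process -Name clipsvc, note -ErrorAction SilentlyContinue) {
        $findings.Add("Process running: $($proc.ProcessName) PID $($proc.Id) path $($proc.Path)")
    }

    if ($Remediate -and $findings.Count -gt 0) {
        # Order matters: stop the loader first, then remove persistence, then delete files.
        Get-Process -Name clipsvc, note -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-ItemProperty -Path $runKey -Name 'note' -ErrorAction SilentlyContinue
        # The injected DLL stays mapped until its host process exits, so end those too.
        Get-Process -Name iexplore, outlook, firefox -ErrorAction SilentlyContinue | Stop-Process -Force
        foreach ($path in $dropped) { Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
        $findings.Add('Remediation attempted; re-run without -Remediate to verify.')
    }

    return $findings
}

# Usage: report only. Add -Remediate to clean up after the findings have been preserved.
Invoke-WispTriage | ForEach-Object { Write-Output $_ }
```

Collect the findings (and ideally copies of the three files in %Temp%) before passing -Remediate, since the cleanup deletes the samples. Because the Run key is under HKCU, a host with several user profiles needs the check repeated per user, or a HKU:\<SID>\... walk in an elevated session.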

    Analysis by Amir Fouda

    Last update 12 March 2010
