File details
Filename: note.exe

File size: 13824 bytes
MD5: 8657e82b7ebc8c92e31b9462b642356b
SHA1: be3c1ddb357948e573af202430a974fcd7b150de
PEiD: -


How does it work?
note.exe is executed and drops the following files:

%Temp%\[RANDOM FILE NAME].tmp.exe
Note: %Temp% refers to the temporary folder. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%System%\winload.dll is registered as a BHO object and under the SharedTaskScheduler key. (The entries in this registry section run automatically when Windows starts - XP, NT, 2000 only.)

O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\system32\winload.dll
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\system32\winload.dll
[RANDOM FILE NAME].tmp.exe is executed with the following command line arguments: i [REMOTE HOST] [REMOTE PAGE].php
[REMOTE HOST] and [REMOTE PAGE].php are retrieved from %System%\mt_32.dll (see the Additional notes section for more information about mt_32.dll).

Once loaded into memory, a hidden instance of wab.exe (Address Book) is executed and account information is retrieved.

The next step is a hidden instance of Internet Explorer: code is injected into the iexplore.exe process (new memory page).
The trojan then starts to download plugins from the server over HTTP. One by one they are mapped into memory under the hidden iexplore.exe process.

Note: At the time of the writeup, the IEFileGrabber.dll and IEKeyLogger.dll were not available on the remote server.

Connecting to t1ssot.cn||:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 404 Not Found
In the meantime, our Outlook Express account information is uploaded to the remote server in plain text. I did create a fake account in order to illustrate this behavior.
As you can see in the screenshot below, the following information is transmitted along with the module name (PSGrabber):
  • pop server: pop.universe.net
  • user name: Taz
  • password: blah
Finally, an instance of svchost.exe is started by the hidden iexplore.exe in order to listen for inbound connections.

Out of curiosity I decided to log in to a webmail-based ISP (with fake info, of course). Again, all information related to the page, login and passwords was uploaded to the server (module: IEGrabber).
  • Host & url
  • email account: taz@gmx.net
  • password: 123456

Additional notes
As stated above, we also notice the presence of a file called %System%\mt_32.dll.

Its content is almost plain text and contains the following items:
  • Location of the [REMOTE HOST] [REMOTE PAGE].php.
  • URL list of the remote modules to download.
  • How the downloaded files are renamed on the infected computer.
The screenshot below shows how the different modules are renamed after their download. Although mt_32.dll can be read in Notepad, I used BinText for clarity purposes.

Some of the components register themselves as BHO objects on the computer.

O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\WINDOWS\system32\yatool.dll
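The BHO and SharedTaskScheduler entries quoted above and in the "How does it work?" section are in HijackThis log format. As an added example (not part of the original writeup), here is a small Python checker that parses such O2/O22 lines, flags the CLSIDs and file names this analysis documents, and also applies the two heuristics the writeup illustrates: use of the rarely-touched SharedTaskScheduler key and the generic "COM+ Service" display name. The fourth log line is a constructed benign entry; the regex, function names and the reason strings are my own.

```python
import re
# Sample HijackThis-style log: first three lines quoted from this writeup, fourth constructed (benign).
SAMPLE_LOG = """\
O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\\WINDOWS\\system32\\winload.dll
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\\WINDOWS\\system32\\winload.dll
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\\WINDOWS\\system32\\yatool.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
"""

KNOWN_CLSIDS = {  # indicators documented in this analysis; compared in upper case
    "{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C}": "winload.dll BHO / SharedTaskScheduler entry",
    "{54C7D1DD-4296-451E-B756-1E94F665B4FF}": "yatool.dll posing as 'Yahoo Toolbar'",
}
KNOWN_FILES = {"winload.dll", "yatool.dll", "mt_32.dll"}

# "O2 - BHO: <name> - {CLSID} - <path>" / "O22 - SharedTaskScheduler: <name> - {CLSID} - <path>"
ENTRY_RE = re.compile(r"^(?P<code>O2|O22) - (?P<kind>BHO|SharedTaskScheduler): "
                      r"(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

def parse_entry(line):
    """Split one O2/O22 line into its fields; None if the line is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["clsid"] = entry["clsid"].upper()
    entry["file"] = entry["path"].rsplit("\\", 1)[-1].lower()
    return entry

def assess(entry):
    """Return the reasons an entry deserves a closer look (empty list = none)."""
    reasons = []
    if entry["clsid"] in KNOWN_CLSIDS:
        reasons.append("known CLSID: " + KNOWN_CLSIDS[entry["clsid"]])
    if entry["file"] in KNOWN_FILES:
        reasons.append("known dropped file: " + entry["file"])
    if entry["kind"] == "SharedTaskScheduler":  # rarely used by legitimate software
        reasons.append("SharedTaskScheduler autostart")
    if entry["name"].strip().lower() == "com+ service":  # the dropper's generic cover name
        reasons.append("generic 'COM+ Service' display name")
    return reasons

def scan_log(text):
    """Return (code, file name, reasons) for every flagged O2/O22 entry in a log."""
    findings = []
    for entry in filter(None, map(parse_entry, text.splitlines())):
        reasons = assess(entry)
        if reasons:
            findings.append((entry["code"], entry["file"], reasons))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the three entries from the writeup and leaves the constructed benign helper alone.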
Basic plugins:
  • CertGrabber.dll: Collects certificates from the system certificate store.
  • ExeLoader.dll: Executes files.
  • FFGrabber.dll: Mozilla Firefox HTTP request sniffer.
  • IECookieKiller.dll: Removes cookies from the Internet Explorer cache.
  • IEFaker.dll: Rewrites URLs. Reported as used for phishing.
  • IEGrabber.dll: IE HTTP request sniffer.
  • IEMod.dll: Installs as a BHO and allows other modules to hook into internet connections.
  • IEScrGrabber.dll: Captures IE screenshots.
  • IETanGrabber.dll: Redirects internet connections.
  • NetLocker.dll: Gets/sets the list of LSPs (Layered Service Providers).
  • ProxyMod.dll: Starts HTTP and SOCKS proxies on a random port.
  • PSGrabber.dll: Collects miscellaneous credentials from the system.
Additional plugins can be downloaded.

The Trojan primarily targets bank accounts and, depending on the plugins installed, it may be able to perform the following activities:
  • Gather sensitive information about the computer and the user's configuration.
  • Update itself and install new modules.
  • Steal sensitive information contained in forms posted over HTTP (see the webmail example).
  • Steal local certificate files (*.pfx).
  • Hijack the browser navigation.
Note: The browser-navigation hijacking functionality of the Trojan may be used to steal confidential bank credentials by redirecting users to phishing web sites when they attempt to log in to certain predetermined web banking sites.

The remote server hosts a complex Command & Control system which may be used by the attacker to control infected PCs via a web interface.

Offending IP
t1ssot.cn -

IP Location - Phuket Starhubinternet

Domain Name: t1ssot.cn
ROID: 20071125s10001s25885011-cn
Domain Status: ok
Registrant Organization: N/A
Registrant Name: NizovGrisha
Administrative Email: grishanizov@gmail.com
Sponsoring Registrar:
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2007-11-25 03:15
Expiration Date: 2008-11-25 03:15

Related information
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall