- the presence of the file oembios.exe in the %WINDIR%\system32\ folder or in C:\Documents and settings\%username%\Application Data\.
- the presence of the following registry key:
userinit="%WINDIR%\system32\userinit.exe,C:\Documents and settings\%username%\Application Data\oembios.exe"
The malware uses the icon of an *.xls file (Excel spreadsheet). This is a social engineering technique to trick the user into launching the infection. It has no spreading routine of its own; it was spammed out via email as an attachment containing this file.
The malware comes encrypted; underneath the protection is a version of the infamous Trojan.Wsnpoem malware, detected by BitDefender as Trojan.Spy.Zbot.JM.
Immediately after execution it injects into svchost.exe and winlogon.exe, and it can provide backdoor and proxy server capabilities. The service provided through svchost.exe listens on a random TCP port, which is opened to let the attacker send commands to the remote computer. This may be used for stealing information, remote control or spamming.
The trojan deletes cookies in the Internet Explorer URL cache and resets the Internet Explorer Start Page. Trojan.Spy.Zbot.KJ attempts to hide itself using stealth and rootkit techniques. The files mentioned above will not be visible in Windows Explorer, even with the options that hide hidden and protected operating system files turned off.
At execution the malware copies itself to %WINDIR%\system32\oembios.exe (or C:\Documents and settings\%username%\Application Data\) and creates a registry key to make sure it is executed after every reboot. For that, the following registry key is changed:
Another key that is changed is
enabling the process to hide the infected file from Windows Explorer. These registry keys are checked continuously and restored to the infected values by the infected winlogon process.
It also creates the following files, which contain encrypted data: C:\Windows\sysproc64\sysproc32.sys, C:\Windows\system32\oembios.bin and C:\Windows\system32\oembios.dat.
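The persistence and dropped-file indicators above can be checked mechanically. The following is an added example, not BitDefender's code or part of the original write-up: it parses a Userinit value and flags every entry that is not the legitimate %WINDIR%\system32\userinit.exe, and it matches a file listing against the dropped-file names given above. The registry location HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit is the standard home of this value and is assumed here rather than taken from the write-up; the file listing and the username "alice" are constructed sample data.

```python
import ntpath
import sys

# Indicators copied from the write-up. %WINDIR% and %username% are the
# placeholders the write-up itself uses; they are resolved before comparison.
PAGE_USERINIT_VALUE = (
    r"%WINDIR%\system32\userinit.exe,"
    r"C:\Documents and settings\%username%\Application Data\oembios.exe"
)
KNOWN_DROPPED_FILES = (
    r"%WINDIR%\system32\oembios.exe",
    r"C:\Documents and settings\%username%\Application Data\oembios.exe",
    r"C:\Windows\sysproc64\sysproc32.sys",
    r"C:\Windows\system32\oembios.bin",
    r"C:\Windows\system32\oembios.dat",
)
LEGITIMATE_USERINIT = r"%WINDIR%\system32\userinit.exe"

# Constructed sample listing, e.g. from an offline image of the system drive.
SAMPLE_FILE_LISTING = [
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\oembios.exe",
    r"C:\WINDOWS\system32\oembios.bin",
    r"C:\WINDOWS\sysproc64\sysproc32.sys",
    r"C:\Documents and Settings\alice\Application Data\oembios.exe",
    r"C:\WINDOWS\system32\calc.exe",
]


def _normalize(path, windir=r"C:\Windows", username=None):
    """Resolve placeholders, strip quotes, normalize separators and case so that
    indicator strings and observed paths compare on an equal footing.
    ntpath handles Windows paths on any host OS."""
    p = path.strip().strip('"').replace("%WINDIR%", windir)
    if username is not None:
        p = p.replace("%username%", username)
    return ntpath.normpath(p).lower()


def unexpected_userinit_entries(value, windir=r"C:\Windows"):
    """Return every comma-separated Userinit entry that is not the legitimate
    userinit.exe. A clean value yields an empty list (a trailing comma is ignored)."""
    expected = _normalize(LEGITIMATE_USERINIT, windir)
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if _normalize(e, windir) != expected]


def match_file_indicators(observed_paths, windir=r"C:\Windows", username="user"):
    """Return the observed paths that coincide with a known dropped file.
    'username' is substituted for %username% so per-profile paths can be checked."""
    wanted = {_normalize(p, windir, username) for p in KNOWN_DROPPED_FILES}
    return sorted(p for p in observed_paths if _normalize(p, windir, username) in wanted)


def read_userinit_from_registry():
    """Read the live Userinit value on Windows; returns None elsewhere.
    Assumed standard location: HKLM\\...\\Winlogon\\Userinit (not from the write-up)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    value = read_userinit_from_registry() or PAGE_USERINIT_VALUE
    for entry in unexpected_userinit_entries(value):
        print("suspicious Userinit entry:", entry)
    for hit in match_file_indicators(SAMPLE_FILE_LISTING, windir=r"C:\WINDOWS", username="alice"):
        print("known dropped file present:", hit)
```

Because the write-up notes that the infected winlogon process hides these files and keeps restoring the registry values, a listing or registry read taken from the running, infected system may come back clean; feed the functions a listing produced from an offline image or a boot-disk mount of the drive, and compare the Userinit value read from the offline SOFTWARE hive as well.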
It creates the following mutex as a signature of the infected system:
It tries to download http://195.2.252.[removed]/n.bin, which contains encrypted data.
Further investigation showed that the server was registered near Moscow. Other domains hosted in the same IP range (probably on the same server, also registered near Moscow) link to online drug stores selling Viagra, Cialis and similar medicines.