VIRUS ALERTS

BZub Trojan

Original issue date: December 13, 2007

An information-stealing trojan family named BZub is circulating widely. Variants of BZub propagate as attachments to spammed e-mail messages.

This trojan installs a logging routine on the infected system that captures the keystrokes the user makes while visiting online banking websites.

This trojan steals confidential information stored on the infected computer, such as user accounts, credit card numbers and passwords used for applications like e-mail and online transactions. These credentials, web form entries and registry keys are stored or cached on the local system by browsers such as Internet Explorer. The collected data is written to text files named info.txt and form.txt and then uploaded to remote servers under the attacker's control using File Transfer Protocol (FTP). The trojan also captures screenshots of the infected system, saves them in a file named shot.html and sends them to the remote server. The attacker could use the stolen data for further malicious activity.

E-mail addresses collected from the infected user's system are further used by the attacker to send spammed e-mail messages.

Variants: BZub.BL, BZub.BS, BZub.DN, BZub.DO

Aliases: Trojan-Spy:W32/BZub [F-Secure], Spy-Agent.ba [McAfee]


Earlier BZub trojan variants were propagated as e-mail attachments with names such as:

• rechnung.exe
• rakningen.exe

Upon execution, the Trojan variants:

• Drop a DLL named "ipv6monl.dll" in the Windows System folder.
• Register the above-mentioned DLL as a Browser Helper Object (BHO), creating the following associated registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36DBC179-A19F-48F2-B16A
@="C:\WINDOWS\system32\ipv6monl.dll"

• Lower the Windows Firewall settings for Internet Explorer and enable browser extensions by adding the following values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet"

HKEY_CURRENT_USER\SOFTWARE\Internet Explorer\Main
"Enable Browser Extensions"="yes"

• Add the following registry values under the key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

  • "cmpid" = %hex values%
  • "worg" = %hex values%
  • "net_insll" = %current date%
  • "info_sze" = %hex values%
  • "ino" = %hex values%
  • "timeu" = %date in the future%
  • "h" = %date in the future%

When Internet Explorer is launched (which loads the malicious BHO), the BHO:

• Searches for username and password pairs cached or stored by browsers such as IE and continues to collect new account information as the victim browses the web. The collected information is stored in the files info.txt and form.txt.
• Captures screenshots of the infected machine and saves them in the files shot.txt/shot.html/shot.bmp.
• Captures window information.
• Tries to connect to the remote server via HTTP and uploads the captured information via FTP.
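As an added example that is not part of this advisory, the following PowerShell script checks a Windows host for the persistence artifacts listed above (the BHO registry keys, the dropped DLL, the firewall exception for IEXPLORE.EXE and the Control Panel\load marker values) and reports what it finds without changing anything. It assumes it is run from an elevated PowerShell prompt on the host being checked; the registry paths, CLSID and value names are taken from the advisory text, with the firewall list key spelled as Windows names it (AuthorizedApplications).

```powershell
# Added example, not code from the CERT-In advisory: read-only check for the
# BZub artifacts described above. Run from an elevated PowerShell prompt.
$clsid = '{36DBC179-A19F-48F2-B16A-6A3E19B42A87}'          # BHO CLSID from the advisory
$dll   = Join-Path $env:SystemRoot 'system32\ipv6monl.dll'  # dropped DLL from the advisory

$keyChecks = @(
    @{ Name = 'BHO registration'; Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid" },
    @{ Name = 'AppID entry';      Path = "HKLM:\SOFTWARE\Classes\AppID\$clsid" },
    @{ Name = 'CLSID entry';      Path = "HKLM:\SOFTWARE\Classes\CLSID\$clsid" }
)

$findings = @()
foreach ($check in $keyChecks) {
    if (Test-Path -LiteralPath $check.Path) {
        $findings += "[FOUND] $($check.Name): $($check.Path)"
    }
}
if (Test-Path -LiteralPath $dll) {
    $findings += "[FOUND] dropped DLL present: $dll"
}

# Firewall exception the trojan adds: the value name is the IE executable path
# and the data ends in ':*:Enabled:Internet'.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$iePath = 'C:\Program Files\Internet Explorer\IEXPLORE.EXE'
if (Test-Path -LiteralPath $fwKey) {
    $fwValue = (Get-ItemProperty -LiteralPath $fwKey -ErrorAction SilentlyContinue).$iePath
    if ($fwValue -and $fwValue -match 'Enabled') {
        $findings += "[FOUND] firewall exception for IE: $fwValue"
    }
}

# Marker values written under Control Panel\load (value names from the advisory).
$loadKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load'
if (Test-Path -LiteralPath $loadKey) {
    $props = Get-ItemProperty -LiteralPath $loadKey
    foreach ($name in 'cmpid', 'worg', 'net_insll', 'info_sze', 'ino', 'timeu', 'h') {
        if ($null -ne $props.$name) {
            $findings += "[FOUND] load value '$name' = $($props.$name)"
        }
    }
}

if ($findings.Count -eq 0) { 'No BZub artifacts found.' } else { $findings }
```

A hit on any single item is not proof of infection on its own (a legitimate firewall exception for Internet Explorer is common), but the BHO CLSID, the DLL or the load values together are a strong indicator and should be followed by the countermeasures below.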

Content of file info.txt:
This file contains the trojan version, the system IP address, the country, a unique "CompID" value, and a brief classification of the operating system type. Local e-mail account information from Outlook Express (and likely other versions of Outlook) and stored auto-complete passwords are then appended.

Content of file form.txt:
This file contains username and password information gathered from web forms while the trojan is installed. The trojan captures the entered form data along with a time/date stamp.

In view of the high damage potential of the BZub Trojan variants, users are advised to implement the following countermeasures:

  • Delete/unregister the executables/DLLs used by the Trojan with the above-mentioned names
  • Delete the registry keys created by the Trojan mentioned above
  • Follow the steps below to delete locally stored usernames, passwords and credentials, and check these settings regularly

    For Internet Explorer
    • Right-click the 'Internet Explorer' icon and select 'Internet Options' from the menu
      OR
      Open 'Internet Explorer', click 'Tools' from the menu, then click 'Internet Options'
    • In the 'Internet Options' window, on the 'General' tab, under the 'Browsing history' heading click 'Delete'
    • In the 'Delete Browsing History' window click 'Delete all'
    • A sub-window of 'Delete Browsing History' will open
    • Select 'Also delete files and settings stored by add-ons'
    • Click 'Yes'
    • Click on the 'Advanced' tab
    • Under the 'Settings' heading scroll down to the 'Security' sub-head
    • Select 'Empty Temporary Internet Files folder when browser is closed'
    • Click 'OK'

    For Mozilla Firefox
    • Open the 'Mozilla Firefox' browser
    • Click on the 'Tools' menu and select the 'Privacy' tab
    • Under the 'History' heading, uncheck 'Remember what I enter in forms and search bar'
    • Under the 'Private Data' heading, select 'Always clear my private data when I close Firefox'
    • Click 'Settings' under the 'Private Data' heading
    • In the 'Clear Private Data' window, select all components
    • Click 'OK' to close the 'Clear Private Data' window
    • Select the 'Security' tab of the 'Options' window
    • Under the 'Passwords' heading, uncheck 'Remember passwords for sites'
    • Click 'OK' to close the 'Options' window

      After configuring the above settings, the 'Clear Private Data' window will appear whenever the user closes 'Mozilla Firefox'.
    • Select 'Clear Private Data Now'
  • Install and maintain updated anti-virus software at gateway and desktop level
  • Install and maintain updated anti-spyware software at desktop level
  • Keep up to date on patches and fixes for the operating system
  • Install and maintain a desktop firewall and block the ports that are not required
  • Install and maintain a host-based intrusion prevention system
  • If it is suspected that financial or personal information has been compromised, immediately contact the concerned financial institution/bank and report it

References

http://www.f-secure.com/v-descs/trojan-spy_w32_bzub.shtml#details
http://vil.nai.com/vil/content/v_139621.htm
http://www.k7computing.com/virusdetails.asp?virusid=46228

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003