Backdoor.Powerspider
Analysis
- Threat is a 32-bit executable with a compressed size of 46,080 bytes
- Trojan is designed to steal passwords and e-mail them to the author of the Trojan
- If the Trojan is run, it may write itself to the Windows\System folder as
"IEXPLORE .EXE" (note the space before the period, which distinguishes the dropped file from the legitimate iexplore.exe and is easy to overlook in a directory listing)
- Trojan modifies the registry to load itself at Windows startup –
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
"mssysint" = IEXPLORE .EXE
(The RunServices key is processed only by Windows 9x/Me; on NT-based Windows it is ignored, so when checking for this persistence also inspect the Run and RunOnce keys under the same path.)
- Trojan also writes the following registry keys, which the original analysis describes as allowing remote access by the Trojan –
HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\
"(Default)" = IAccessibleHandler
HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\ProxyStubClsid\
"(Default)" = {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\ProxyStubClsid32\
"(Default)" = {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib\
"(Default)" = {1EA4DBF0-3C3B-11CF-810C-00AA00389B71}
"Version" = 1.1
HKEY_CLASSES_ROOT\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\
"(Default)" = Accessibility
HKEY_CLASSES_ROOT\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
"(Default)" = oleacc.dll
HKEY_CLASSES_ROOT\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\FLAGS\
"(Default)" = 4
HKEY_CLASSES_ROOT\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\HELPDIR\
"(Default)" = C:\WINDOWS\SYSTEM
HKEY_CLASSES_ROOT\ZPwd_box\
"tmUpgrade_p" = A7, 01, D8, 3E
Note that the Interface and TypeLib entries above are the standard registration of the Windows Active Accessibility interface IAccessibleHandler and its type library (oleacc.dll), so they are also present on clean systems where that library is registered and are not on their own evidence of infection; the ZPwd_box key is the entry specific to this Trojan.
- Trojan may attempt to download a further Trojan with the file name "pwdbox101.exe" from a website on the "bizcn.com" domain
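The indicators above (the "mssysint" autorun value, the "IEXPLORE .EXE" file name with the embedded space, and the HKEY_CLASSES_ROOT\ZPwd_box key) can be checked offline against a registry export. The following is an added example written for this page, not code from the original write-up or from any vendor tool: it parses a .reg-style export and reports only the Trojan-specific entries, leaving the standard Accessibility Interface/TypeLib keys alone. The sample export, the rule names and the whitespace-in-filename heuristic (which generalizes the "IEXPLORE .EXE" trick to any autorun entry whose base name changes once whitespace is stripped) are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample .reg export for the example (not from the original analysis):
# one benign Run value, the Powerspider RunServices value, one of the standard
# Accessibility interface keys, and the Trojan-specific ZPwd_box key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"mssysint"="IEXPLORE .EXE"

[HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}]
@="IAccessibleHandler"

[HKEY_CLASSES_ROOT\ZPwd_box]
"tmUpgrade_p"=hex:a7,01,d8,3e
"""

# Autorun locations (HKLM or HKCU); RunServices/RunServicesOnce are Windows 9x/Me only.
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\runservices",
    r"\software\microsoft\windows\currentversion\runservicesonce",
)


@dataclass
class Finding:
    rule: str   # hypothetical rule name chosen for this example
    key: str
    name: str
    data: str


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}.
    Handles "..." string data (with \\ and \" unescaped) and hex: byte lists;
    any other data type is kept as its raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("hex:"):
            data = bytes.fromhex(data[4:].replace(",", "")).hex(" ")
        keys[current][name] = data
    return keys


def is_autorun_key(key):
    k = key.lower()
    return any(k.endswith(s) for s in AUTORUN_SUFFIXES)


def lookalike_name(data):
    """True when the executable's base name contains whitespace, e.g. "IEXPLORE .EXE"
    imitating iexplore.exe: the name differs from itself once whitespace is removed."""
    exe = data.strip().strip('"')
    base = re.split(r"[\\/]", exe)[-1]
    return base != "".join(base.split())


def scan_registry_export(text):
    """Return Findings for the Powerspider indicators; standard Interface/TypeLib
    registrations for oleacc.dll produce no finding."""
    findings = []
    for key, values in parse_reg(text).items():
        if is_autorun_key(key):
            for name, data in values.items():
                if name.lower() == "mssysint":
                    findings.append(Finding("powerspider_autorun_value", key, name, data))
                elif lookalike_name(data):
                    findings.append(Finding("autorun_lookalike_filename", key, name, data))
        if key.lower() == r"hkey_classes_root\zpwd_box":
            for name, data in values.items():
                findings.append(Finding("powerspider_zpwd_box_key", key, name, data))
    return findings


if __name__ == "__main__":
    for f in scan_registry_export(SAMPLE_REG):
        print(f"{f.rule}: [{f.key}] \"{f.name}\" = {f.data}")
```

On a live Windows 9x-era system the export would come from `regedit /e`; on NT-based systems the same export format is produced by `reg export`, and the Run/RunOnce keys matter more than RunServices, which those versions ignore.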