Virus

W32/Stawin.A!tr

Analysis

  • The Trojan is a 32-bit Windows executable with a compressed file size of 3,792 bytes
  • The Trojan may have been introduced to the compromised system as an attachment to a malicious spam email: the attachment "message.zip" contained the binary "message.exe"
  • If the Trojan binary is executed, it copies itself to the Windows folder and drops a second file there -

    c:\WINNT\HookerDll.Dll (4,608 bytes)
    c:\WINNT\MESSAGE.EXE (3,792 bytes)

  • The file "HookerDll.Dll" captures keystrokes and passwords and writes them to a file on the local system. It does this with imports from the following system libraries:

    KERNEL32.DLL - obtain Windows directory path, create file
    USER32.DLL - hook keyboard, read clipboard

  • The Trojan component "HookerDll.Dll" targets logon credentials for certain financial websites: capture is triggered only when the text it sees matches one of the strings below. The paired case variants (bendigo/Bendigo, paypal/PayPal) suggest a case-sensitive comparison, and the generic entries "bank"/"Bank" mean that most banking sites will match whether or not they are named individually -

    Westpac <- Australian/New Zealand bank
    ANZ <- Australian financial company
    bendigo <- Australian bank
    Bendigo <- Australian bank
    e-bendigo <- Australian bank
    e-Bendigo <- Australian bank
    commbank <- Australian bank
    Commonwealth <- Australian bank
    NetBank <- online bank
    Citibank <- online bank
    e-gold <- Internet payment service
    e-bullion <- Internet payment service
    e-Bullion <- Internet payment service
    evocash <- Internet payment service
    EVOCash <- Internet payment service
    EVOcash <- Internet payment service
    intgold <- Internet payment service
    INTGold <- Internet payment service
    paypal <- Internet payment service
    PayPal <- Internet payment service
    bankwest <- Online banking
    Bank West <- Online banking
    BankWest <- Online banking
    National <- Online banking
    cibc <- Online banking
    CIBC <- Online banking
    scotiabank <- Canadian online banking
    ScotiaBank <- Canadian online banking
    Scotia Bank <- Canadian online banking
    bmo <- Canadian online banking
    BMO <- Canadian online banking
    bank of montreal <- Canadian online banking
    Bank of Montreal <- Canadian online banking
    royalbank <- Canadian online banking
    Royal Bank <- Canadian online banking
    RoyalBank <- Canadian online banking
    tdcanadatrust <- Canadian online banking
    TD Canada Trust <- Canadian online banking
    TDCanadaTrust <- Canadian online banking
    president's choice <- Canadian online banking
    President's Choice <- Canadian online banking
    President Choice <- Canadian online banking
    suncorpmetway <- Australian online banking
    Suncorp <- Australian online banking
    macquarie <- Australian online banking
    Macquarie <- Australian online banking
    INTgold <- Internet payment service
    1mdc <- Internet banking service
    1MDC <- Internet banking service
    bank <- Internet banking service
    Bank <- Internet banking service
    goldmoney <- Internet banking service
    GoldMoney <- Internet banking service
    goldgrams <- Internet banking service
    pecunix <- Internet banking service
    Pecunix <- Internet banking service
    Pecun!x <- Internet banking service
    hyperwallet <- Internet banking service
    HyperWallet <- Internet banking service

  • The Trojan runs automatically at each Windows logon: on first execution it adds a value under the current user's Run key, as in this example. Because the value lives under HKEY_CURRENT_USER, the persistence is per user; when cleaning a machine, check the Run key of every user hive, not only the logged-on user's -

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "OLE" = C:\WINNT\message.exe
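The artifacts above (the two dropped files and their sizes, the Run value, and the watch list) collected into a small triage script. This is an added example written for this page, not Fortinet's code and not the Trojan's; it runs offline against a constructed host snapshot and a constructed file image embedded in the script, and both the case-sensitive string comparison and the choice to match the Run value on its target executable rather than on the name "OLE" are this example's own assumptions.

```python
"""Triage helpers for the W32/Stawin.A!tr artifacts described above.

Added example for this page, not Fortinet's code. Runs offline against a
constructed host snapshot and file image; on a live host the two dicts
would be filled from %WINDIR% and the Run key of every loaded user hive.
"""
import ntpath

# Strings the keylogger DLL watches for, copied from the list above.
WATCHLIST = (
    "Westpac", "ANZ", "bendigo", "Bendigo", "e-bendigo", "e-Bendigo", "commbank",
    "Commonwealth", "NetBank", "Citibank", "e-gold", "e-bullion", "e-Bullion",
    "evocash", "EVOCash", "EVOcash", "intgold", "INTGold", "paypal", "PayPal",
    "bankwest", "Bank West", "BankWest", "National", "cibc", "CIBC", "scotiabank",
    "ScotiaBank", "Scotia Bank", "bmo", "BMO", "bank of montreal", "Bank of Montreal",
    "royalbank", "Royal Bank", "RoyalBank", "tdcanadatrust", "TD Canada Trust",
    "TDCanadaTrust", "president's choice", "President's Choice", "President Choice",
    "suncorpmetway", "Suncorp", "macquarie", "Macquarie", "INTgold", "1mdc", "1MDC",
    "bank", "Bank", "goldmoney", "GoldMoney", "goldgrams", "pecunix", "Pecunix",
    "Pecun!x", "hyperwallet", "HyperWallet",
)

# Dropped files and sizes from the analysis. Names are compared case-insensitively
# because NTFS is (the page writes MESSAGE.EXE and message.exe for the same file).
DROPPED_FILES = {"hookerdll.dll": 4608, "message.exe": 3792}


def watchlist_hits(image: bytes) -> list[str]:
    """Return the watch-list strings present verbatim in a file image.

    The paired case variants in the list (bendigo/Bendigo, paypal/PayPal)
    suggest the DLL compares case-sensitively, so this scan does too
    (an assumption of this example). A lone hit on 'bank' or 'National'
    means little; a cluster of hits is the indicator.
    """
    return [s for s in WATCHLIST if s.encode("ascii") in image]


def _command_target(command: str) -> str:
    """First token of a Run-value command: the quoted path, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def host_findings(windir: str, files: dict[str, int], run_values: dict[str, str]) -> list[str]:
    """Match a host snapshot against the dropped-file and Run-key artifacts.

    files maps full paths to sizes; run_values maps value names under a
    ...\\CurrentVersion\\Run key to their command strings. Returns one line
    per artifact found. The Run value is matched on its target executable,
    not on the name "OLE", because the page gives that name only as an example.
    """
    findings = []
    want_dir = ntpath.normcase(windir.rstrip("\\"))
    for path, size in files.items():
        head, tail = ntpath.split(path)
        expected = DROPPED_FILES.get(tail.lower())
        if expected is None or ntpath.normcase(head) != want_dir:
            continue
        if size == expected:
            findings.append(f"file {path}: size matches ({size} bytes)")
        else:
            findings.append(f"file {path}: size {size} differs from {expected}, possible variant")
    for name, command in run_values.items():
        target = _command_target(command)
        if ntpath.basename(target).lower() == "message.exe":
            findings.append(f"Run value {name!r} starts {target}")
    return findings


# Constructed snapshot and file image for demonstration (not from a real infection).
SAMPLE_WINDIR = r"C:\WINNT"
SAMPLE_FILES = {
    r"C:\WINNT\HookerDll.Dll": 4608,
    r"C:\WINNT\MESSAGE.EXE": 3792,
    r"C:\WINNT\notepad.exe": 66048,
}
SAMPLE_RUN = {
    "OLE": r"C:\WINNT\message.exe",
    "ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe",
}
SAMPLE_DLL_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"Westpac\x00ANZ\x00bendigo\x00Bendigo\x00paypal\x00PayPal\x00bank\x00Bank\x00"
)

if __name__ == "__main__":
    for line in host_findings(SAMPLE_WINDIR, SAMPLE_FILES, SAMPLE_RUN):
        print(line)
    print("watch-list strings in image:", watchlist_hits(SAMPLE_DLL_IMAGE))
```

A size mismatch on an otherwise matching file name is reported rather than ignored, since a repacked variant would keep the name and path but not the byte count; treat it as a lead, not a clean bill of health.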

Recommended Action

  • Check the main screen of your FortiGate unit's web interface to confirm that the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option
  • On an infected host, remove the Run value and the two dropped files listed above, and treat any credentials typed on that machine since infection, especially for the sites in the list, as compromised