Goldun/Haxspy

General

Method of propagation:

  • This is not a virus and does not contain any method to replicate. However this file may be downloaded by other viruses and/or Trojans to be installed on the user's system.

Platforms / OS:

  • Windows 95
  • Windows 98
  • Windows 98 SE
  • Windows NT
  • Windows ME
  • Windows 2000
  • Windows XP
  • Windows 2003

Side effects:

  • Drops malicious files
  • Registry modification
  • Steals information

Files

File: Install.exe Hash: 601b43c39f726d975f035cc98c146f99

This trojan may use any of the standard icons, such as Microsoft Word Document or JPEG Image.

The following files are created:

– %SYSDIR%\wndtx1.dll
  Furthermore, it is executed once it has been fully written. Further investigation showed that this file is also malware.
  Hash: bed399d56b82369eb7fb95caad16de04
  Detected as: TR/Dldr.Bolol.A.4, PWS-Goldun (Password Stealer trojan)

– %SYSDIR%\ipudpb2.sys
  Hash: 14ab6317620fb234c436f8114fab7f26
  Detected as: TR/Spy.Haxspy.AE, BackDoor-BAC.sys (Remote Access trojan)

Registry

The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Control]

  • "isfr2"="[%random character string%[%current username%]"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wndtx1]

  • "DllName"="wndtx1.dll"
  • "Startup"="wndtx1"
  • "Impersonate"=dword:00000001
  • "Asynchronous"=dword:00000001
  • "MaxWait"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2]

  • "Type"=dword:00000001
  • "Start"=dword:00000001
  • "ErrorControl"=dword:00000000
  • "ImagePath"="\??\%SYSDIR%\IPUDPB2.SYS"
  • "DisplayName"="IP2 UDPB2"

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Security]

  • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Enum]

  • "0"="Root\\LEGACY_IPUDPB2\\0000"
  • "Count"=dword:00000001
  • "NextInstance"=dword:00000001

The following registry key is changed:

– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]

Old value:

  • "PendingFileRenameOperations"=%hex values%

New value:

  • "PendingFileRenameOperations"=%hex values%
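The file and registry artifacts above can be turned into a read-only host check. The script below is an added example written for this page, not part of the original description; it assumes a PowerShell 4 or newer host (for Get-FileHash) and that %SYSDIR% resolves to %SystemRoot%\System32.

```powershell
# Added example: read-only check for the Goldun/Haxspy artifacts listed on this page.
# Run as Administrator. MD5 values are the ones given in the Files section above.
$indicators = @{
    "$env:SystemRoot\System32\wndtx1.dll"  = 'bed399d56b82369eb7fb95caad16de04'
    "$env:SystemRoot\System32\ipudpb2.sys" = '14ab6317620fb234c436f8114fab7f26'
}
$findings = @()

# 1. Dropped files: report presence and whether the hash matches the analysed sample.
foreach ($path in $indicators.Keys) {
    if (Test-Path -LiteralPath $path) {
        $md5   = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
        $match = if ($md5 -eq $indicators[$path]) { 'known sample' } else { 'unknown variant' }
        $findings += "File present: $path (MD5 $md5, $match)"
    }
}

# 2. Winlogon Notify package: this is how wndtx1.dll gets loaded into winlogon.exe.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wndtx1'
if (Test-Path -LiteralPath $notify) {
    $p = Get-ItemProperty -LiteralPath $notify
    $findings += "Winlogon Notify package: DllName=$($p.DllName) Startup=$($p.Startup)"
}

# 3. Kernel driver service: Type=1 is a kernel driver, Start=1 loads it at system start.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\ipudpb2'
if (Test-Path -LiteralPath $svc) {
    $p = Get-ItemProperty -LiteralPath $svc
    $findings += "Driver service: ImagePath=$($p.ImagePath) Start=$($p.Start) Type=$($p.Type)"
}

# 4. Marker value under Control: the name is fixed, the data is random plus the username.
$ctl = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control' -ErrorAction SilentlyContinue
if ($ctl -and ($ctl.PSObject.Properties.Name -contains 'isfr2')) {
    $findings += "Marker value present: HKLM\SYSTEM\CurrentControlSet\Control\isfr2 = $($ctl.isfr2)"
}

# 5. Caveat: the driver hides files from the Windows API, so an empty result from a live
#    system is not conclusive. Repeat the file checks from offline media or a raw disk image.
if ($findings.Count -eq 0) {
    'No Goldun/Haxspy artifacts visible via the Windows API (see rootkit caveat in comments).'
} else {
    $findings
}
```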

Backdoor

Contact server: The following:

As a result, it may send information, and remote control could be provided. This is done via HTTP GET and POST requests to a PHP script.

Sends information about:

  • Current user
  • Collected information described in stealing section
  • Information about the Windows operating system

Stealing

It tries to steal the following information:

– Passwords typed into 'password input fields'

– A logging routine is started after one of the following websites is visited:

– It captures:

  • Window information
  • Browser window
  • Login information

Injection

– It injects the following file into a process: %SYSDIR%\wndtx1.dll

  All of the following processes:

  • iexplore.exe
  • %all processes started after malware is active in memory%

Rootkit Technology

It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.

Hides the following:

Method used:

  • Hidden from Windows API

Hooks the following API functions:

  • NtCreateProcess
  • NtCreateProcessEx
  • ZwCreateProcess
  • ZwCreateProcessEx

File details

Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:

  • FSG

– Main.FredPettis - 26 Mar 2009

goldun-haxspy-haxdoor.txt · Last modified: 2013/01/28 04:29 by 127.0.0.1