Virus Characteristics
Detection was added to cover protection against a password-stealing trojan originally called "ntos.exe", with a file size of 195.083 bytes.
The file is internally compressed with a packer.
When executed it runs silently; no GUI message boxes appear on screen.
It immediately copies itself to the %windows%\%system% directory and, to launch itself automatically at system start, creates a registry entry, for example on a Windows 2000 system:
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\run "userinit"
Data: C:\WINNT\System32\ntos.exe
It may also change the registry value in the key
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable"
The malware's main purpose is to capture and retrieve data; for example, it reads which network UID is in use by accessing the registry key
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network "UID"
It creates the directory c:\WINNT\system32\wsnpoem. Note that this directory is marked hidden.
It creates two files in that directory for logging captured screen data. Their size varies; on creation they are almost empty.
- c:\WINNT\system32\wsnpoem\audio.dll (filesize: 86 bytes, variable)
- c:\WINNT\system32\wsnpoem\video.dll (filesize: 0 bytes, variable)
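The host artifacts listed above (the "userinit" Run value pointing at ntos.exe and the hidden wsnpoem directory holding audio.dll and video.dll) can be checked offline against an exported host inventory. The following is an added example written for this page, not code from the original description or from any vendor; the inventory dictionaries are constructed sample data standing in for a registry export and a file listing.

```python
import ntpath  # Windows path semantics on any platform

# Indicators taken from the description above.
RUN_KEY = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPER_NAME = "ntos.exe"
LOG_DIR_NAME = "wsnpoem"
LOG_FILES = ("audio.dll", "video.dll")


def check_run_value(registry):
    """Flag a 'userinit' value under the HKEY_USERS\\.DEFAULT Run key whose data names ntos.exe.
    registry: {key_path: {value_name: value_data}}"""
    findings = []
    for key, values in registry.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == "userinit" and ntpath.basename(data).lower() == DROPPER_NAME:
                findings.append(f"autostart: {key}\\{name} = {data}")
    return findings


def check_log_dir(filesystem):
    """Flag a wsnpoem directory directly under system32 and its audio.dll / video.dll log files.
    filesystem: {path: {"hidden": bool, "size": int}}; paths compared case-insensitively."""
    findings = []
    known = {p.lower() for p in filesystem}
    for path, attrs in filesystem.items():
        parent, name = ntpath.split(path)
        if name.lower() != LOG_DIR_NAME or ntpath.basename(parent).lower() != "system32":
            continue
        flag = "hidden" if attrs.get("hidden") else "not hidden"
        findings.append(f"log directory ({flag}): {path}")
        for fname in LOG_FILES:
            fpath = ntpath.join(path, fname)
            if fpath.lower() in known:
                findings.append(f"log file: {fpath}")
    return findings


def triage(registry, filesystem):
    """Run both checks and return every finding as a line of text."""
    return check_run_value(registry) + check_log_dir(filesystem)


# Constructed sample inventory (hypothetical host, not real data).
SAMPLE_REGISTRY = {RUN_KEY: {"userinit": r"C:\WINNT\System32\ntos.exe"}}
SAMPLE_FS = {
    r"C:\WINNT\system32\wsnpoem": {"hidden": True, "size": 0},
    r"C:\WINNT\system32\wsnpoem\audio.dll": {"hidden": False, "size": 86},
    r"C:\WINNT\system32\wsnpoem\video.dll": {"hidden": False, "size": 0},
    r"C:\WINNT\system32\kernel32.dll": {"hidden": False, "size": 700000},
}
```

A normal Windows user's Run key (under HKEY_CURRENT_USER) is deliberately not matched, since the description ties this sample to the .DEFAULT hive.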