
Win32.Blewfit.A (CA.com)

Description Published: January 30, 2005
Description Modified: January 31, 2005

Category: Win32
Also known as: Win32/Qukart.A!Trojan, Trojan-Spy.Win32.Qukart.s (Kaspersky)

Detected by (product: signature version):

eTrust Antivirus 6x/v7* (InoculateIT Engine): 23.68.10
eTrust Antivirus 6x/v7* (Vet Engine): 11.x/8890
eTrust EZ Antivirus 6.1x: 6.1x/6030
eTrust EZ Antivirus 6.2x: 6.2x/8890
eTrust EZ Antivirus 6.3x: 6.3x/8890
eTrust EZ Antivirus 6.4x: 6.4x/8890
eTrust EZ Antivirus 7.x: 7.x/8890
Vet Anti-Virus 10.6x: 10.6x/8890

* Includes updates for InoculateIT and eTrust InoculateIT 6.0.

Description

Win32.Blewfit.A is a trojan that monitors network traffic on an infected machine. It is UPX packed and is dropped by the trojan Win32.Webber.

Method of Infection 

When the trojan is executed, it drops the driver file "ndisrd.sys" (size: 15,338 bytes) into the "%System%\drivers" folder and creates the following registry key so that the driver is started at system boot:

HKLM\System\CurrentControlSet\Services\ndisrd

The aforementioned driver is freely available and is used as part of the WinpkFilter packet filtering framework.

The trojan also drops a DLL into the %System% folder with a filename of the form <prefix>32.dll. This DLL is responsible for the trojan's main functionality.

To hide its presence, the filetimes of both the driver and the DLL are set to those of kernel32.dll. The DLL also injects itself into the process space of explorer.exe, so that subsequent trojan activity appears to originate from this process.

The trojan creates the following registry keys and values so that it is executed each time Windows Explorer starts:

HKCR\CLSID\<CLSID>\InprocServer32\(Default) = %System%\<prefix>32.dll
HKCR\CLSID\<CLSID>\InprocServer32\ThreadingModel = Apartment
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mtklef = <CLSID>

Note: <CLSID> will be in the same format as the following string (used here as an example):

{16F69961-12B3-48F9-A797-051B37E9B5A8}

The trojan also creates the mutex "Qt_3" so that multiple copies of itself do not run at the same time.

Payload

Monitors Network Traffic/Steals Sensitive Information

The driver dropped initially (see Method of Infection above) can be used by the trojan to intercept network traffic. The trojan logs the filtered information to the file "%Windows%\oot.sys", which can be sent back to the attacker by the Win32.Webber trojan.
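The following host-hunting script is an added example, not part of the CA description. It checks a Windows host for the persistence traces described above: the ndisrd service, every ShellServiceObjectDelayLoad CLSID resolved to the DLL explorer.exe will load (flagging a <prefix>32.dll in %System% or a DLL whose timestamps were cloned from kernel32.dll), and the Qt_3 mutex. It assumes PowerShell 5.1 or later run with administrative rights.

```powershell
# Added hunting script (not CA's code). Run elevated; review every hit manually.
$ssodl = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$k32   = Get-Item (Join-Path ([Environment]::SystemDirectory) 'kernel32.dll')
$hits  = @()

# 1. Driver service. ndisrd.sys is the legitimate WinpkFilter driver, so its
#    presence is a lead to follow up, not proof of infection on its own.
$svcKey = 'HKLM:\System\CurrentControlSet\Services\ndisrd'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty $svcKey -ErrorAction SilentlyContinue).ImagePath
    $hits += "ndisrd service present (ImagePath: $img)"
}

# 2. ShellServiceObjectDelayLoad: each value is a CLSID; resolve it through
#    HKCR\CLSID\<CLSID>\InprocServer32 and inspect the DLL it points to.
if (Test-Path $ssodl) {
    $props = (Get-ItemProperty $ssodl).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' }   # drop provider metadata
    foreach ($p in $props) {
        $ips = "Registry::HKEY_CLASSES_ROOT\CLSID\$($p.Value)\InprocServer32"
        if (-not (Test-Path $ips)) { continue }
        $raw = (Get-ItemProperty $ips).'(default)'
        if (-not $raw) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        if (-not (Test-Path $path)) { $hits += "$($p.Name): DLL missing ($path)"; continue }
        $f = Get-Item $path
        $why = @()
        # Indicator: <prefix>32.dll dropped into %System%
        if ($f.Name -like '*32.dll' -and $f.DirectoryName -eq $k32.DirectoryName) {
            $why += 'name/location match'
        }
        # Indicator: timestamps copied from kernel32.dll to blend in
        if ($f.LastWriteTime -eq $k32.LastWriteTime -and $f.CreationTime -eq $k32.CreationTime) {
            $why += 'timestamps cloned from kernel32.dll'
        }
        if ($why) { $hits += "$($p.Name) -> $path [$($why -join '; ')]" }
    }
}

# 3. Mutex: OpenExisting throws when no mutex of that name is currently held.
try {
    $m = [System.Threading.Mutex]::OpenExisting('Qt_3')
    $m.Dispose()
    $hits += 'mutex Qt_3 is held by a running process'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {}

if ($hits) { $hits | ForEach-Object { Write-Output "SUSPECT: $_" } }
else       { Write-Output 'No Blewfit.A persistence traces found' }
```

Legitimate ShellServiceObjectDelayLoad entries exist on many Windows versions, so a name or timestamp match is a trigger for inspection (hash the DLL, check its signer) rather than a verdict.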

Analysis by Amir Fouda


Source : Computer Associates International
www.ca.com
