Win32/Boychi [Threat Name]
Win32/Boychi.A [Threat Variant Name]
Category | worm
Size | 1043456 B
Aliases | Win32/Boychi.A (Microsoft), Trojan.Dropper (Symantec), Variant.Kazy.81085 (BitDefender)
Short description
Win32/Boychi.A is a worm that steals passwords and other sensitive information. The worm attempts to send gathered information to a remote machine. It uses techniques common for rootkits.
Installation
When executed, the worm creates the following files:
- %localsettings%\jlc3V7we\IZsROY7X.-MP
- %localsettings%\jlc3V7we\t2HBeaM5.OUk
- %localsettings%\jlc3V7we\WeP1xpBU.wA-
- %localsettings%\jlc3V7we\6EaqyFfo.zIK
- %localsettings%\jlc3V7we\eiYNz1gd.Cfp
- %localsettings%\jlc3V7we\lUnsA3Ci.Bz7
The worm may create copies of the following files (source, destination):
- %system%\pstorec.dll, %localsettings%\jlc3V7we\hypn4cqI.HSC
- %mozillafirefoxrootfolder%\mozcrt19.dll, %localsettings%\jlc3V7we\mozcrt19.dll
- %mozillafirefoxrootfolder%\mozutils.dll, %localsettings%\jlc3V7we\mozutils.dll
- %mozillafirefoxrootfolder%\mozglue.dll, %localsettings%\jlc3V7we\mozglue.dll
- %mozillafirefoxrootfolder%\nspr4.dll, %localsettings%\jlc3V7we\nspr4.dll
- %mozillafirefoxrootfolder%\plds4.dll, %localsettings%\jlc3V7we\plds4.dll
- %mozillafirefoxrootfolder%\plc4.dll, %localsettings%\jlc3V7we\plc4.dll
- %mozillafirefoxrootfolder%\nssutil3.dll, %localsettings%\jlc3V7we\nssutil3.dll
- %mozillafirefoxrootfolder%\sqlite3.dll, %localsettings%\jlc3V7we\sqlite3.dll
- %mozillafirefoxrootfolder%\mozsqlite3.dll, %localsettings%\jlc3V7we\mozsqlite3.dll
- %mozillafirefoxrootfolder%\softokn3.dll, %localsettings%\jlc3V7we\softokn3.dll
- %mozillafirefoxrootfolder%\nss3.dll, %localsettings%\jlc3V7we\nss3.dll
- %mozillafirefoxrootfolder%\freebl3.dll, %localsettings%\jlc3V7we\freebl3.dll
- %mozillafirefoxrootfolder%\nssdbm3.dll, %localsettings%\jlc3V7we\nssdbm3.dll
Installs the following system drivers:
- %systemroot%\system32\drivers\ndisk.sys
In order to be executed on every system start, the worm modifies the following Registry key:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "*J7PugHy" = "%system%\rundll32.exe "%localsettings%\jlc3V7we\IZsROY7X.-MP",F1dd208"
The worm creates and runs a new thread with its own program code in all running processes.
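The installation artefacts listed above (the drop directory, the driver file and the HKCU Run value) are the most straightforward host indicators a defender can check for. The following PowerShell script is an added example, not part of the ESET entry; it assumes that ESET's %localsettings% placeholder resolves to $env:LOCALAPPDATA on Windows Vista and later (and to "%USERPROFILE%\Local Settings" on Windows XP) and that %systemroot% resolves to $env:SystemRoot. Beyond the exact value name "*J7PugHy", it also flags any Run entry that launches rundll32.exe against a library whose extension is not .dll, since that is how this variant loads IZsROY7X.-MP.

```powershell
# Added example (not from the ESET entry): host check for Win32/Boychi.A
# installation artefacts. Assumptions: %localsettings% -> $env:LOCALAPPDATA
# (Vista+) or "%USERPROFILE%\Local Settings" (XP); %systemroot% -> $env:SystemRoot.
$findings = @()

# 1. Drop directory and the installed driver file.
$dropDirs = @(
    (Join-Path $env:LOCALAPPDATA 'jlc3V7we'),
    (Join-Path $env:USERPROFILE 'Local Settings\jlc3V7we')
)
foreach ($dir in $dropDirs) {
    if (Test-Path -LiteralPath $dir) { $findings += "Drop directory present: $dir" }
}
$driverFile = Join-Path $env:SystemRoot 'system32\drivers\ndisk.sys'
if (Test-Path -LiteralPath $driverFile) { $findings += "Driver file present: $driverFile" }

# 2. Persistence: the known Run value name, plus a generic check for rundll32
#    entries that load a library without a .dll extension.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }   # registry provider metadata
        $val = [string]$prop.Value
        if ($prop.Name -eq '*J7PugHy') {
            $findings += "Known Boychi Run value: $($prop.Name) = $val"
        }
        elseif ($val -match '(?i)rundll32(\.exe)?\s+"?([^",]+)"?\s*,' -and
                $Matches[2] -notmatch '(?i)\.dll$') {
            $findings += "rundll32 Run entry loading a non-.dll library: $($prop.Name) = $val"
        }
    }
}

# 3. A loaded kernel driver backed by ndisk.sys (the service name is not given
#    in the entry, so match on the image path instead).
Get-CimInstance Win32_SystemDriver -Filter "PathName LIKE '%ndisk.sys'" -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Driver service loaded: $($_.Name) ($($_.PathName))" }

if ($findings.Count -eq 0) { 'No Win32/Boychi.A installation artefacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Because the worm hooks NtQueryDirectoryFile, NtEnumerateValueKey and NtQueryKey in every running process (see the API list below), a check like this run from within an infected live session may come back clean. Treat a clean result as inconclusive and confirm from offline media, or by parsing the NTUSER.DAT hive and the file system from a non-infected system.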
Information stealing
The worm gathers e-mail addresses from all local files.
Win32/Boychi.A tries to obtain information from the contact list of the affected user.
The worm collects information related to the following applications:
- Microsoft Internet Explorer
- Mozilla Firefox
- Opera
- Google Chrome
- Microsoft Outlook
- Mozilla Thunderbird
- Windows Live Mail
- Paltalk
- Googletalk
- Trillian
- Skype
The following information is collected:
- screenshots
- a list of recently visited URLs
- data from the clipboard
- e-mail addresses
- Windows Protected Storage passwords and credentials
- information about the operating system and system settings
- list of running processes
- login user names for certain applications/services
- login passwords for certain applications/services
The worm attempts to send gathered information to a remote machine. The worm contains a list of IP addresses (1 entry).
Other information
The worm hides its presence in the system.
It can execute the following operations:
- various file system operations
- log keystrokes
- capture webcam video/voice
- capture screenshots
- spread via IM networks
- create copies of itself on mobile devices (Microsoft Windows CE), USB drives, VMware systems
The worm hooks the following Windows APIs:
- CreateProcessA (kernel32.dll)
- CreateProcessW (kernel32.dll)
- CreateProcessAsUserA (advapi32.dll)
- CreateProcessAsUserW (advapi32.dll)
- CreateProcessAsUserW (kernel32.dll)
- NtQueryDirectoryFile (ntdll.dll)
- ReadDirectoryChangesW (kernel32.dll)
- NtQuerySystemInformation (ntdll.dll)
- NtDeviceIoControlFile (ntdll.dll)
- NtEnumerateValueKey (ntdll.dll)
- NtQueryKey (ntdll.dll)
- SendMessageW (user32.dll)
- SetWindowTextW (user32.dll)
- CreateWindowExA (user32.dll)
- CreateWindowExW (user32.dll)
- waveOutWrite (winmm.dll)
- waveInAddBuffer (winmm.dll)
- SendMessageTimeoutA (user32.dll)
- SendMessageTimeoutW (user32.dll)
- recv (ws2_32.dll)
- send (ws2_32.dll)
- WSARecv (ws2_32.dll)
- CreateFileW (kernel32.dll)
- DeleteFileW (kernel32.dll)
- MoveFileW (kernel32.dll)
- GetMessageA (user32.dll)
- GetMessageW (user32.dll)
- PeekMessageA (user32.dll)
- PeekMessageW (user32.dll)
- ImmGetCompositionStringW (imm32.dll)
- ReadConsoleInputA (kernel32.dll)
- ReadConsoleInputW (kernel32.dll)
- ReadConsoleA (kernel32.dll)
- ReadConsoleW (kernel32.dll)
- ReadConsoleInputExA (kernel32.dll)
- ReadConsoleInputExW (kernel32.dll)
- CreateDCW (gdi32.dll)
- CreateDCA (gdi32.dll)
- DeleteDC (gdi32.dll)
- StartDocW (gdi32.dll)
- StartDocA (gdi32.dll)
- StartPage (gdi32.dll)
- EndPage (gdi32.dll)
- EndDoc (gdi32.dll)
- SetAbortProc (gdi32.dll)
- GetDeviceCaps (gdi32.dll)