TROJ_SUA.A
Technical Details

Size of malware: 20,480 Bytes to 118,858 Bytes

Initial samples received on: Apr 18, 2002


Payload 1: (It downloads & installs programs on the infected system)

Trigger condition 1: Upon execution



Details:

Installation

Upon execution of MNSVC.EXE, it sleeps for approximately five (5) minutes, after which it creates a mutex named "Minstaller Mutex" or "BVT Multiple Startup Prevention Mutex." If an error occurs because a mutex of that name already exists, it simply terminates. Otherwise, it continues and sleeps again for approximately five (5) minutes. This is a residency check to ensure that only one instance of the program is loaded in memory.

It connects to the URL www.<blocked>.com/au/index.asp and waits for an HTTP 200 response. If received, it then reads the data contained in the file index.asp. It uses this data to retrieve the file size and directory of the file it attempts to download.

The Trojan creates an AUSVC.EXE file in the Windows directory and downloads the contents of the file into it. It again sleeps for 30 minutes before it executes the file and terminates itself. AUSVC.EXE is a software package installer that retrieves data via HTTP requests, and downloads and installs software onto the infected system.

Occasionally, it connects to and retrieves files from the following sites:

  • www.<blocked>.com
  • www2.<blocked>.com

Upon execution of AUSVC.EXE, it drops the following files:

  • %Windows%\Auupg.exe
  • %Windows%\Msvcp60.dll
  • %Windows%\Mnsvc.exe
  • %Temp%\undo.bat

Note:
  • MSVCP60.DLL is a Microsoft Visual C++ runtime library.
  • MNSVC.EXE is a 4-byte text file that contains the string "test".
  • UNDO.BAT is a cleanup batch file that deletes the files the installer no longer needs.

Once everything has been downloaded, it executes AUUPG.EXE to retrieve the other packages. Upon execution, AUUPG.EXE performs the following:

  • Download UNDO.EXE into the Windows Temp directory, and EA.BIN, MTBCD.BAK, MNSVC.EXE, BVT.EXE and ABSTR.EXE into the Windows directory.
    Note:
    EA.BIN contains some hexadecimal numbers.
    MBTCD.BAK contains some encrypted data.
    MNSVC.EXE still contains the same 4-byte string "test".
  • Execute UNDO.EXE, which in turn deletes the file AUSVC.EXE.
  • Execute the previously dropped file undo.bat to delete UNDO.EXE.
  • Execute both BVT.EXE and ABSR.EXE before it terminates.
BVT.EXE and ABSR.EXE are IE plug-ins that act as spyware to monitor the infected user’s web activity.

The files MNSVC.EXE, AUSVC.EXE, BVT.EXE and ABSR.EXE may create registry run keys in the following path so that they may execute upon next reboot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
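A host triage sweep for the artifacts listed in this description, added here as an example and not part of the original write-up or any vendor tool. It assumes it is run as an administrator on the host being checked, and it looks only for the mutex names, dropped file names and Run-key references named above; the file names in `$DroppedFiles` are this page's, placed under `%Windows%` and `%Temp%` as described.

```powershell
# Constructed triage sweep for the TROJ_SUA.A artifacts named on this page.
# Assumption: run elevated on the host under investigation.
$MutexNames  = @('Minstaller Mutex', 'BVT Multiple Startup Prevention Mutex')
$DroppedFiles = @(
    "$env:windir\Auupg.exe", "$env:windir\Mnsvc.exe", "$env:windir\Ausvc.exe",
    "$env:windir\Bvt.exe",   "$env:windir\Absr.exe",  "$env:windir\Ea.bin",
    "$env:windir\Mtbcd.bak", "$env:TEMP\undo.bat",    "$env:TEMP\undo.exe"
)
$RunKeyNames = @('mnsvc.exe', 'ausvc.exe', 'bvt.exe', 'absr.exe')
$RunKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings    = @()

# 1. Residency check: the Trojan's own mutex is a cheap in-memory indicator.
#    An existing mutex we cannot open is still reported, since that alone is a signal.
foreach ($name in $MutexNames) {
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $findings += "mutex present: $name"
            $m.Dispose()
        }
    } catch [System.UnauthorizedAccessException] {
        $findings += "mutex present but access denied: $name"
    }
}

# 2. Dropped files in %Windows% and %Temp%. Msvcp60.dll is a legitimate runtime
#    library and is deliberately not treated as an indicator here.
foreach ($path in $DroppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "file present: $path ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

# 3. Run-key persistence: flag any value whose command references one of the components.
if (Test-Path $RunKey) {
    $values = Get-ItemProperty -Path $RunKey
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        foreach ($exe in $RunKeyNames) {
            if ("$($prop.Value)" -match [regex]::Escape($exe)) {
                $findings += "run key '$($prop.Name)' -> $($prop.Value)"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No TROJ_SUA.A artifacts found.' } else { $findings }
```

Because MNSVC.EXE is later overwritten with a 4-byte text file, the file size reported by the sweep is itself useful context when reading the output.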

