Method of Infection
When executed, Win32.Chisyne.F drops the DLL "req.dll" into the %System% folder. The trojan sets the hidden attribute on this DLL and modifies its security settings so that it cannot be changed. This DLL performs the rest of the trojan's functionality.
The trojan hooks this DLL into the Explorer.exe process so that it can hide its presence. The trojan also sets the following registry values, registering the DLL as a Winlogon notification package so that it is loaded each time the affected user logs into Windows:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req\DllName = %System%\reg.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req\Asynchronous = 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req\Impersonate = 0
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req\Logon = "Logon"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req\Logoff = "Logoff"
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for Windows 95, 98 and ME; and C:\Windows\System32 for Windows XP.
The trojan also installs itself as a Browser Helper Object (BHO) so that it runs every time Internet Explorer is executed:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}
HKCR\CLSID\{8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}\InprocServer32\(Default) = "C:\WINDOWS\System32\req.dll"
HKCR\CLSID\{8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}\InprocServer32\ThreadingModel = "Both"
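The following Python is an added example, not part of the original write-up: it parses a .reg export and reports any DLL that is registered both as a Winlogon Notify package and as the in-process server of a registered BHO, the dual-persistence pattern described above. The registry text, including a benign-looking notify entry for contrast, is constructed here for illustration.

```python
import re

# Constructed .reg-style export mirroring the keys described in the write-up.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req]
"DllName"="%System%\\req.dll"
"Asynchronous"=dword:00000001
"Logon"="Logon"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Example]
"DllName"="example.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}]
[HKEY_CLASSES_ROOT\CLSID\{8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}\InprocServer32]
@="C:\\WINDOWS\\System32\\req.dll"
"ThreadingModel"="Both"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"([^"]+)"|@)=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; '@' becomes '(Default)'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})  # keep keys that carry no values (the BHO key)
        elif (m := VAL_RE.match(line)) and current is not None:
            name = m.group(1) or "(Default)"
            if m.group(2) is not None:
                keys[current][name] = m.group(2).replace("\\\\", "\\")  # un-escape .reg strings
            else:
                keys[current][name] = int(m.group(3), 16)
    return keys

def dll_basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_dual_persistence(keys):
    """Return DLLs registered as a Winlogon Notify package and as a BHO in-process server."""
    notify, bho_clsids, inproc = {}, set(), {}
    for key, vals in keys.items():
        k = key.lower()
        if "\\winlogon\\notify\\" in k and "DllName" in vals:
            notify[dll_basename(vals["DllName"])] = key.rsplit("\\", 1)[-1]
        elif "\\explorer\\browser helper objects\\" in k:
            bho_clsids.add(key.rsplit("\\", 1)[-1].lower())
        elif "\\clsid\\" in k and k.endswith("\\inprocserver32") and "(Default)" in vals:
            inproc[key.split("\\")[-2].lower()] = dll_basename(vals["(Default)"])
    return [{"dll": inproc[c], "notify_package": notify[inproc[c]], "bho_clsid": c}
            for c in sorted(bho_clsids) if inproc.get(c) in notify]
```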