Method of Infection
When executed, Win32/Sipay.LM drops a copy of itself as "Manager.exe" in the %Documents and Settings%\{Current User}\Application Data\Adobe\ folder.
The trojan creates the following registry entry so that it runs on every system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Run = "%Documents and Settings%\{Current User}\Application Data\Adobe\Manager.exe"
Payload
Downloads and Executes Arbitrary Files
Win32/Sipay.LM attempts to download files by using BITS (Background Intelligent Transfer Service), a legitimate Microsoft file transfer service used on Windows operating systems.
First, Win32/Sipay.LM drops the following files:
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
These files contain:
- a URL from which to download files;
- the full path to where the downloaded file will be saved.
It may attempt to download files from this domain:
http://hqsextube08.com/
Win32/Sipay.LM saves the downloaded file to the %Temp% folder and executes it.
Note: %Documents and Settings% and %Temp% are variable locations. The malware determines the locations of these folders by querying the operating system. A typical location for Documents and Settings is C:\Documents and Settings. A typical location for the Temporary folder is C:\Documents and Settings\[UserName]\Local Settings\Temp\.
Modifies Registry
Win32/Sipay.LM sets the following BITS-related registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS
HKLM\SYSTEM\CurrentControlSet\Services\BITS\Enum
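The following PowerShell script is an added defender-side audit, not part of this encyclopedia entry. It checks a host for the indicators described in the Method of Infection and Payload sections: a HKCU Run value that launches Manager.exe from the per-user Adobe folder, the dropped Manager.exe itself, the qmgr*.dat BITS job-store files, and any live BITS job whose remote URL points at the named domain or whose destination is a Temp folder. The three keys listed under Modifies Registry exist on a clean Windows install and are not checked, since their presence alone indicates nothing. The paths assume the XP-era layout quoted above; the Vista-and-later equivalents are included as an assumption, and Get-FileHash is only used where the PowerShell version provides it.

```powershell
# Added audit script (not Microsoft's code). Run from an elevated PowerShell
# so that Get-BitsTransfer -AllUsers can enumerate every user's jobs.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run-key persistence: any value whose data launches ...\Adobe\Manager.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match '(?i)\\Adobe\\Manager\.exe') {
            $findings.Add("Run value '$($p.Name)' -> $($p.Value)")
        }
    }
}

# 2. Dropped binary in the current user's Application Data\Adobe folder
$dropped = Join-Path $env:APPDATA 'Adobe\Manager.exe'
if (Test-Path -LiteralPath $dropped) {
    $detail = $dropped
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {   # PowerShell 4+ only
        $detail += ' (SHA256 ' + (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash + ')'
    }
    $findings.Add("Dropped file present: $detail")
}

# 3a. BITS job-store files (qmgr0.dat / qmgr1.dat). First path is the XP layout
#     quoted in the entry; the second is assumed for Vista and later.
$storeDirs = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Network\Downloader'),
    (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Network\Downloader')
)
foreach ($dir in $storeDirs) {
    Get-ChildItem -LiteralPath $dir -Filter 'qmgr*.dat' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add("BITS job store: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))")
        }
}

# 3b. Live BITS jobs fetching from the named domain or writing into a Temp folder
Import-Module BitsTransfer -ErrorAction SilentlyContinue
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    $job = $_
    foreach ($f in $job.FileList) {
        if ($f.RemoteName -match '(?i)hqsextube08\.com' -or $f.LocalName -match '(?i)\\Temp\\') {
            $findings.Add("BITS job '$($job.DisplayName)' [$($job.JobState)] $($f.RemoteName) -> $($f.LocalName)")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Sipay.LM indicators found.'
} else {
    Write-Warning "$($findings.Count) indicator(s) found:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The job-store files are only a weak signal on their own, because BITS writes qmgr*.dat during normal operation (Windows Update uses the service); a recent modification time combined with a matching Run value or a job pointing at the listed domain is what makes the finding actionable. Matching jobs can be inspected with `Get-BitsTransfer -AllUsers | Format-List *` and cancelled with `Remove-BitsTransfer` once the Run value and dropped file have been dealt with.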
Analysis by Mary Grace Gabriel