Recently I received reports regarding an email advertising a network utility developed by ParsOnline to help the customers monitor their accounts and usage. The email had a link to ZIP file on a file sharing web site. I downloaded the file and inspected its contents. It was a malware that installed a keylogger on the victim's machine. The keylogger would capture every keystroke of the user and took screenshots of the desktop every often, then send them to a gmail account.
The ZIP file contained 2 files:
- network.exe: the promised utility that the user would want to use. But when the user tries to extract the file, it requires a password. so ...
- Password.exe: appears as a password generator tool, and the user is really wondering how to get a password to extract network.exe. It would be obvious to extract this file and execute it. And that's how the malware executes.
By running Password.exe a window appears displaying a simple message:
But this is just the interface. At the same time the keylogger is installed on the user machine. It creates the 1053 directory in WindowsSystem32 path. The directory contains 2 malware files, svchovt.exe and vlt.bat. It also modifies Windows registry to make sure the malmware could perform as intended.
The svchovt.exe file is the keylogger program, as I inspected more it was probably developed by Visual Basic 6. It registers itself as a listener on user keystrokes, and takes a screenshot of the user desktop every often and stores the screenshot in user temporary files path. Its name is selected to be close to the svchost.exe which is a legitimate Windows process
Windows registry subkey SOUNDMAN is created in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun and points to the path that the svchovt.exe file resides on disk. This is to make sure the keylogger is executed on each user login session.
Panda cloud antivirus scanned the file and found no harm but Kaspersky free online scanner detected the malware. Reports from Kaspersky contained a screenshot of the malware window, but instead of ParsOnline, it was displaying "www.shatel.ir". So as it appears the malware was targeting other ISPs too.
To remove the malware manually, you could simply end the svchovt.exe process from the Windows task manager and then remove the malware files from WindowsSystem321053.
The malware is removed and can not run anymore, so the system is clean. In the end you could remove the SOUNDMAN subkey in Windows registry, but that's not essential.