Trojan-Spy:W32/Montp

Classification

Category :

Malware

Type :

Trojan-Spy

Aliases :

Montp.F, TrojanSpy.Win32.Montp.f

Summary

A trojan that secretly installs spy programs, such as keyloggers.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan-Spy:W32/Montp identifies a powerful data-stealing program that collects information from users of numerous on-line banks and sends the collected data to a hacker by uploading specially created files to an FTP server. The trojan can also download and run additional files from FTP and HTTP servers. To disguise its actions, Montp uses stealth techniques. The first Montp variant was discovered in April 2004; the latest, Montp.F, was found on 6-7 June 2004.

Installation

The trojan's main file is a PE executable 44032 bytes long, packed with the PECompact file compressor. It drops a DLL file which is 241664 bytes long and is not packed. When the executable file is run, it installs itself to the system. During installation, the trojan copies its file to a subfolder named 'qmin' in the Windows System folder, using a randomly generated file name, for example 'adpgcjca.exe'. Then a DLL file named 'qmin2.dll' is dropped into the Windows System folder and activated. This DLL is used to hook certain APIs in order to intercept HTTPS requests. It also hides the malware's files and Registry keys (stealth).

The Trojan also creates the file 'xtempx.xxx' in the Windows System folder.

Data Theft

The dropped DLL component checks whether the user opens any of the following URLs over HTTPS (bank names have been removed from the list; only the domain suffixes are shown):

  • .co.uk
  • .co.uk
  • .com
  • .tv
  • .com
  • .com
  • .com.au
  • .com.au
  • .com
  • .co.uk
  • .co.uk
  • .com
  • .co.uk
  • .co.uk
  • .co.uk
  • .com
  • .com.au
  • .com
  • .com
  • .co.nz
  • .com
  • .com
  • .com
  • .se
  • .com.vn
  • .com
  • .com
  • .com
  • .de
  • .com
  • .com
  • .com
  • .com.hk
  • .com
  • .com
  • .com
  • .com
  • .com.au
  • .com
  • .de
  • .com.my
  • .com.my
  • .de
  • .com.au
  • .com
  • .net.au
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com
  • .com.au
  • .com
  • .de
  • .de
  • .com.hk
  • .com
  • .com
  • .com
  • .com
  • .com.au
  • .com
  • .co.nz
  • .co.nz
  • .com
  • .com.au
  • .com.au
  • .com
  • .com

If the user opens any of those URLs (most of which belong to on-line banks), the Trojan's DLL creates a file with a corresponding name. For several URLs, however, the Trojan uses a single common file name. The following files are created by the Trojan (bank names removed):

  • _co_uk.pst
  • _co_uk.pst
  • _com.pst
  • .pst
  • _com.pst
  • .pst
  • _com_au.pst
  • _com_au.pst
  • _com.pst
  • _CO_UK.pst
  • _CO_UK.pst
  • _COM.pst
  • _CO_UK.pst
  • _co_uk.pst
  • _co_uk.pst
  • instant1f.pst (used for several URLs)

The Trojan's DLL also checks for URLs containing any of the following strings:

  • zwallet.com
  • .cl
  • .ru
  • .ua
  • .o2.co.uk
  • ytv.com
  • yourastrologysite.com
  • .edu
  • yes.com.hk
  • yagma.com
  • mail
  • serviticket.com
  • sierraclub.org
  • wrem.sis.yorku.ca
  • worth1000.com
  • worldwinner.com
  • delawarenorth.com
  • .bg
  • uwaterloo.ca
  • t-mobile.com
  • .ac.uk
  • willhill.com
  • bigpond.net.au
  • intel.com
  • webzdarma.cz
  • nwa.com
  • sap-ag.de
  • guidehome.com
  • microsoft.com
  • .il
  • .ust.hk
  • .fi
  • .ac.nz
  • .sk
  • .ac.at
  • unb.ca
  • ubc.ca
  • sheridanc.on.ca
  • queensu.ca
  • mcmaster.ca
  • mcgill.ca
  • carleton.ca
  • douglas.bc.ca
  • .hr
  • comcast.net
  • webassign.net
  • there.com
  • uoguelph.ca
  • uottawa.ca
  • .jp
  • ych.com
  • icq.com
  • .tw
  • watchguard.com
  • walgreens.com
  • aircanada.ca
  • ibm.com
  • opusit.com.sg
  • vutbr.cz
  • vpost.com.sg
  • .md
  • vodafone
  • virginmobileusa.com
  • virginblue.com.au
  • mcafee.com
  • videotron.com
  • victoriassecret.com
  • veloz.com
  • vasa.slsp.sk
  • .com
  • uscitizenship.info
  • uscden.net
  • usafis.org
  • yesasia.com
  • ups.com
  • ucas.co.uk
  • uwindsor.ca
  • uoguelph.ca
  • unixcore.com
  • united.intranet.ual.com
  • preschoicefinancial.com
  • yorku.ca
  • trustinternational.com
  • trust1.com
  • trivita.com
  • travelcommunications.co.uk
  • travelclub.swiss.com
  • travel.priceline.com
  • travel.com.au
  • towerhobbies.com
  • game
  • hp.com
  • iprimus.com.au
  • iinet.net.au
  • music
  • ssdcl.com.sg
  • datasvit.net
  • starhubshop.com.sg
  • 012.net
  • stanfordalumni.org
  • .cz
  • tdcwww.net
  • tmi-wwa.com
  • tm.net.my
  • tirerack.com
  • ti.com
  • ultrastar.com
  • ticketmaster.com
  • three.com.hk
  • theaa.com
  • tepore.com
  • recruitsoft.com
  • freedom.net
  • telstra.com
  • telpacific.com.au
  • techdata.com
  • quickbooks.com
  • tbihosting.com
  • inlandrevenue.gov.uk
  • symantec
  • sony
  • .kz
  • dell
  • cablebg.net
  • supergo.com
  • look.ca
  • maximonline.com
  • streamload.com
  • apple.com
  • puma.com
  • a-net.com
  • webtrendslive.com
  • gigaisp.net
  • ihost.com
  • monster.com
  • .sok
  • lanck.net
  • farlep.net
  • .kr
  • speedera.net
  • kundenserver.de
  • ingrammicro.com
  • campoints.net
  • ains.com.au
  • srp.org.sg
  • sqnet.com.sg
  • adaptec.com
  • worldgaming.net
  • sportodds.com
  • sportingbet.com
  • spiritair.com
  • swamp.lan
  • soundclick.com
  • hkuspace.org
  • soccer.com
  • solo3..fi
  • snapfish.com
  • cometsystems.com
  • flextronics.com
  • esdlife.com
  • site-secure.com
  • singaporeair.com
  • sims.sfu.ca
  • simplyhotels.com
  • singnet.com.sg
  • silicon-power.com
  • signup.sprint.ca
  • shutterfly.com
  • shopundco.com
  • zoovy.com
  • go-fia.com
  • shoppersoptimum.ca
  • shopadmin.daum.net
  • o2online.de
  • ecompanystore.com
  • shkcorpws5.shkp.com
  • sfa.prudential.com.sg
  • hku.hk
  • vodafone.co.uk
  • cic.gc.ca
  • sfgov.org
  • rogers.com
  • macau.ctm.net
  • xs4all.nl
  • sympatico.ca
  • ariba.com
  • liveperson.net
  • sephora.com
  • senecac.on.ca
  • canon-europe.com
  • xtra.co.nz
  • t-mobile.co.uk
  • selfmgmt.com
  • securitymetrics.com
  • securewebexchange.com
  • western-inventory.com
  • playstation.com
  • imrworldwide.com
  • secureserver.net
  • secureordering.com
  • imrworldwide.com
  • securecart.net
  • wn.com.au
  • webeweb.net
  • mgm-mirage.com
  • w2express.com
  • vandyke.com
  • ubi.com
  • tsn.cc
  • trekblue.com
  • tickle.com
  • thewheelconnection.com
  • telusmobility.com
  • starbiz.net.sg
  • sparknotes.com
  • sparkart.com
  • sms.ac
  • billerweb.com
  • shaw.ca
  • safesite.com
  • register.com
  • oztralia.com
  • ordering.co.uk
  • orcon.net
  • optusnet.com.au
  • onlineaccess.net
  • oberon-media.com
  • nzqa.govt.nz
  • novuslink.net
  • nike.com.hk
  • netspeed.com.au
  • netfirms.com
  • netbilling.com
  • nai.com
  • nacelink.com
  • mysylvan.com
  • mouse2mobile.com
  • .com.au
  • lkw-walter.com
  • kent.net
  • reuters.com
  • intuitcanada.com
  • infusion-studios.com
  • indigosp.com
  • idx.com.au
  • hotbar.com
  • hostdozy.com
  • hilton.com
  • gevalia.com
  • fredericks.com
  • ezpeer.com
  • europeonline.com
  • e-registernow.com
  • emetrix.com
  • elsevier
  • element5.com
  • elance.com
  • earthport.com
  • directsex.com
  • directnic.com
  • deluxepass.com
  • delias.com
  • konetic.org
  • customersvc.com
  • c1hrapps.com
  • bnpparibas.net
  • .com
  • bearshare.com
  • authorize.net
  • advisor.com
  • adultfriendfinder.com
  • acadiau.ca
  • yimg.com
  • sebra.com
  • seatbooker.net
  • searchfit.org
  • eutelsat.net
  • carleton.ca
  • upjs.sk
  • scicollege.org.sg
  • sciamdigital.com
  • ebay
  • s-central.com.au
  • sbc.com
  • samsunggsbn.com
  • sammikk.com

Information from web pages intercepted this way is collected in a file named 'global1f.pst'. The trojan's EXE file then processes the PST files created by the DLL component, except for 'instant1f.pst' and 'global1f.pst', which are uploaded to an FTP site as-is.

After processing the PST files created for certain banks, the Trojan creates corresponding .INI files containing information such as the user's name, customer ID, date of birth, passwords, PINs, account numbers and other sensitive data. The following files are created after processing the bank-related PST files (bank names removed):

  • _co_uk.ini
  • .ini
  • _co_uk.ini
  • .ini
  • .ini
  • .ini
  • .ini
  • .ini
  • _co_au.ini
  • .ini
  • .ini
  • .ini
  • .ini
  • .ini

The files with collected data are uploaded to an FTP site, into directories named 'MAIN', 'FILT' and 'SPAM': the sorted data stolen from major banks (the .INI files) goes to 'MAIN'; the data stolen from other banks (the 'instant1f.pst' file) goes to 'FILT'; and the 'global1f.pst' file, with data collected from the other URLs, goes to 'SPAM'.
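The upload pattern just described (STOR commands into MAIN, FILT and SPAM directories, with .pst/.ini file names) is something a defender can look for in FTP control-channel logs. The following detection logic is an added example and is not F-Secure's code: the directory and file names come from the description above, while the log line format (timestamp, client address, server address, FTP command, argument), the sample log and the 192.0.2.x/10.0.0.x addresses are constructed for the demonstration.

```python
"""Detect Montp-style data uploads in FTP control-channel logs.

Added example, not F-Secure's code. The target directory names MAIN/FILT/SPAM
and the file names instant1f.pst/global1f.pst come from the description; the
log line format and the sample log are constructed for this demonstration.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Directory and file names reported in the description.
EXFIL_DIRS = {"MAIN", "FILT", "SPAM"}
EXFIL_NAMES = {"instant1f.pst", "global1f.pst"}
EXFIL_EXTS = (".pst", ".ini")

# Constructed log format: <timestamp> <client ip> <server ip> <FTP command> [argument]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<arg>.*))?$"
)

# Constructed sample log: one suspicious session (10.0.0.5) and one benign one (10.0.0.9).
CONSTRUCTED_FTP_LOG = """\
2004-06-07T10:15:02 10.0.0.5 192.0.2.10 USER uploader
2004-06-07T10:15:03 10.0.0.5 192.0.2.10 CWD MAIN
2004-06-07T10:15:04 10.0.0.5 192.0.2.10 STOR _co_uk.ini
2004-06-07T10:15:05 10.0.0.5 192.0.2.10 CWD ../SPAM
2004-06-07T10:15:06 10.0.0.5 192.0.2.10 STOR global1f.pst
2004-06-07T10:16:00 10.0.0.9 192.0.2.44 CWD reports
2004-06-07T10:16:01 10.0.0.9 192.0.2.44 STOR monthly.pdf
"""


def _last_component(path: str) -> str:
    """Final path element of an FTP argument, tolerating both slash styles."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def detect_montp_uploads(lines: Iterable[str]) -> List[dict]:
    """Return one finding per STOR that matches the Montp upload pattern.

    The current directory is tracked per (client, server) session so that a
    STOR can be judged against the preceding CWD.
    """
    cwd: Dict[Tuple[str, str], str] = {}
    findings: List[dict] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format, skip
        session = (m["src"], m["dst"])
        cmd, arg = m["cmd"].upper(), (m["arg"] or "").strip()
        if cmd == "CWD":
            cwd[session] = _last_component(arg).upper()
        elif cmd == "STOR":
            name = _last_component(arg)
            directory = cwd.get(session, "")
            reasons: List[str] = []
            if directory in EXFIL_DIRS:
                reasons.append(f"upload into {directory} directory")
            if name.lower() in EXFIL_NAMES:
                reasons.append("known Montp output file name")
            elif name.lower().endswith(EXFIL_EXTS):
                reasons.append("Montp-style data file extension")
            if reasons:
                findings.append({
                    "timestamp": m["ts"], "src": m["src"], "dst": m["dst"],
                    "directory": directory, "file": name, "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in detect_montp_uploads(CONSTRUCTED_FTP_LOG.splitlines()):
        print(finding)
```

The two signals are deliberately kept separate in the reasons list: a STOR into MAIN/FILT/SPAM is suspicious on its own, and the .pst/.ini names are suspicious on their own, so either alone still produces a finding while both together give the analyst a stronger case.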

Payload

Montp modifies the HOSTS file to redirect the domain name 'web.da-us.citibank.com' to the IP address 66.98.244.59.
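A HOSTS-file redirection of this kind bypasses DNS entirely, so a simple parser over the HOSTS file is an effective check. The following is an added example, not F-Secure's code: the only hostname/IP pair taken from the description is web.da-us.citibank.com -> 66.98.244.59; the sample HOSTS text is constructed, and the watchlist is a starting point a defender would extend with the bank domains relevant to their own users.

```python
"""Check a HOSTS file for the kind of bank-domain redirection Montp performs.

Added example, not F-Secure's code. The only hostname/IP pair taken from the
description is web.da-us.citibank.com -> 66.98.244.59; the sample HOSTS text
below is constructed, and the watchlist is meant to be extended locally.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Mapping reported in the description: hostname -> address it is redirected to.
KNOWN_MONTP_REDIRECT: Dict[str, str] = {"web.da-us.citibank.com": "66.98.244.59"}

# Domains that should never be pinned in HOSTS on a managed workstation.
# Only the entry from the description is included here; extend it locally.
DEFAULT_WATCHLIST = frozenset(KNOWN_MONTP_REDIRECT)

# Constructed sample, not a capture from an infected machine.
CONSTRUCTED_HOSTS = """\
# constructed HOSTS sample
127.0.0.1       localhost
66.98.244.59    web.da-us.citibank.com
127.0.0.1       ads.example.net   # local ad-blocking entry, benign
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, hostname, ip) for every mapping, ignoring comments and junk lines."""
    entries: List[Tuple[int, str, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, hostnames = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not a valid address, skip the line
        for host in hostnames:
            entries.append((line_no, host.lower(), ip))
    return entries


def find_hosts_hijacks(text: str, watchlist: Iterable[str] = DEFAULT_WATCHLIST) -> List[dict]:
    """Flag watchlisted hostnames pinned in HOSTS and any host pointed at a known Montp address."""
    watch = {h.lower() for h in watchlist}
    montp_ips = set(KNOWN_MONTP_REDIRECT.values())
    findings: List[dict] = []
    for line_no, host, ip in parse_hosts(text):
        reasons: List[str] = []
        if host in watch:
            # Any static mapping of a bank domain bypasses DNS. A loopback
            # sinkhole is worth a look; a non-local address is a likely hijack.
            if ipaddress.ip_address(ip).is_loopback:
                reasons.append("watchlisted domain sinkholed to loopback")
            else:
                reasons.append("watchlisted domain redirected to external address")
        if ip in montp_ips:
            reasons.append("address matches known Montp redirect")
        if reasons:
            findings.append({"line": line_no, "host": host, "ip": ip, "reasons": reasons})
    return findings


def check_hosts_file(path: str) -> List[dict]:
    """Read a HOSTS file from disk (on Windows: %SystemRoot%\\System32\\drivers\\etc\\hosts)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_hosts_hijacks(fh.read())


if __name__ == "__main__":
    for finding in find_hosts_hijacks(CONSTRUCTED_HOSTS):
        print(finding)
```

Run `check_hosts_file()` against the live HOSTS path on a suspect machine; the separate check on the known address catches the case where a later variant redirects a different hostname to the same server.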

The malware attempts to download and run a file named 'update8.exe' from the 'www.projecx.net' website. At the time this description was written, that file was no longer accessible. Additionally, the Trojan attempts to download and run a file named 'update.exe' from the FTP server to which it uploads stolen data.

The trojan also sets 'about:blank' as the Internet Explorer start page.

Montp looks for and terminates processes with the following names:

  • ARMOR2NET.EXE
  • SAVSCAN.EXE
  • NPROTECT.EXE
  • NVSVC32.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • ACKWIN32.EXE
  • ANTI-TROJAN.EXE
  • APVXDWIN.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCTRL.EXE
  • AVKSERV.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVWIN95.EXE
  • AVWUPD32.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • F-AGNT95.EXE
  • FINDVIRU.EXE
  • FPROT.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FRW.EXE
  • F-STOPW.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • JEDI.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • N32SCANW.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NUPGRADE.EXE
  • NVC95.EXE
  • OUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RESCUE.EXE
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SWEEP95.EXE
  • TBSCAN.EXE
  • TCA.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VSCAN40.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSTAT.EXE
  • WEBSCANX.EXE
  • WFINDV32.EXE
  • ZONEALARM.EXE

Most of these names belong to anti-virus and firewall software.

Registry Changes

A startup value for the Trojan's executable file is created in the Registry:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "qmin" = "%WinSysDir%\qmin\.exe"

Additionally, the Trojan creates the following Registry keys:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion] "qmin"
  • [HKCU\Software\Microsoft\Windows\] "qmax"

The last key is set at the beginning of the data-stealing process and then deleted.
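The file artifacts from the Installation and Data Theft sections and the Registry values listed here together make a compact host triage check. The following script is an added example and is not F-Secure's tooling: the indicator names (the 'qmin' subfolder, 'qmin2.dll', 'xtempx.xxx', the .pst data files, and the 'qmin'/'qmax' Registry values) come from the description, while the constructed sample tree, the example file name 'adpgcjca.exe' and the registry-reader callable are assumptions that let the check run on any platform; on a real Windows host `winreg_reader` is passed in place of the constructed reader.

```python
"""Offline triage for the Montp file and Registry artifacts described above.

Added example, not F-Secure's tooling. Indicator names come from the
description; the constructed sample tree, the example EXE name and the
registry-reader callable are assumptions so the check runs on any platform.
"""
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Files dropped into the Windows System folder (names from the description).
DROPPED_FILES = ("qmin2.dll", "xtempx.xxx")
DROP_SUBFOLDER = "qmin"  # holds the randomly named main EXE

# (hive, key path, value name) triples from the description.
REGISTRY_INDICATORS = (
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", "qmin"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion", "qmin"),
    ("HKCU", r"Software\Microsoft\Windows", "qmax"),
)

# A reader takes (hive, key, value name) and returns the data or None if absent.
RegReader = Callable[[str, str, str], Optional[str]]


def find_file_artifacts(system_dir: str) -> List[str]:
    """Return indicator paths found under system_dir, relative to it."""
    root = Path(system_dir)
    hits: List[str] = []
    for name in DROPPED_FILES:
        if (root / name).is_file():
            hits.append(name)
    drop_dir = root / DROP_SUBFOLDER
    if drop_dir.is_dir():
        # The main EXE has a random name, so report every .exe in the subfolder.
        hits.extend(p.relative_to(root).as_posix() for p in sorted(drop_dir.glob("*.exe")))
    # .pst files do not belong in the System folder; Montp writes its stolen data there.
    hits.extend(p.name for p in sorted(root.glob("*.pst")))
    return hits


def find_registry_artifacts(read_value: RegReader) -> List[Tuple[str, str, str, str]]:
    """Return (hive, key, name, data) for each indicator value the reader finds."""
    found: List[Tuple[str, str, str, str]] = []
    for hive, key, name in REGISTRY_INDICATORS:
        data = read_value(hive, key, name)
        if data is not None:
            found.append((hive, key, name, data))
    return found


def winreg_reader(hive: str, key: str, name: str) -> Optional[str]:
    """Reader for a live Windows host; returns None when the key or value is absent."""
    import winreg  # only available on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    try:
        with winreg.OpenKey(hives[hive], key) as handle:
            data, _kind = winreg.QueryValueEx(handle, name)
            return str(data)
    except OSError:
        return None


# Constructed registry snapshot standing in for winreg during the offline demo.
CONSTRUCTED_REGISTRY: Dict[Tuple[str, str, str], str] = {
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", "qmin"):
        r"C:\WINDOWS\system32\qmin\adpgcjca.exe",
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion", "qmin"): "",
}


def constructed_reader(hive: str, key: str, name: str) -> Optional[str]:
    return CONSTRUCTED_REGISTRY.get((hive, key, name))


def build_constructed_sample(base: str) -> None:
    """Lay out a fake System folder resembling an infected host (constructed)."""
    root = Path(base)
    (root / DROP_SUBFOLDER).mkdir()
    for rel in (f"{DROP_SUBFOLDER}/adpgcjca.exe", "qmin2.dll",
                "instant1f.pst", "global1f.pst", "kernel32.dll"):
        (root / rel).write_bytes(b"constructed placeholder")


def demo() -> Tuple[List[str], List[Tuple[str, str, str, str]]]:
    """Run both checks against the constructed sample and return their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        files = find_file_artifacts(tmp)
    return files, find_registry_artifacts(constructed_reader)


if __name__ == "__main__":
    file_hits, reg_hits = demo()
    print("file artifacts:", file_hits)
    print("registry artifacts:", reg_hits)
```

On a live host, call `find_file_artifacts` with the real System folder path and `find_registry_artifacts(winreg_reader)`; the 'qmax' value is only present while data theft is in progress, so its absence does not clear the machine.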