rundlll.dll - Winsock 2 LSP Spyware Trojan

Windows Tutorials - Herong's Tutorial Examples

∟rundlll.dll - Winsock 2 LSP Spyware Trojan

This section describes a generic Winsock 2 LSP spyware trojan reported by McAfee. It uses a trojan file rundlll.dll to replace Microsoft mswsock.dll in the LSP registry entry.

When I was looking Winsock 2 LSP spyware trojan examples, I saw this one reported by McAfee at http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=141764. Here is a summary about this trojan.

Name: Generic LSP

Method of Infection: Double clicking malicious email attachments or malicious web page links.

Installer File - ucx.exe (18 KB, MD5: 2BD1D3C42EFC95CD5CEC4A7829E5EF9C): Added to the system folder temporary folders. It will be executed to make other changes to Windows systems.

LSP DLL File - rundlll.dll (102 KB, MD5: 7A3CF9893E1169AB37AEEF6DE10DC1EB): Added to the system folder. It will be used to replace mswsock.dll as the basic service provider in the LSP stack.

Registry Key Value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - "remotecontrol"="C:\WINDOWS\system32\UCX.EXE": Added to run the trojan installer ucx.exe as a startup program.

Registry Key Value: HKLM\SYSTEM\CurrentControlSet\Services\WinSock2 \Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 "PackedCatalogItem"=hex:43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33, 32,5c,72,75,6e,64,6c,6c,6c,2e,64,6c,6c,00,6c,00,00,00,...: Modified to link the Winsock 2 basic service provider entry to the trojan file, rundlll.dll. This entry was originally linked to Microsoft's mswsock.dll.