Win32/Storark is a family of trojans that steals online game passwords and sends this captured data to remote sites.
Installation
When executed, Win32/Storark makes a copy of itself and drops a DLL to the System directory using randomly generated file names (for example <system folder>\kapjezy.dll). It then modifies the registry to load the DLL at each Windows start by adding values and data specific to the particular variant to the following subkeys:
Adds value: "{<clsid>}"
With data: "0"
To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS
Adds value: "(default)"
With data: "<system folder>\<dll filename>"
To subkey: HKLM\SOFTWARE\Classes\CLSID\<clsid>\INPROCSERVER32
where <clsid> is a hex string for the CLSID and <dll filename> is the filename of the dropped DLL mentioned above.
For example:
Adds value: "(default)"
With data: "<system folder>\kapjezy.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{5A321487-4977-D98A-C8D5-6488257545A5}\INPROCSERVER32
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
It then makes a further modification in the registry:
Adds value: "AppInit_DLLs"
With data: " <system folder>\<dll filename>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Finally, it drops a batch file that is used to delete the original copy of Trojan:Win32/Storark that was first executed.
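The three persistence locations described above (a ShellExecuteHooks CLSID, the CLSID's InProcServer32 default value, and AppInit_DLLs) can be audited from an elevated PowerShell prompt. The script below is an added example and is not part of the Microsoft write-up; the function names are this example's own, and it only reads the registry and file signatures, reporting any DLL loaded from <system folder> that lacks a valid Authenticode signature.

```powershell
# Added example, not part of the Microsoft write-up: read-only audit of the
# persistence locations described above (ShellExecuteHooks -> CLSID ->
# InProcServer32, and AppInit_DLLs). Function names are this example's own.
# Run from an elevated PowerShell prompt; nothing here modifies the registry.

$systemDir = [Environment]::GetFolderPath('System')   # resolves <system folder>

function Get-DllInfo {
    # Describe one DLL path: does it exist, and does it carry a valid signature?
    param([string]$Source, [string]$Clsid, [string]$Dll)
    $exists = ($Dll -and (Test-Path -LiteralPath $Dll))
    $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $Dll).Status.ToString() } else { 'n/a' }
    [pscustomobject]@{
        Source   = $Source
        Clsid    = $Clsid
        Dll      = $Dll
        Exists   = [bool]$exists
        SigState = $status
    }
}

function Get-ShellExecuteHookDlls {
    $hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (-not (Test-Path -LiteralPath $hookKey)) { return }
    # Every value name under ShellExecuteHooks is a CLSID; the COM server it
    # names is what Explorer loads, so resolve it through InProcServer32.
    $names = (Get-Item -LiteralPath $hookKey).GetValueNames() | Where-Object { $_ -like '{*}' }
    foreach ($clsid in $names) {
        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
        $dll = $null
        if (Test-Path -LiteralPath $serverKey) {
            $dll = (Get-Item -LiteralPath $serverKey).GetValue('')   # '' = the (default) value
        }
        Get-DllInfo -Source 'ShellExecuteHooks' -Clsid $clsid -Dll $dll
    }
}

function Get-AppInitDlls {
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $raw = [string](Get-ItemProperty -Path $winKey).AppInit_DLLs
    # The value is a space- or comma-separated list; the write-up notes a leading space.
    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        Get-DllInfo -Source 'AppInit_DLLs' -Clsid '' -Dll $entry
    }
}

$findings = @(Get-ShellExecuteHookDlls) + @(Get-AppInitDlls)
$findings | Format-Table -AutoSize

# Anything loaded from <system folder> without a valid signature deserves a look.
$findings |
    Where-Object { $_.Dll -like "$systemDir\*" -and $_.SigState -ne 'Valid' } |
    ForEach-Object { Write-Warning "Unverified DLL in a persistence key: $($_.Dll) ($($_.Source))" }
```

Legitimate software also registers shell execute hooks and AppInit DLLs, so the output is a list of candidates to review, not verdicts; on 64-bit Windows the same AppInit_DLLs value under the Wow6432Node view of the Windows NT key is worth checking as well.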
Payload
Steals Online Game Passwords
Win32/Storark sets up hooks in order to capture login information for popular online games. It then sends the captured data to a remote site.
Changes System Security Settings
Win32/Storark disables Windows Auto Update by modifying the following registry entry:
Adds value: "NoAutoUpdate"
With data: "1"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
It also disables the Windows firewall by modifying the following registry entry:
Adds value: "EnableFirewall"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
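The two policy values above are easy to check for, and to revert, from an elevated PowerShell prompt. The script below is an added example and is not part of the Microsoft write-up; its function names are this example's own. It reports whether each value is in the state the trojan sets, and the repair function only acts when called and honours -WhatIf.

```powershell
# Added example, not part of the Microsoft write-up: audit and, on request,
# revert the two registry values the trojan sets. Function names are this
# example's own. Run from an elevated PowerShell prompt.

$checks = @(
    @{ Name  = 'Windows Update policy'
       Key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Value = 'NoAutoUpdate'; Bad = 1; Fix = 'Remove' }
    @{ Name  = 'Firewall (standard profile)'
       Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
       Value = 'EnableFirewall'; Bad = 0; Fix = 'SetTo1' }
)

function Test-StorarkPolicyTampering {
    # One row per setting: current value (or <absent>) and whether it matches
    # the value the trojan writes.
    foreach ($c in $checks) {
        $current = $null
        if (Test-Path -LiteralPath $c.Key) {
            $current = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Value)
        }
        [pscustomobject]@{
            Setting  = $c.Name
            Path     = "$($c.Key)\$($c.Value)"
            Current  = if ($null -eq $current) { '<absent>' } else { $current }
            Tampered = (($null -ne $current) -and ([int]$current -eq $c.Bad))
        }
    }
}

function Repair-StorarkPolicyTampering {
    # The NoAutoUpdate policy value is absent on a default system, so it is
    # removed; EnableFirewall is a normal setting, so it is set back to 1.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($c in $checks) {
        $state = Test-StorarkPolicyTampering | Where-Object { $_.Setting -eq $c.Name }
        if (-not $state.Tampered) { continue }
        if ($PSCmdlet.ShouldProcess($state.Path, $c.Fix)) {
            switch ($c.Fix) {
                'Remove' { Remove-ItemProperty -Path $c.Key -Name $c.Value }
                'SetTo1' { Set-ItemProperty -Path $c.Key -Name $c.Value -Value 1 -Type DWord }
            }
        }
    }
}

Test-StorarkPolicyTampering | Format-Table -AutoSize
# Preview the changes first, then run without -WhatIf to apply them:
Repair-StorarkPolicyTampering -WhatIf
```

Writing EnableFirewall directly mirrors what the trojan does, which is why it is shown here; on Windows Vista and later the supported way to turn the firewall back on is netsh advfirewall or Set-NetFirewallProfile, and the firewall service should be confirmed running afterwards, since restoring the value does not by itself prove the rest of the infection is gone.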
Analysis by Chun Feng