Trojan Summary - Firehouse Networks

Trojan Summary

Trojan Name: Sepuc
Risk Assessment: Corporate User: Low; Home User: Low
Trojan Information

Discovery Date: 04/20/2004
Origin: Unknown
Length: Various
Type: Trojan
SubType: Win32
Minimum DAT: 4352 (04/21/2004)
Updated DAT: 4352 (04/21/2004)
Minimum Engine: 4.2.40
Description Added: 04/21/2004
Description Updated: 04/22/2004 1:24 AM (PT)
Trojan Characteristics
This detection is for a trojan known to have been seeded by email at the time of writing.
Proactive Detection
The downloaded CHM (compiled help) file HELP.CHM is detected as VBS/Psyme with the 4299 DATs or greater.
The following files are involved:

- HELP.CHM (10,872 bytes) - CHM file containing the downloading script
- NOTEPAD.EXE (3,584 bytes) - downloader trojan that downloads and executes a dropper
- DROPPER (random filename) (49,152 bytes) - trojan that drops and installs the following 3 files:
  - SECUPD.EXE (14,336 bytes)
  - INFO.DLL (7,680 bytes)
  - UPDATE.DLL (6,144 bytes)
Please see the Method of Infection section for details of the infection mechanism.
Once installed on the victim machine, INFO.DLL harvests data (e.g. version numbers, PID number, build number), which is reported back to the attacker. UPDATE.DLL provides the functionality for the malware to download remote files and update itself.
Symptoms

- Existence of the Registry keys detailed in the infection mechanism
- Existence of the service detailed in the infection mechanism
Method Of Infection
This trojan is intended to be installed in multiple steps, some of which take advantage of vulnerabilities within Internet Explorer.
The infection mechanism is outlined below:
The spammed-out email message contains a malformed Object Data tag intended to take advantage of an Internet Explorer vulnerability (see the Exploit-MhtRedir description) in order to download a CHM file (HELP.CHM) to the victim machine.
This CHM file is detected as VBS/Psyme with the 4299 DATs or greater. This detection is for a script intended to download a file and write it to the local disk. The file is written to disk as NOTEPAD.EXE or SETUP1.EXE (3,584 bytes). An attempt is made to write it to various locations:
- C:\WINNT\TEMP
- C:\WINXP\TEMP
- C:\WINDOWS\TEMP
- C:\WINNT\SYSTEM32
- C:\WINXP\SYSTEM32
- C:\WINDOWS\SYSTEM32
- C:\TEMP
- C:\WINNT
- C:\WINDOWS
- C:\WINXP
This file is a downloading trojan, designed to download and execute another file. It downloads the file by sending data to a remote machine (IP address hardcoded in the downloader) on port 6000. The downloaded file is itself a dropper for other files.
When the dropper is run, three files are dropped on the victim machine:

- %SysDir%\SECUPD.EXE (14,336 bytes)
- %SysDir%\INFO.DLL (7,680 bytes)
- %SysDir%\UPDATE.DLL (6,144 bytes)
The following service is installed on the victim machine:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Security Update
  Display name: Windows Security Update
  Image Path: %systemroot%\system32\secupd.exe
  Startup: Automatic
SECUPD.EXE injects the two DLLs into the process space of LSASS.EXE on the victim machine.
Configuration data is stored within the following Registry key, which is also added upon infection:

HKEY_CLASSES_ROOT\.qbi
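The symptoms and infection mechanism above amount to a short list of host indicators (the service key, the HKCR\.qbi key, the three dropped files and their sizes, the 3,584-byte downloader, and DLLs loaded into LSASS.EXE). The following PowerShell host check is an added example, not vendor or page code; it reads those indicators back from a live machine and assumes an elevated session (the LSASS module listing needs it). Directory list and sizes are taken from the description; C:\WINNT and C:\WINXP are covered by $env:SystemRoot on the installed system.

```powershell
# Added example: check a Windows host for the Sepuc indicators listed on this page.
# Run elevated. Paths, names and byte sizes come from the description above.
$sysDir   = [Environment]::SystemDirectory
$findings = @()

# 1. Service installed by the dropper (Start = 2 means Automatic)
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Windows Security Update'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service key present: ImagePath='$($svc.ImagePath)' Start=$($svc.Start)"
}

# 2. Configuration key added on infection
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\.qbi') { $findings += 'HKCR\.qbi present' }

# 3. Dropped components in %SysDir%, matched on name, with the documented size noted
$dropped = @{ 'SECUPD.EXE' = 14336; 'INFO.DLL' = 7680; 'UPDATE.DLL' = 6144 }
foreach ($name in $dropped.Keys) {
    $path = Join-Path $sysDir $name
    if (Test-Path $path) {
        $len  = (Get-Item $path).Length
        $note = if ($len -eq $dropped[$name]) { 'size matches' } else { "size $len differs" }
        $findings += "$path present ($note)"
    }
}

# 4. The 3,584-byte downloader written as NOTEPAD.EXE or SETUP1.EXE. The legitimate
#    NOTEPAD.EXE in %SysDir% is much larger, so only an exact size match is reported.
$dirs = @($env:SystemRoot, "$env:SystemRoot\TEMP", $sysDir, 'C:\TEMP')
foreach ($d in $dirs) {
    foreach ($n in 'NOTEPAD.EXE', 'SETUP1.EXE') {
        $p = Join-Path $d $n
        if ((Test-Path $p) -and ((Get-Item $p).Length -eq 3584)) {
            $findings += "Downloader-sized file: $p"
        }
    }
}

# 5. SECUPD.EXE injects the two DLLs into LSASS.EXE; report them if currently loaded
try {
    $lsass = Get-Process -Name lsass -ErrorAction Stop
    $mods  = $lsass.Modules | Where-Object { $_.ModuleName -in 'INFO.DLL', 'UPDATE.DLL' }
    foreach ($m in $mods) { $findings += "lsass.exe has loaded $($m.FileName)" }
} catch { $findings += "Could not enumerate lsass.exe modules: $($_.Exception.Message)" }

if ($findings.Count -eq 0) { 'No Sepuc indicators found' } else { $findings }
```

A hit on the service key or HKCR\.qbi alone is a strong indicator; a bare file-name match without the documented size (step 3) is worth confirming with the DATs listed in the Trojan Information section before cleaning.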
Removal Instructions
All Users:
Use the specified engine and DAT files for detection. The 4.2.40 engine can complete repair without a reboot, but older engines require a reboot for the repair to complete.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the current engine and DAT combination (or higher); older engines may not be able to remove all Registry keys created by this threat.
Additional Windows ME/XP removal considerations
Variants
No known variants.

Aliases
- Sepuc.dldr (downloader component)
- Sepuc.dll
- Sepuc.dr (dropper component)
- Trj/Sepuc.A (Panda)