This Trojan program is designed to steal confidential data. It is a Windows PE EXE file, and is 34304 bytes in size. It is packed using a customized packer.

The Trojan copies itself to %sysdir%\ntos.exe with system, read only and archive attributes. When copying it appends random-sized junk to the end of its file in an attempt to make detection more difficult. It does not modify the PE header.

It creates the following directory:

%sysdir%\wsnpoem\ (hidden, system attributes)
%sysdir%\wsnpoem\audio.dll - data file
%sysdir%\wsnpoem\video.dll - config file

The Trojan adds itself to the following registry keys:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
userinit="%sysdir%\ntos.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
userinit="%sysdir%\ntos.exe"

It modifies:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Value "Userinit": from "%sysdir%\userinit.exe," to "%sysdir%\userinit.exe,%sysdir%\ntos.exe,"

The Trojan injects itself into winlogon.exe and from there on functions as a handle. It creates the following mutex to flag its presence in the system:

__SYSTEM__64AD0625__

The Trojan contacts 81.95.148.244 to download its config file, check for updates and to transmit harvested data. It accesses PStore to retrieve passwords. It also monitors network activity for the following:

*Tan*
*Schmetterling*
*berweisung*
*Amount*
*tanentry*
*RESULT2*
*citibank.de/*I2=*&H0=DT*banking.*/cgi/ueber*.cgi*bankofamerica.com/cgi-bin/ias/*/GotoWelcome
https://onlineeast.bankofamerica.com/cgi-bin/ias/*/GotoWelcomeCustomerServiceMenuEntryPoint?custAction=75

The Trojan captures information submitted via POST by browser to steal login data from sites. Captured data is transferred via FTP.

- Use Kaspersky Anti-Virus 6.0 to delete the Trojan. Update your antivirus databases and perform a full scan of your computer (download a trial version of Kaspersky Anti-Virus).
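The registry changes described above can be checked on exported registry data. The following is an added example, not part of the original description: it flags any program in the Winlogon "Userinit" value other than userinit.exe, and any Run-key value pointing at ntos.exe. The function names, the snapshot layout and the sample data are assumptions made for this illustration, and %sysdir% is assumed to be already expanded.

```python
import ntpath

DROPPED_NAME = "ntos.exe"  # file name from the description above

def unexpected_userinit_entries(value, sysdir=r"C:\Windows\system32"):
    """Return every program listed in a Winlogon Userinit value except userinit.exe."""
    expected = {"userinit.exe", ntpath.normcase(ntpath.join(sysdir, "userinit.exe"))}
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        if ntpath.normcase(ntpath.normpath(entry)) not in expected:
            extras.append(entry)
    return extras

def triage(snapshot, sysdir=r"C:\Windows\system32"):
    """Return (location, detail) findings for the persistence points described above."""
    findings = [("winlogon", e)
                for e in unexpected_userinit_entries(snapshot["winlogon_userinit"], sysdir)]
    for key, values in snapshot["run_keys"].items():
        for name, data in values.items():
            # Match on the file name so quoting and letter case do not matter.
            if ntpath.basename(data.strip('"')).lower() == DROPPED_NAME:
                findings.append(("run", f"{key}\\{name} = {data}"))
    return findings

# Constructed sample snapshots (hypothetical layout, not captured from a real host).
CLEAN = {
    "winlogon_userinit": r"C:\Windows\system32\userinit.exe,",
    "run_keys": {r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run": {}},
}
INFECTED = {
    "winlogon_userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\ntos.exe,",
    "run_keys": {
        r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run":
            {"userinit": r'"C:\Windows\system32\ntos.exe"'},
        r"HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run":
            {"userinit": r'"C:\Windows\system32\ntos.exe"'},
    },
}

if __name__ == "__main__":
    for location, detail in triage(INFECTED):
        print(location, detail)
```

Because the Userinit check reports anything that is not userinit.exe, it also catches a copy of the file stored under a different name.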
Printed From: http://www.viruslist.com/en/viruses/encyclopedia?virusid=21778127
Similar Virus/Threat >>
Trojan-Spy.Win32.KeyLogger.lb
This Trojan tracks the user's keystrokes. This Trojan is a Windows DLL file. It is 72,192 bytes in size. It is written in Delphi. Installation: This Trojan will be installed on the victim machine by...
Trojan-Spy.Win32.Goldun.ms
This Trojan steals confidential data. It is a Windows PE EXE file. The Trojan components vary in size from 39 to 48KB. Installation: When launching, the Trojan extracts the following file from its...
Trojan-Spy.Win32.Tofger.aa
This Trojan tracks the user's keystrokes. This Trojan is a Windows DLL file. This file will be used by other Trojan programs which are designed to steal confidential data. It is 3,072 bytes in...
Trojan-Spy.Win32.KeyLogger.e
This Trojan tracks the user's keystrokes, and is designed to steal confidential information. It is a Windows PE EXE file. It is written in Visual Basic. It is 920,576 bytes in size. It is packed...
Trojan-Spy.Win32.QQSpy.12.a
This Trojan is designed to steal confidential data. It is a Windows PE EXE file. It is written in Delphi. It is 193,024 bytes in size. The Trojan creates the following system registry...
Trojan-Spy.Win32.KeyLogger.p
This Trojan tracks the user's keystrokes, and is designed to steal confidential information. It is a Windows PE EXE file. It is 136,192 bytes in size. It is not packed in any way. It is written in...
Trojan-Spy.Win32.KeyLogger.h
This Trojan tracks the user's keystrokes, and is designed to steal confidential information. It is a Windows PE EXE file. It is 376,832 bytes in size. It is not packed in any way. It is written in...
Trojan-Spy.Win32.PcGhost.413
This Trojan is designed to steal confidential data. It is a Windows PE EXE file. It is written in Delphi. It is 275,456 bytes in size. Installation: This Trojan will be installed to the victim...
Trojan-Spy.Win32.PcGhost.400
This Trojan is designed to steal confidential data. It is a Windows PE EXE file. It is written in Delphi. It is 273,920 bytes in size. Installation: This Trojan will be installed to the victim...
Trojan-Spy.Win32.PcGhost.340
This Trojan is designed to steal confidential data. It is a Windows PE EXE file. It is written in Delphi. It is 241,152 bytes in size. Installation: This Trojan will be installed to the victim...
Trojan-Spy.Win32.Dks.131.b
This Trojan logs the user’s keystrokes. It is a Windows PE EXE file. It is written in Visual C++. The file is 6,144 bytes in size. The file is packed using UPX. The unpacked file is...
Trojan-Spy.Win32.Small.a
This Trojan is designed to intercept information entered via the keyboard. The program itself is a Windows PE EXE file. It is 4,096 bytes in size. It is packed using UPX. The unpacked file is...
Trojan-Spy.Win32.Dks.131.a
This Trojan logs the user’s keystrokes. It is a Windows PE EXE file. It is written in Visual C++. The file is 6,144 bytes in size. The file is packed using UPX. The unpacked file is...
Trojan-Spy.Win32.Banker.ckj
This Trojan intercepts confidential user data. It is a Windows PE EXE file, 29KB in size, packed using MEW. The unpacked file is approximately 225KB in size. Installation: When launched, the Trojan...
Trojan-Spy.Win32.VB.oq