
Saturday, March 10, 2012

Trojan-PSW.Win32.Dybalom.ggk


Technical Details

The trojan belongs to the family of password-stealing trojans. It is a Windows application (PE EXE file), 348,360 bytes in size, packed with MoleBox; its unpacked size is about 368 KB. It is written in C++.

Payload

Once launched, the trojan reads a configuration from its resources and, according to those settings, performs the actions described below.
The trojan has anti-debugging and anti-dynamic-analysis protection: it exits if a window with one of the following classes is present on the desktop:
PROCMON_WINDOW_CLASS
gdkWindowToplevel
(PROCMON_WINDOW_CLASS is the window class of Sysinternals Process Monitor; gdkWindowToplevel is the class of every GTK top-level window, such as the GTK-based Wireshark front-end of that era. Running either tool alongside the sample therefore makes it terminate before it does anything observable.)
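The following is an added example, not code from the original write-up: it reproduces the window-class check the description attributes to the sample (terminate when a window of a known analysis tool exists) so an analyst can test a sandbox host before detonation. The Win32 enumeration path assumes the sample resolves windows by class name, as FindWindow/EnumWindows do; the page does not say which API the sample actually calls, and the case-insensitive comparison is a conservative choice of this example, not a documented property of the sample.

```python
"""Pre-detonation check: would this host trip the trojan's window-class evasion?"""
import sys
from typing import Iterable, List

# Window classes named in the write-up. PROCMON_WINDOW_CLASS belongs to
# Sysinternals Process Monitor; gdkWindowToplevel is the class of GTK
# top-level windows (e.g. the GTK-based Wireshark of the period).
ANALYSIS_WINDOW_CLASSES = ("PROCMON_WINDOW_CLASS", "gdkWindowToplevel")


def enumerate_window_classes() -> List[str]:
    """Class names of all top-level windows on the current desktop (Windows only)."""
    if sys.platform != "win32":
        raise OSError("top-level window enumeration needs the Win32 user32 API")
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    user32.GetClassNameW.argtypes = (wintypes.HWND, wintypes.LPWSTR, ctypes.c_int)
    user32.GetClassNameW.restype = ctypes.c_int
    enum_proc_t = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    user32.EnumWindows.argtypes = (enum_proc_t, wintypes.LPARAM)
    user32.EnumWindows.restype = wintypes.BOOL

    classes: List[str] = []

    def collect(hwnd, _lparam):
        buf = ctypes.create_unicode_buffer(256)
        if user32.GetClassNameW(hwnd, buf, 256):
            classes.append(buf.value)
        return True  # keep enumerating

    user32.EnumWindows(enum_proc_t(collect), 0)
    return classes


def analysis_windows_present(window_classes: Iterable[str],
                             blocklist: Iterable[str] = ANALYSIS_WINDOW_CLASSES) -> List[str]:
    """Return the blocklisted classes found among window_classes, in blocklist order.

    Comparison is case-insensitive on purpose: a pre-check should err towards
    reporting a tool as visible rather than missing it.
    """
    seen = {c.lower() for c in window_classes}
    return [c for c in blocklist if c.lower() in seen]


def sample_would_exit(window_classes: Iterable[str]) -> bool:
    """True if, per the write-up, the trojan would terminate on a host showing these windows."""
    return bool(analysis_windows_present(window_classes))


if __name__ == "__main__":
    # On a Windows analysis VM this tells you whether to close ProcMon / Wireshark
    # (or hide them some other way) before running the sample.
    hits = analysis_windows_present(enumerate_window_classes())
    print("sample would exit on this host:" if hits else "no blocklisted windows", hits)
```

Run it on the analysis VM before detonation; if it reports a hit, the sample will exit silently and the trace will show nothing but the window lookup, which is itself a useful behavioural indicator when you see it in an API log.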
The trojan steals saved credentials and account data from the following applications and services:
Microsoft Passport.Net
Google Talk
Trillian
Pidgin
Paltalk
Steam Valve
No-Ip Duc
DynDNS
Mozilla Firefox
Internet Explorer 7/8
Google Chrome
Opera
Internet Download Manager
FileZilla
FlashFXP
SmartFTP
CuteFTP Lite
CuteFTP Home
CuteFTP Pro
The trojan sends the stolen data to the following URL:
http://www.ma***akings.com
At the time of writing, the URL was unreachable.
After this, the trojan terminates.
The trojan also creates the file:
%WorkDir%\<trojan-filename>-up.txt
It contains a log written by the protector (MoleBox) that wraps the trojan, so its presence next to an executable is a usable on-disk indicator even after the network side has gone dark.

Removal instructions

If your computer was not protected by an antivirus and became infected with this malware, follow these steps to remove it:
  1. Delete the original trojan file (its location on the infected computer depends on how the program reached the victim machine).
  2. Delete the file:
    %WorkDir%\<trojan-filename>-up.txt
  3. Because the trojan exfiltrates saved credentials, change the passwords for every account of the applications and services listed above once the machine is clean.
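To turn the two file-level removal steps into something repeatable across a disk image, here is an added example that is not part of the original write-up. It walks a tree, reports every `*-up.txt` file and, as an assumption about the naming, treats a sibling whose name equals the log name minus `-up.txt` (for example `invoice.exe` next to `invoice.exe-up.txt`) as the candidate trojan. `%WorkDir%` is taken to be the directory the trojan was started from. The directory layout built by `build_demo_tree` is constructed for the example; nothing is deleted, the analyst reviews the plan first.

```python
"""Hunt for the protector log the trojan leaves beside itself and draft a removal plan."""
from pathlib import Path
from typing import List, Optional, Tuple
import tempfile

LOG_SUFFIX = "-up.txt"  # <trojan-filename>-up.txt, per the write-up


def find_protector_logs(root: Path) -> List[Tuple[Path, Optional[Path]]]:
    """Return (log_path, candidate_trojan_or_None) for every *-up.txt under root.

    The candidate is the sibling file named like the log without its suffix;
    that pairing is this example's assumption about the naming scheme.
    """
    hits: List[Tuple[Path, Optional[Path]]] = []
    for log in sorted(root.rglob(f"*{LOG_SUFFIX}")):
        if not log.is_file():
            continue
        base = log.name[: -len(LOG_SUFFIX)]
        sibling = log.with_name(base)
        hits.append((log, sibling if base and sibling.is_file() else None))
    return hits


def removal_plan(hits: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Mirror the page's steps: delete the trojan first, then its log.

    A log with no paired executable is flagged for review instead of deleted,
    since *-up.txt is not specific enough on its own.
    """
    steps: List[str] = []
    for log, exe in hits:
        if exe is None:
            steps.append(f"review {log}: no sibling executable, may be unrelated")
            continue
        steps.append(f"delete {exe}")  # step 1: the original trojan file
        steps.append(f"delete {log}")  # step 2: the protector log next to it
    return steps


def build_demo_tree(root: Path) -> None:
    """Constructed sample layout for the example (not from a real infection)."""
    (root / "Downloads").mkdir()
    (root / "Downloads" / "invoice.exe").write_bytes(b"MZ" + b"\0" * 62)  # placeholder, not a PE
    (root / "Downloads" / "invoice.exe-up.txt").write_text("protector log placeholder\n")
    (root / "Temp").mkdir()
    (root / "Temp" / "notes-up.txt").write_text("unrelated file that happens to match\n")
    (root / "Temp" / "readme.txt").write_text("nothing to see\n")


def demo() -> List[Tuple[str, Optional[str]]]:
    """Build the constructed tree in a temp dir and return hits as root-relative POSIX paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return [
            (log.relative_to(root).as_posix(),
             exe.relative_to(root).as_posix() if exe else None)
            for log, exe in find_protector_logs(root)
        ]


if __name__ == "__main__":
    hits = demo()
    for line in removal_plan(hits):
        print(line)
```

Point `find_protector_logs` at a mounted image or user profile instead of the demo tree; the paired-executable heuristic keeps the noisy `*-up.txt` match from turning into a blind delete.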
