Description:
To get a one-glance comprehensive view of the behavior of this spyware, refer to the Behavior Diagram shown below.
Spyware Overview
This spyware arrives on a system as an attachment to spammed email messages. A sample of the spammed email message is below:

The said attachment is an .RTF document containing an embedded executable file which is detected by Trend Micro as TSPY_MAHA.S. When a user opens the said attachment, the following message is displayed, tricking users into thinking that they need to click the icon in order to load the document:

Instead of loading a document, it drops an .EXE file and a component file in the Windows folder. Both files are also detected as TSPY_MAHA.S. It then injects the said component into the legitimate IEXPLORE.EXE process in order to open a hidden instance of Internet Explorer.
This spyware also disables Windows Firewall and Windows Firewall notification by creating certain registry entries.
It monitors all user activities on the affected system and saves the logs to an .HTML file. It also steals user account information used in certain applications, as well as account information entered when windows containing certain strings are opened on the affected system.
It then sends the stolen information via HTTP POST to certain URLs.
This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.
Moreover, this spyware is capable of downloading possibly malicious files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
It deletes files related to certain applications. As a result, these applications may not function properly.
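The following PowerShell triage script is an added example for responders; it is not part of the Trend Micro write-up. It checks a host for the symptoms the description names: Windows Firewall and its notifications disabled through the registry, a hidden IEXPLORE.EXE instance, and recently written executables, components or .HTML logs in the Windows folder. The registry paths and value names used are the documented Windows Firewall policy keys and are an assumption here, since the write-up does not name the entries the spyware creates; the seven-day window and the choice of the Windows folder as the only scanned location are likewise the author's assumptions, not facts from the page.

```powershell
# Added triage example (not from the Trend Micro write-up). Run elevated.
# Assumption: the firewall policy keys below are the standard Windows ones;
# the write-up does not list the exact entries TSPY_MAHA.S creates.

$findings = @()

# 1. Firewall state and notification setting, per profile, read from the registry.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($fwProfile in 'StandardProfile', 'DomainProfile', 'PublicProfile') {
    $key = Join-Path $fwBase $fwProfile
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p.EnableFirewall -eq 0) {
            $findings += "Firewall disabled in registry: $fwProfile (EnableFirewall=0)"
        }
        if ($p.DisableNotifications -eq 1) {
            $findings += "Firewall notifications disabled: $fwProfile (DisableNotifications=1)"
        }
    }
}
# Cross-check with the live profile state where the NetSecurity module exists.
if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | ForEach-Object {
        $findings += "Firewall profile reported disabled: $($_.Name)"
    }
}

# 2. IEXPLORE.EXE instances with no visible window (MainWindowHandle 0), with parent.
#    A hidden instance whose parent is not explorer.exe or the user's shell is suspect.
Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.MainWindowHandle -eq 0) {
        $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)"
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $findings += "Hidden iexplore.exe PID $($_.Id), parent '$($parent.Name)' " +
                     "(PID $($proc.ParentProcessId)), cmdline: $($proc.CommandLine)"
    }
}

# 3. Executables, components and .HTML files written directly into the Windows
#    folder recently (7-day window is an assumption; adjust to the incident timeline).
$cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -Path $env:WINDIR -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.html' -and $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $sigStatus = 'n/a'
        if ($_.Extension -in '.exe', '.dll') {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
        $findings += "Recent file in Windows folder: $($_.FullName) " +
                     "(written $($_.LastWriteTime), signature: $sigStatus)"
    }

if ($findings.Count -eq 0) {
    'No host indicators matching the TSPY_MAHA.S description were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

None of these checks is conclusive on its own: an unsigned recent file in the Windows folder or a windowless iexplore.exe can have benign causes, so treat hits as leads to confirm against the vendor's detection, the file's hash and outbound HTTP POST traffic from the hidden browser process rather than as a verdict.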