Description:
Trend Micro threat researchers post findings and analyses on various threats in real time at the Malware Blog. Users can find more information about this specific threat here.
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Spyware Overview
This spyware arrives as a file downloaded from a certain URL.
Upon execution, this spyware drops a copy of itself in the system folder. It then appends extra code to the end of the dropped copy so that the file's hash differs from the original and simple signature matching is less likely to detect it.
It modifies a registry entry to enable its automatic execution at system startup. This spyware injects itself into a legitimate process as part of its memory residency routine.
It creates a folder with attributes System and Hidden. This spyware then creates non-malicious files. It gathers information by logging user keystrokes.
This spyware connects to a Web site to download an encrypted configuration file. The downloaded file contains a list of targeted bank-related Web sites to monitor from which it steals information. Note that the list may change anytime.
This spyware steals sensitive information, such as user names and passwords, and saves it in the file %System%\wsnpoem\audio.dll. This routine risks the exposure of sensitive information, which may then lead to the unauthorized use of the stolen data. It then sends the file %System%\wsnpoem\audio.dll to http://{BLOCKED}ruspolice.com/other/s.php via HTTP POST.
It modifies the system's HOSTS file to prevent users from accessing a certain Web site. It also hides files and processes. It checks for the presence of the following processes, which are related to popular firewall applications.
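Two of the behaviours described above leave host-based artifacts an analyst can check for directly: the HOSTS file modification and the stolen-data file at %System%\wsnpoem\audio.dll. The following Python triage script is an added example (not code from the original page or from Trend Micro); the sample HOSTS content, the hostname in it, and the temporary directory standing in for %System% are all constructed for the demonstration.

```python
import os
import tempfile

# A clean Windows HOSTS file needs only these loopback entries; anything else
# (for example a security vendor's site pinned to 127.0.0.1) warrants review.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Stolen-data drop location reported on the page: %System%\wsnpoem\audio.dll
DROP_SUBDIR = "wsnpoem"
DROP_FILE = "audio.dll"


def hosts_overrides(hosts_text):
    """Return (ip, hostname) pairs in a HOSTS file that are not the default
    localhost mappings. Comments and blank lines are ignored."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if (ip, name.lower()) not in DEFAULT_HOSTS:
                found.append((ip, name.lower()))
    return found


def dropped_artifact(system_dir):
    """Return the path of <system_dir>/wsnpoem/audio.dll if present, else None."""
    path = os.path.join(system_dir, DROP_SUBDIR, DROP_FILE)
    return path if os.path.isfile(path) else None


def simulate_drop_check():
    """Check a throwaway %System% look-alike before and after planting the
    artifact; returns (clean_before, detected_after)."""
    with tempfile.TemporaryDirectory() as sysdir:
        before = dropped_artifact(sysdir)
        os.makedirs(os.path.join(sysdir, DROP_SUBDIR))
        open(os.path.join(sysdir, DROP_SUBDIR, DROP_FILE), "wb").close()
        after = dropped_artifact(sysdir)
    return before is None, after is not None


# Constructed sample HOSTS content (hostname is a placeholder, not from the page)
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.vendor.example   # pinned to loopback: blocks the site
"""

if __name__ == "__main__":
    print("HOSTS overrides:", hosts_overrides(SAMPLE_HOSTS))
    print("drop check (clean_before, detected_after):", simulate_drop_check())
```

On a live system, read C:\Windows\System32\drivers\etc\hosts and pass the system folder path instead of the constructed inputs.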