Saturday, February 25, 2012

TrojanSpy:Win32/SSonce.C


Encyclopedia entry
Updated: Jan 25, 2012  |  Published: Jan 25, 2012

Aliases
  • Sus/UnkPacker (Sophos)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.227.0
Released: Feb 23, 2012
Detection initially created:
Definition: 1.119.55.0
Released: Jan 18, 2012

Summary

TrojanSpy:Win32/SSonce.C is a trojan that collects sensitive information for an attacker.


Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
      <system folder>\update.exe
  • The presence of the following registry modification:
      Adds value: "Update.exe"
      With data: "c:\windows\system32\update.exe"
      To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run


Technical Information (Analysis)

TrojanSpy:Win32/SSonce.C is a trojan that collects sensitive information for an attacker.

Installation
When executed, TrojanSpy:Win32/SSonce.C copies itself to <system folder>\update.exe.

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP, Vista, and 7.

The malware adds the following registry entry to ensure that its copy executes at each Windows start:
Adds value: "Update.exe"
With data: "c:\windows\system32\update.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Payload
Contacts remote host
TrojanSpy:Win32/SSonce.C may contact a remote host at fahad-1998.no-ip.org (a dynamic DNS hostname, so the address it resolves to can change) using port 1515. Commonly, malware may contact a remote host for the following purposes:
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer

This malware description was produced and published using our automated analysis system's examination of a file with SHA1 hash 2203f126c389d01c2978a73df114e7c3541f2e2d.
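The indicators listed above (the dropped file, the Run value, the remote host and port, and the sample's SHA1) can be turned into a host triage check. The following PowerShell script is an added example written for this page; it is not part of the Microsoft encyclopedia entry. Only the file name, value name, subkey, host, port and SHA1 come from the entry. The function name Test-SSonceIndicators, the decision to walk every loaded hive under HKEY_USERS instead of just HKCU, and the use of the DNS client cache and TCP connection table are this example's own choices, and it assumes Windows PowerShell 4.0 or later on Windows 8 / Server 2012 or later, run from an elevated prompt.

```powershell
# Added triage script for TrojanSpy:Win32/SSonce.C indicators. Not part of the
# Microsoft entry; only the indicator values below are taken from it.
# Assumed: Windows PowerShell 4.0+ (Get-FileHash), Windows 8 / Server 2012+
# (Get-NetTCPConnection, Get-DnsClientCache), elevated session so that other
# users' loaded hives and all TCP connections are visible.

function Test-SSonceIndicators {
    $fileName  = 'update.exe'
    $runValue  = 'Update.exe'
    $runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
    $knownSha1 = '2203f126c389d01c2978a73df114e7c3541f2e2d'   # analysed sample, from the entry
    $c2Host    = 'fahad-1998.no-ip.org'
    $c2Port    = 1515

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Dropped file. Resolve the System folder from the OS rather than assuming
    #    C:\Windows\System32, as the entry's note on <system folder> requires.
    $sysDir  = [Environment]::GetFolderPath([Environment+SpecialFolder]::System)
    $dropped = Join-Path $sysDir $fileName
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        $sha1 = (Get-FileHash -LiteralPath $dropped -Algorithm SHA1).Hash.ToLowerInvariant()
        $note = if ($sha1 -eq $knownSha1) { 'SHA1 matches the analysed sample' } else { "present, SHA1 $sha1 differs from the analysed sample (other variant or unrelated file)" }
        $findings.Add([pscustomobject]@{ Indicator = 'File'; Detail = "$dropped - $note" })
    }

    # 2. Run-key persistence. The entry names HKCU, which only covers the account
    #    running this script, so walk every loaded user hive under HKEY_USERS.
    #    Match on the file name rather than the literal c:\windows\system32 path
    #    so the check does not depend on the drive letter or install location.
    $hives = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
             Where-Object { $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\$runSubKey"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key -Name $runValue -ErrorAction SilentlyContinue
        if ($item -and $item.$runValue -match '(^|\\)update\.exe') {
            $findings.Add([pscustomobject]@{ Indicator = 'Run key'; Detail = "$key\$runValue = $($item.$runValue)" })
        }
    }

    # 3. Network. The host is dynamic DNS, so do not pin an IP address: look for
    #    any TCP connection to the sample's port and for the host name in the
    #    local resolver cache (evidence of a recent lookup, even if the socket is gone).
    Get-NetTCPConnection -RemotePort $c2Port -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add([pscustomobject]@{ Indicator = 'TCP'; Detail = "$($_.LocalAddress) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State) pid $($_.OwningProcess)" })
    }
    Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -eq $c2Host } | ForEach-Object {
        $findings.Add([pscustomobject]@{ Indicator = 'DNS cache'; Detail = "$($_.Entry) -> $($_.Data)" })
    }

    # 4. A running copy launched from the dropped path.
    Get-Process -Name 'update' -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -eq $dropped } | ForEach-Object {
            $findings.Add([pscustomobject]@{ Indicator = 'Process'; Detail = "pid $($_.Id) $($_.Path)" })
        }

    return $findings
}

$result = @(Test-SSonceIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No TrojanSpy:Win32/SSonce.C indicators found on this host.'
} else {
    $result | Format-Table -AutoSize
}
```

Save it as a .ps1 and run it from an elevated PowerShell prompt. Two caveats apply when reading the output: an update.exe in the System folder whose SHA1 differs from the one above is not necessarily clean (the entry describes one analysed sample; other variants will hash differently), and a host with no findings is not proven clean either, since the host name and port are those of that single sample and an infection may already have been cleaned up or never beaconed. Treat the script as a quick first look and rely on current antimalware definitions for the actual verdict.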
