
Trojan.Spymel


First posted on 08 January 2016.
Source: Symantec

Aliases:

There are no other names known for Trojan.Spymel.

Explanation:

When the Trojan is executed, it may create the following files:
%UserProfile%\Application Data\ProgramFiles(32.1)\svchost.exe
%UserProfile%\Application Data\ProgramFiles(32.1)\svchost.exe.tmp
%UserProfile%\Start Menu\Programs\Startup\Startup32.1.exe
%AppData%\Roaming\ProgramFiles(32.1)\svchost.exe
%AppData%\Roaming\ProgramFiles(32.1)\svchost.exe.tmp
%AppData%\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\Startup32.1.exe
The Trojan may create the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\AppPath\"%UserProfile%\Application Data\ProgramFiles(32.1)\svchost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunSidebar(32.1) hex:02,00,00,00,00,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder\Startup32.1.exe hex:02,00,00,00,00,00,00,00,00,00,00,00,
The Trojan may log keystrokes on the compromised computer and send the stolen information to the following remote location:
213.136.92.111

Last update 08 January 2016

 
