
Trojan:Win32/Scimstal.A


First posted on 07 September 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Scimstal.A is also known as W32/Banker.FMQQ (Norman), Win32/Swarft.B (CA), Trojan.Inject.8954 (Dr.Web), Win32/Agent.RIZ (ESET), Troj/Bdoor-AZG (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software), Trojan.ADH (Symantec).

Explanation :

Trojan:Win32/Scimstal.A is a trojan that downloads additional malware onto the infected computer.

Installation

When executed, Trojan:Win32/Scimstal.A launches "%program_files%\internet explorer\iexplore.exe" in suspended mode and injects its main malicious code into the memory space of this process, so that the code runs under the name of a legitimate browser process.

The trojan then creates the following registry entries so that the file it later downloads is loaded as a kernel-mode driver service. Type 0x1 is SERVICE_KERNEL_DRIVER, Start 0x1 is SERVICE_SYSTEM_START (the driver is loaded early in boot, before user logon), and ErrorControl 0x0 is SERVICE_ERROR_IGNORE (a failure to load the driver is not reported). Note that the image is given a .inf extension rather than the .sys extension a legitimate driver image would normally have.

Adds value: "ImagePath"
With data: "\??\<system folder>\drivers\viddev.inf"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\viddev

Adds value: "Start"
With data: "0x1"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\viddev

Adds value: "Type"
With data: "0x1"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\viddev

Adds value: "ErrorControl"
With data: "0x0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\viddev

Adds value: "Data"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\viddev

Payload

Downloads and executes files

Trojan:Win32/Scimstal.A tries to contact the domain "misc-auctions.com" in order to download a driver, saving it to the file location <system folder>\drivers\viddev.inf. At the time of writing, the file was not available from that domain, so the downloaded driver itself could not be examined.

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
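The registry entries above are the part of this infection that survives a reboot, so they are what an incident responder would hunt for across a fleet. The script below is an added example and is not part of the original analysis or any Microsoft tooling: it parses a `.reg` export of the Services key (the sample export embedded in it is constructed for the example) and flags kernel-driver services (Type 0x1) whose ImagePath ends in the viddev.inf path from this analysis or, more generally, whose image is not a .sys file. The function and constant names are the example's own choices; the SERVICE_* values are the documented Windows service constants.

```python
"""Triage a .reg export of HKLM\\SYSTEM\\CurrentControlSet\\Services for
kernel-driver service entries shaped like the 'viddev' persistence that
Trojan:Win32/Scimstal.A writes. Added example; not Microsoft's analysis code."""
import re
from typing import Any, Dict, List

# Well-known service constants (winnt.h / winsvc.h).
SERVICE_KERNEL_DRIVER = 0x1   # "Type" = 0x1 in the analysis
SERVICE_SYSTEM_START = 0x1    # "Start" = 0x1 in the analysis
SERVICE_ERROR_IGNORE = 0x0    # "ErrorControl" = 0x0 in the analysis

# Path tail from the analysis; <system folder> is resolved by the malware at run time.
SCIMSTAL_IMAGE_TAIL = r"\drivers\viddev.inf"

# Constructed sample of what `reg export HKLM\SYSTEM\CurrentControlSet\Services`
# might contain on an infected Windows 7 host: the Scimstal.A key plus a
# legitimate boot-start driver and an ordinary Win32 service for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\viddev]
"ImagePath"="\\??\\C:\\Windows\\System32\\drivers\\viddev.inf"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,64,00,69,00,73,00,6b,00,2e,00,73,00,\
  79,00,73,00,00,00
"Start"=dword:00000000
"Type"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"Start"=dword:00000002
"Type"=dword:00000110
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse the subset of the .reg format that service keys use:
    REG_SZ ("..."), REG_DWORD (dword:XXXXXXXX) and REG_EXPAND_SZ
    (hex(2):xx,xx,... split across backslash-continued lines)."""
    # A trailing backslash means the value continues on the next line.
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = name.strip().strip('"')
        if raw.startswith('"') and raw.endswith('"'):
            value: Any = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
        elif raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
            value = data.decode("utf-16-le").rstrip("\x00")
        else:
            value = raw  # other value types are not needed for this triage
        keys[current][name] = value
    return keys


def flag_suspicious_drivers(keys: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return kernel-driver services whose ImagePath matches the Scimstal.A path
    or is not a .sys file. Start/ErrorControl are reported as context: a
    system-start driver with ErrorControl=0 loads early in boot and any load
    failure is ignored, which is exactly what the trojan configures."""
    findings = []
    for key, vals in keys.items():
        if vals.get("Type") != SERVICE_KERNEL_DRIVER:
            continue  # Win32 services are out of scope for this check
        image = str(vals.get("ImagePath", "")).lower()
        reasons = []
        if image.endswith(SCIMSTAL_IMAGE_TAIL.lower()):
            reasons.append("ImagePath matches the viddev.inf path from the Scimstal.A analysis")
        if image and not image.endswith(".sys"):
            reasons.append("kernel driver whose image is not a .sys file")
        if reasons:
            findings.append({
                "key": key,
                "image": vals.get("ImagePath"),
                "system_start": vals.get("Start") == SERVICE_SYSTEM_START,
                "errors_ignored": vals.get("ErrorControl") == SERVICE_ERROR_IGNORE,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_drivers(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding["key"], finding["image"], finding["reasons"], sep="\n  ")
```

To run it against a real host, export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and read the file with `open("services.reg", encoding="utf-16")`, since `reg export` writes UTF-16LE with a byte-order mark. The .sys check is a heuristic rather than a rule: treat a hit as a lead to confirm against the file on disk and its signature, not as proof of infection.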

Analysis by Amir Fouda

Last update 07 September 2010

