
Infostealer.Mysayad


First posted on 15 July 2014.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Mysayad.

Explanation :

Once executed, the Trojan creates the following files:
%UserProfile%\Application Data\Client\DiagnosticsService.dll
%UserProfile%\Application Data\Client\sqlite3.dll
%UserProfile%\Application Data\Client\[RANDOM FILE NAME].dll
%UserProfile%\Application Data\Client\base.dll
%UserProfile%\Application Data\Microsoft\Windows\Storage\[RANDOM FILE NAME].[RANDOM THREE LETTER FILE EXTENSION]
It then creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"DiagnosticsService" = "rundll32.exe %UserProfile%\Application Data\Client\DiagnosticsService.dll"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[STRING FROM CONFIGURATION FILE]" = "rundll32.exe %UserProfile%\Application Data\Client\DiagnosticsService.dll,[STRING FROM CONFIGURATION FILE]"
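A quick triage check for this persistence pattern, added here as an example and not part of the Symantec write-up: it parses Run-key commands, extracts the DLL that rundll32 would load, and flags entries whose DLL sits in a user-writable profile directory or matches the drop names listed above. The sample entries are constructed (the "UpdateCheck" export name stands in for the [STRING FROM CONFIGURATION FILE] placeholder; the NVIDIA and OneDrive entries are benign decoys that must not be flagged), and read_hkcu_run_key reads the live key with the standard-library winreg module on a Windows host. Two caveats a hunter should keep in mind: on Windows Vista and later, %UserProfile%\Application Data is a junction to %UserProfile%\AppData\Roaming, so check both spellings; and the first Run entry above names no export, which does not matter to the attacker because rundll32 loads the DLL (running its DllMain) before it looks for an export.

```python
"""Triage HKCU Run entries for rundll32 DLL persistence of the kind described above.

Added example, not Symantec's code. Each entry is a (value_name, command) pair;
SAMPLE_RUN_ENTRIES is constructed for the demo, read_hkcu_run_key() reads the
live key on a Windows host.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Locations a standard user can write to. A per-user Run entry that points
# rundll32 at a DLL here needs no admin rights and is a classic stealer setup.
USER_WRITABLE_PREFIXES = (
    "%userprofile%", "%appdata%", "%localappdata%", "%temp%", "%tmp%",
    "c:\\users\\", "c:\\documents and settings\\",
)

# DLL names dropped into ...\Client\ per the description above.
KNOWN_MYSAYAD_DLLS = {"diagnosticsservice.dll", "base.dll", "sqlite3.dll"}

# rundll32 keeps everything up to the first comma as the DLL path, so paths
# with spaces ("Application Data") work unquoted; the export name follows.
_RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)


@dataclass
class RunEntryFinding:
    value_name: str
    dll_path: str
    entry_point: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_rundll32(command: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (dll_path, export_name) if command runs rundll32, else None."""
    m = _RUNDLL32_RE.match(command)
    if not m:
        return None
    rest = m.group(1).strip()
    if "," in rest:
        dll, tail = rest.split(",", 1)
        tokens = tail.split()
        entry = tokens[0] if tokens else None
    else:
        dll, entry = rest, None
    return dll.strip().strip('"'), entry


def assess_run_entries(entries: Sequence[Tuple[str, str]]) -> List[RunEntryFinding]:
    """Flag rundll32 Run entries that load a DLL from a user-writable path
    or that match the Mysayad drop names."""
    findings: List[RunEntryFinding] = []
    for name, command in entries:
        parsed = parse_rundll32(command)
        if parsed is None:
            continue
        dll_path, entry = parsed
        low = dll_path.lower()
        basename = low.replace("/", "\\").rsplit("\\", 1)[-1]
        reasons = []
        if low.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("DLL is in a user-writable profile directory")
        if basename in KNOWN_MYSAYAD_DLLS and "\\client\\" in low:
            reasons.append("name and path match the Infostealer.Mysayad drop")
        if reasons and entry is None:
            # rundll32 calls LoadLibrary before looking for the export, so the
            # DLL's DllMain runs even when no export name is given.
            reasons.append("no export named; DllMain runs on load anyway")
        if reasons:
            findings.append(RunEntryFinding(name, dll_path, entry, reasons))
    return findings


def read_hkcu_run_key() -> List[Tuple[str, str]]:
    """Read the live HKCU Run key (Windows only, stdlib winreg)."""
    import winreg  # lazy import so the triage logic also runs off-Windows
    entries: List[Tuple[str, str]] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, value, _kind = winreg.EnumValue(key, i)
            entries.append((name, str(value)))
    return entries


# Constructed sample: the two Mysayad-style entries from the description
# ("UpdateCheck" stands in for [STRING FROM CONFIGURATION FILE]) plus two
# benign entries that must not be flagged.
SAMPLE_RUN_ENTRIES = [
    ("DiagnosticsService",
     r"rundll32.exe %UserProfile%\Application Data\Client\DiagnosticsService.dll"),
    ("UpdateCheck",
     r"rundll32.exe %UserProfile%\Application Data\Client\DiagnosticsService.dll,UpdateCheck"),
    ("NvCplDaemon", r"RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for f in assess_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[!] Run\\{f.value_name}: {f.dll_path} export={f.entry_point}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a live host, replace SAMPLE_RUN_ENTRIES with read_hkcu_run_key() and repeat for HKLM and the RunOnce keys; the parsing logic is the same.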
The Trojan may then steal the following information from the compromised computer:
Keystrokes
Screenshots
Computer name
User name
Public and internal IP addresses
Time zone
Language settings
List of open ports
List of processes
List of installed applications
User credentials stored in Chrome, Firefox, and Opera
Bookmarks
Cookies
Browsing history
Proxy settings for Chrome, Firefox, and Opera
The Trojan may also steal user credentials for the following applications:
GTalk
Pidgin
Skype
Yahoo Messenger
Proxifier
FileZilla
WinSCP
PuTTY
Remote Desktop
Kerio
The Trojan stores the stolen information in the following location:
%UserProfile%\Application Data\Microsoft\Windows\Storage\[RANDOM FILE NAME].[RANDOM THREE LETTER FILE EXTENSION]

The Trojan may then send the stolen information to one of the following remote locations:
5.144.129.2210o0o0o0o0.com
The Trojan can also perform the following actions:
Download updates
Wipe itself from the compromised computer

Last update 15 July 2014
