Home / malwarePDF  

Infostealer.Spasip


First posted on 15 April 2015.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Spasip.

Explanation :

Once executed, the Trojan creates the following files:
%UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\VFP6.EXE%UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\Docs\Info.txt%UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf\ldmap.txt%UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf\ldsysinfo.txt%UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\KB947652-ver.log%UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\~ld.exe%AllUsersProfile%\Start Menu\Programs\Startup\VFP6.lnk
The Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ShipTr\"lnk" = "WGQ7/mol"
The Trojan then creates a list of files and folders on the compromised computer and saves it to the following location:
%UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf\ldmap.txt
Next, the Trojan gathers the following information from the compromised computer:
Operating system versionIP address Host nameList of processesLocal name, remote name, and provider
The Trojan saves the gathered information to the following location:
%UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf\ldsysinfo.txt
The Trojan then searches the following locations for files with specific file extensions:
%UserProfile%\Desktop %UserProfile%\My Documents
The Trojan searches for files with the following extensions:
.doc.docx.pdf.tif.pgp.rtf.max.rhs.wpd
The Trojan also checks .lnk files found in the following location, searching for files with the listed extensions:
%UserProfile%\Recent
The Trojan copies any files it finds to the following location:
%UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf
If any removable drives are connected to the compromised computer, the Trojan will perform the following actions:
If the file %DriveLetter%\XP-Update\KB863113-ld.log is present on the removable drive, the Trojan will copy it to %UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\~ld.exe and then execute itIf the file %DriveLetter%\msdn\KB947652-ver.log is present on the removable drive, the Trojan will copy it to %UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\KB947652-ver.logThe Trojan will then create the following folder on the removable drive: %DriveLetter%\Recycled\[HOST NAME] The Trojan will then copy the files from the following location and place them in the newly created directory: %UserProfile%\My Documents\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf

Last update 15 April 2015

 

TOP