
Infostealer.Progsilog


First posted on 11 April 2015.
Source: Symantec

Aliases:

There are no other names known for Infostealer.Progsilog.

Explanation:

The Trojan arrives on the compromised computer as an object inside a Word document attached to an email.

When the Trojan is executed, it creates the following files:
%UserProfile%\Local Settings\Temp\tempscr.jpg
%UserProfile%\Local Settings\Temp\proclog.log
The Trojan drops a .pdf file in the following location:
%UserProfile%\kirova.pdf
The Trojan opens this file, using the default PDF reader, as a decoy.

The Trojan checks the hostname and IP address of the compromised computer for substrings on its own list. If any matches are found, it deletes itself from the compromised computer.

The Trojan checks process names and registry entries against its own list of items related to virtual machines, sandboxes, and analysis tools. If any matches are found, it deletes itself from the compromised computer.

The Trojan may steal files with the following extensions:
.txt
.docx
.doc
.xlsx
.xls
.zip
.rar
.7z
The Trojan may steal files with the following strings in the file name:
parole
mail
e-mail
login
hosting
.nic.ru
timeweb
The Trojan may steal files whose file name is not one of the following:
uds_hosting.txt
getLoginStatus.txt
LoginForm.zip
fb_login.zip
xmpp_login.zip
EmailShield.txt
phone_login_icon.zip
THIRDPARTYLICENSEREADME.txt
ThirdPartyNotices.txt
ThirdPartyCopyrightNotices.txt
THIRDPARTYLICENSEREADME-JAVAFX.txt
phone_login_images.zip
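As an added defender-side example (not code from the writeup or from Symantec), the three file-selection rules above combined into one check that an incident responder can run over a host's file listing to scope which files matched the stealer's criteria and may have been collected. Case-insensitive matching and the sample file paths are assumptions.

```python
import ntpath
from typing import Iterable, List

# Selection criteria as stated in the writeup.
TARGET_EXTENSIONS = (".txt", ".docx", ".doc", ".xlsx", ".xls", ".zip", ".rar", ".7z")
TARGET_STRINGS = ("parole", "mail", "e-mail", "login", "hosting", ".nic.ru", "timeweb")
EXCLUDED_NAMES = {
    "uds_hosting.txt", "getLoginStatus.txt", "LoginForm.zip", "fb_login.zip",
    "xmpp_login.zip", "EmailShield.txt", "phone_login_icon.zip",
    "THIRDPARTYLICENSEREADME.txt", "ThirdPartyNotices.txt",
    "ThirdPartyCopyrightNotices.txt", "THIRDPARTYLICENSEREADME-JAVAFX.txt",
    "phone_login_images.zip",
}
_EXCLUDED_LOWER = {e.lower() for e in EXCLUDED_NAMES}


def would_be_targeted(path: str) -> bool:
    """Return True if the file name meets all three stated rules.

    Assumption (not stated in the writeup): matching is case-insensitive.
    The exclusion list contains mixed-case names such as LoginForm.zip that
    only hit the "login" substring case-insensitively, which supports this.
    """
    # ntpath handles Windows-style paths regardless of the analysis host's OS.
    name = ntpath.basename(path).lower()
    if not name.endswith(TARGET_EXTENSIONS):
        return False  # rule 1: extension must be on the list
    if not any(s in name for s in TARGET_STRINGS):
        return False  # rule 2: file name must contain a listed string
    return name not in _EXCLUDED_LOWER  # rule 3: explicit exclusions


def triage(paths: Iterable[str]) -> List[str]:
    """Return the subset of paths that the stealer would have selected."""
    return [p for p in paths if would_be_targeted(p)]


# Constructed sample file listing; these paths are not from the writeup.
SAMPLE = [
    r"C:\Users\ivan\Documents\parole_bank.docx",
    r"C:\Users\ivan\Documents\hosting_invoice.txt",
    r"C:\Users\ivan\Downloads\LoginForm.zip",
    r"C:\Users\ivan\Downloads\EmailShield.txt",
    r"C:\Users\ivan\Pictures\e-mail_backup.jpg",
    r"C:\Users\ivan\Documents\budget.xlsx",
]

if __name__ == "__main__":
    for p in triage(SAMPLE):
        print("likely collected:", p)
```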
The Trojan sends the stolen files to the following location:
[http://]plantsroyal.org/loade[REMOVED]
The Trojan may download and execute potentially malicious files from the following URL:
[http://]plantsroyal.org/css/salom[REMOVED]
The malicious file may be saved in the following location:
%UserProfile%\AdobeSystem.exe
The Trojan may create the following registry load point for the downloaded file:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\AdobeUpdate=%UserProfile%\AdobeSystem.exe
The Trojan may send emails to the following email address:
[REMOVED]@plantsroyal.org
Note: Emails to this address may include the following attachments:
tempscr.jpg
proclog.log

Last update 11 April 2015
