Home / malware Trojan:Win32/Refeys.A
First posted on 23 April 2013.
Source: MicrosoftAliases :
Trojan:Win32/Refeys.A is also known as Trojan/Win32.PornoAsset (AhnLab), TR/Refeys.A (Avira), BackDoor.Chimerka.1 (Dr.Web), Trojan-PWS.Win32.Fareit (Ikarus), PWS-Zbot.gen.ary (McAfee), Troj/Rorpian-BK (Sophos).
Explanation :
Installation
When run, this trojan opens Wordpad without your knowledge. It then injects its code into Wordpad to avoid detection by your security software. Other samples of this trojan might also open Internet Explorer without your knowledge and inject its code there.
It might create a copy of itself in your computer as "%USERPROFILE%\temp\7.tmp.exe".
It creates the following entry in your system registry so that it automatically runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "MicrosoftUpdate"
With data: "%USERPROFILE%\temp\7.tmp.exe"
Payload
Steals computer information
It gathers the following information about your computer:
- User name of the currently logged-on user
- Your computer name
- What version of Windows your computer has
- What timezone your computer is in
- Whether you have access to a Smart card
It also runs a module that logs keystrokes and gets screenshots.
It then sends the information to any of the following websites:
- zcoxe.org
- cxeoh.org
- oexvc.org
- kecex.org
- czexf.org
- fexkc.org
- xcfse.org
- axcre.org
- ecxka.org
- zbexc.org
- czexk.org
- ecxrb.org
- xbekc.org
- cxerh.org
- rexvc.org
- evkxc.org
- vecxh.org
- xvsec.org
- oehxe.org
- xfezo.org
Analysis by Jeong Mun
Last update 23 April 2013
