Win32/SandyEva [Threat Name]

Win32/SandyEva.G [Threat Variant Name]

Category: trojan
Size: 24576 B
Detection created: Apr 22, 2014
Detection database version: 9707
Short description

Win32/SandyEva.G is a trojan which tries to download other malware from the Internet. The file is run-time compressed using Xtreme-Protector.

Installation

When executed, the trojan copies itself into the following location:

  • %allusersprofile%\Application Data\%filename%%fileext%

The %filename% is one of the following strings:

  • base
  • user
  • index
  • profile
  • system
  • data
  • config
  • init
  • boot
  • stat
  • cache
  • class
  • setup
  • network
  • wmi
  • com
  • app
  • svc
  • dde
  • xml
  • prov
  • mui

The %fileext% is one of the following strings:

  • .idx
  • .dat
  • .db
  • .bin
  • .cat

The following file is dropped into the %startup% folder:

  • %lnkfilename%.lnk

The %lnkfilename% is assembled from some of the following strings:

  • Microsoft
  • Windows
  • Update
  • Report
  • Mngr
  • Register
  • Help
  • Soft
  • Product
  • Service
  • Notify
  • Activate
  • License
  • Support
  • Prov
  • Sess
  • Tlnt
  • Event

The file is a shortcut to a malicious file.

This causes the trojan to be executed on every system start.

Information stealing

Win32/SandyEva.G is a trojan that steals sensitive information.

The trojan collects the following information:

  • volume serial number
  • CPU information
  • computer name
  • country code
  • information about the operating system and system settings
  • network adapter information
  • installed antivirus software
  • proxy server settings
  • malware version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan generates various URL addresses.

It tries to download a file from these addresses over HTTP.

The downloaded files contain encrypted executables.


The data is saved in the following file:

  • %currentfolder%\fdbywu

After decryption the data is saved in the following files:

  • %currentfolder%\%filename%.exe

The %filename% is one of the following strings:

  • win
  • updt
  • ntfy
  • wcs
  • net
  • mngr
  • task
  • host
  • wup
  • dll
  • chk
  • schd
  • wiz
  • con
  • fault
  • rep
  • lan
  • svc
  • ras
  • xml
  • dde
  • wmi
  • com
  • upgr

The file is then executed.
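As an added example (not ESET's code, nor the trojan's), the filename patterns from the Installation and Other information sections above are turned into matchers a responder could run over a listing of %allusersprofile%\Application Data, %startup% and the folder the trojan ran from. The token lists are the ones on this page; the sample listing, the function names and the two-token minimum for .lnk names are assumptions of this example.

```python
from functools import lru_cache
from pathlib import PureWindowsPath

# %filename% and %fileext% of the self-copy under %allusersprofile%\Application Data
COPY_STEMS = {"base", "user", "index", "profile", "system", "data", "config", "init",
              "boot", "stat", "cache", "class", "setup", "network", "wmi", "com",
              "app", "svc", "dde", "xml", "prov", "mui"}
COPY_EXTS = {".idx", ".dat", ".db", ".bin", ".cat"}
# building blocks of the %lnkfilename%.lnk dropped into %startup%
LNK_TOKENS = ("Microsoft", "Windows", "Update", "Report", "Mngr", "Register", "Help",
              "Soft", "Product", "Service", "Notify", "Activate", "License", "Support",
              "Prov", "Sess", "Tlnt", "Event")
# raw download blob, and %filename%.exe written to %currentfolder% after decryption
RAW_BLOB_NAME = "fdbywu"
PAYLOAD_STEMS = {"win", "updt", "ntfy", "wcs", "net", "mngr", "task", "host", "wup",
                 "dll", "chk", "schd", "wiz", "con", "fault", "rep", "lan", "svc",
                 "ras", "xml", "dde", "wmi", "com", "upgr"}

def is_copy_name(name: str) -> bool:
    """True for e.g. config.dat: a listed stem joined to a listed extension (case-insensitive)."""
    p = PureWindowsPath(name.lower())
    return p.stem in COPY_STEMS and p.suffix in COPY_EXTS

@lru_cache(maxsize=None)
def _tile_count(s: str):
    """Fewest LNK_TOKENS tiling s exactly (case-sensitive), or None; explores every prefix."""
    if s == "":
        return 0
    counts = [_tile_count(s[len(t):]) for t in LNK_TOKENS if s.startswith(t)]
    counts = [c + 1 for c in counts if c is not None]
    return min(counts) if counts else None

def is_startup_lnk_name(name: str, min_tokens: int = 2) -> bool:
    """True when a .lnk stem is built only from LNK_TOKENS; min_tokens=2 spares e.g. Windows.lnk."""
    p = PureWindowsPath(name)
    n = _tile_count(p.stem) if p.suffix.lower() == ".lnk" else None
    return n is not None and n >= min_tokens

def is_payload_name(name: str) -> bool:
    """True for the raw blob fdbywu or a decrypted %filename%.exe such as wup.exe."""
    p = PureWindowsPath(name.lower())
    return p.name == RAW_BLOB_NAME or (p.stem in PAYLOAD_STEMS and p.suffix == ".exe")

def triage(listing) -> dict:
    """Map each name in a directory listing to the artifact class it matches."""
    checks = (("self-copy", is_copy_name), ("startup-lnk", is_startup_lnk_name), ("payload", is_payload_name))
    return {n: k for n in listing for k, f in checks if f(n)}

# constructed listing for illustration, not taken from a real host
SAMPLE = ["config.dat", "desktop.ini", "MicrosoftUpdateNotify.lnk", "Windows.lnk", "fdbywu", "wup.exe", "setup.log"]
```

`triage(SAMPLE)` flags config.dat, MicrosoftUpdateNotify.lnk, fdbywu and wup.exe and leaves desktop.ini, Windows.lnk and setup.log alone; a hit on a name alone is a lead for hashing and timeline review, not a verdict.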

For further information follow the links below:

* Miniduke still duking it out
