Win32/Spy.Usteal [Threat Name]

Win32/Spy.Usteal.J [Threat Variant Name]

Category: trojan
Size: 157544 B
Detection created: Jan 13, 2013
Detection database version: 7889
Aliases: Trojan.Win32.Inject.fadn (Kaspersky)
Short description

Win32/Spy.Usteal.J is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan may create copies of itself using the following filenames:

  • %appdata%\%originalmalwarefilename%
  • %startup%\%originalmalwarefilename%
  • %system%\%originalmalwarefilename%
  • %temp%\%originalmalwarefilename%
  • %windows%\%originalmalwarefilename%

The trojan launches the following processes:

  • %windir%\system32\svchost.exe

The trojan creates and runs a new thread with its own code within these running processes.


The trojan quits immediately if it is run within a debugger.


The trojan quits immediately if any of the following applications is detected:

  • Sandboxie

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • FileMon.exe
  • RegMon.exe

The trojan quits immediately if it detects a window containing one of the following strings in its title:

  • PROCEXPL
  • PROCMON
  • The Wireshark Network Analyzer

Information stealing

Win32/Spy.Usteal.J is a trojan that steals passwords and other sensitive information.


The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • FTP account information
  • operating system version
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
  • information about the operating system and system settings
  • computer name
  • user name
  • memory status
  • CPU information
  • list of disk devices and their type
  • list of computer users
  • list of running processes
  • computer IP address
  • the path to specific folders
  • current screen resolution

The following programs are affected:

  • Chromium
  • Comodo Dragon
  • CoolNovo
  • CoreFTP
  • FAR Manager
  • FileZilla
  • FlashFXP
  • Full Tilt Poker
  • Google Chrome
  • Google Talk
  • ICQ
  • IncrediMail
  • Internet Explorer
  • Mail.ru Agent
  • Miranda
  • Mozilla Firefox
  • Nichrome
  • Opera
  • Pidgin
  • PokerStars
  • Psi
  • QIP 2005
  • QIP Infium
  • Remote Service Access
  • RockMelt
  • Safari
  • SeaMonkey
  • SmartFTP
  • The Bat!
  • Thunderbird
  • Total Commander
  • World of Tanks
  • WS_FTP
  • Yandex

The following services are affected:

  • Terminal Server
  • Windows Live

The collected information is stored in the following file:

  • %temp%\report-%variable1%-%variable2%-%variable3%.bin

A string with variable content is used instead of %variable1-3%.

The trojan attempts to send the gathered information to a remote machine over the FTP protocol.

Other information

The trojan may execute the following commands:

  • %comspec% /c del %malwarefilepath% >> NUL

The trojan may create the following files:

  • %temp%\%variable4%

The files are then executed. A string with variable content is used instead of %variable4%.
