MSIL/Spy.Netpune [Threat Name]
MSIL/Spy.Netpune.A [Threat Variant Name]
Category | trojan
Size | 128512 B
Aliases | Trojan.MulDrop4.31614 (Dr.Web)
Short description
MSIL/Spy.Netpune.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\explorer.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "(Default)" = "%appdata%\explorer.exe"
Information stealing
MSIL/Spy.Netpune.A is a trojan that steals sensitive information.
The trojan collects the following information:
- screenshots
- user name
- computer name
- operating system version
- Windows product key
- amount of operating memory
- data from the clipboard
The trojan is able to log keystrokes.
The trojan attempts to send gathered information to a remote machine.
The trojan sends the information via e-mail, using the SMTP protocol.
Other information
The trojan may execute the following commands:
- Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
- Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
- Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
- C:\Windows\System32\ΕΘακΩΖΕΨ.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
The trojan blocks execution of some programs.
The following programs are affected:
- cmd.exe
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
- "DisableCMD" = "2"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableTaskMgr" = "1"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoRun" = "1"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoViewContextMenu" = "1"
The trojan can modify the following file:
- %windir%\system32\drivers\etc\hosts
The trojan writes the following entries to the file, effectively blocking access to specific Internet sites:
- 127.0.0.1 %variablewebsite%
A string with variable content is used instead of %variablewebsite%.
It can execute the following operations:
- delete cookies
- display a dialog window
- download files from a remote computer and/or the Internet
- run executable files
The trojan requires the Microsoft .NET Framework to run.
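As an added triage check, not part of the ESET description, the following PowerShell script reports whether a host shows the dropped file, Run-key persistence, policy Registry values and hosts-file entries listed above. It assumes an elevated session on the machine under investigation and treats any 127.0.0.1 mapping other than localhost as worth review, since the sinkholed site names vary.

```powershell
# Added triage check for the MSIL/Spy.Netpune.A indicators listed on this page.
# Reports findings only; it does not change anything on the host.
$findings = @()

# Dropped copy of the trojan and its Run-key persistence (default value of the Run key)
$dropped = Join-Path $env:APPDATA 'explorer.exe'
if (Test-Path -Path $dropped) { $findings += "File present: $dropped" }

$runKey = Get-Item -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
    $runDefault = $runKey.GetValue('')   # '' addresses the "(Default)" value
    if ($runDefault -and $runDefault -like '*\explorer.exe') {
        $findings += "Run key (Default) = $runDefault"
    }
}

# Policy values the trojan sets (restriction values from the description, EnableLUA=0 from its reg.exe command)
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                    Name = 'DisableCMD';        Bad = 2 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';     Name = 'DisableTaskMgr';    Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';   Name = 'NoRun';             Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';   Name = 'NoViewContextMenu'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';     Name = 'EnableLUA';         Bad = 0 }
)
foreach ($c in $policyChecks) {
    $value = Get-ItemPropertyValue -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    # [int] cast covers both REG_DWORD and string-typed values such as "2"
    if ($null -ne $value -and [int]$value -eq $c.Bad) {
        $findings += "$($c.Key)\$($c.Name) = $value"
    }
}

# hosts-file sinkhole entries: the trojan writes "127.0.0.1 <site>" lines
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
    if ($line -match '^\s*127\.0\.0\.1\s+(\S+)' -and $Matches[1] -ne 'localhost') {
        $findings += "hosts entry: $($line.Trim())"
    }
}

if ($findings.Count -eq 0) {
    'No MSIL/Spy.Netpune.A indicators found.'
} else {
    'Indicators found (review each before acting):'
    $findings | ForEach-Object { " - $_" }
}
```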