MSIL/Spy.Netpune [Threat Name] go to Threat

MSIL/Spy.Netpune.A [Threat Variant Name]

MSIL/Spy.Netpune.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

When executed, the trojan copies itself into the following location:

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "(Default)" = "%appdata%\explorer.exe"

MSIL/Spy.Netpune.A is a trojan that steals sensitive information.

The trojan collects the following information:

The trojan is able to log keystrokes.

The trojan attempts to send gathered information to a remote machine.

The trojan sends the information via e-mail. The SMTP protocol is used.

The trojan may execute the following commands:

Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
C:\Windows\System32\ΕΘακΩΖΕΨ.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

The trojan blocks execution of some programs.

The following programs are affected:

The trojan may set the following Registry entries:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
- "DisableCMD" = "2"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ]
- "DisableTaskMgr" = "1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoRun" = "1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoViewContextMenu" = "1"

The trojan can modify the following file:

The trojan writes the following entries to the file, effectively disabling access to the specific Internet sites:

A string with variable content is used instead of %variablewebsite% .

It can execute the following operations:

Trojan requires the Microsoft .NET Framework to run.