MSIL/Spy.POSCardStealer [Threat Name] go to Threat

MSIL/Spy.POSCardStealer.A [Threat Variant Name]

Category trojan
Size 449227 B
Aliases Trojan-Spy.MSIL.Stealer.br (Kaspersky)
  TrojanSpy:Win32/Skeeyah.A!rfn (Microsoft)
  Infostealer.Centerpos (Symantec)
  Variant.MSILPerseus.1147 (BitDefender)
Short description

MSIL/Spy.POSCardStealer.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan does not create any copies of itself.


The trojan may register itself as a system service using the following name:

  • CenterPoint

This causes the trojan to be executed on every system start.

Information stealing

The trojan searches memory of running processes and tries to find following information:

  • credit card information

The trojan collects the following information:

  • computer name
  • installed antivirus software
  • user name
  • information about the operating system and system settings
  • CPU information
  • amount of operating memory
  • list of computer users
  • list of running processes

The trojan attempts to send gathered information to a remote machine.


Other information

The trojan acquires data and commands from a remote computer or the Internet.


Configuration is stored in the following file:

  • %currentfolder%\­mscorsv.nlp

The HTTP protocol is used in the communication.


It can execute the following operations:

  • uninstall itself
  • stop itself for a certain time period
  • execute shell commands
  • send gathered information

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­sethc.exe\­debugger]
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­osk.exe\­debugger]
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­utilman.exe\­debugger]
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­magnify.exe\­debugger]
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­oks.exe\­debugger]

The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Framework.NET\­GUID]
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Framework.NET\­Mutex]

The trojan may display the following dialog windows:

Trojan requires the Microsoft .NET Framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.