Win32/Spy.Usteal [Threat Name]

Win32/Spy.Usteal.C [Threat Variant Name]

Category trojan
Size 25088 B
Short description

Win32/Spy.Usteal.C is a trojan that steals passwords and other sensitive information. The trojan attempts to send the gathered information to a remote machine. The file is run-time compressed using UPX.

Installation

The trojan may create copies of itself using the following filenames:

  • %appdata%\%originalmalwarefilename%
  • %startup%\%originalmalwarefilename%
  • %system%\%originalmalwarefilename%
  • %temp%\%originalmalwarefilename%
  • %windows%\%originalmalwarefilename%

The trojan quits immediately if it is run within a debugger.


The trojan quits immediately if any of the following applications is detected:

  • Sandboxie

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • FileMon.exe
  • RegMon.exe

The trojan quits immediately if it detects a window containing one of the following strings in its title:

  • PROCEXPL
  • PROCMON
  • The Wireshark Network Analyzer

Information stealing

Win32/Spy.Usteal.C is a trojan that steals passwords and other sensitive information.


The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • FTP account information
  • operating system version
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
  • information about the operating system and system settings
  • computer name
  • user name
  • memory status
  • CPU information
  • list of disk devices and their type
  • list of computer users
  • list of running processes
  • computer IP address
  • the path to specific folders
  • current screen resolution
  • external IP address of the network device

The following programs are affected:

  • CoreFTP
  • FAR Manager
  • FileZilla
  • FlashFXP
  • Full Tilt Poker
  • Google Chrome
  • Google Talk
  • ICQ
  • IncrediMail
  • Internet Explorer
  • Mail.ru Agent
  • Miranda
  • Mozilla Firefox
  • Opera
  • Pidgin
  • PokerStars
  • Psi
  • QIP 2005
  • QIP Infium
  • Remote Service Access
  • Safari
  • SeaMonkey
  • SmartFTP
  • Terminal Server credentials
  • The Bat!
  • Thunderbird
  • Total Commander
  • Windows Live ID
  • WinSCP
  • World of Tanks
  • WS_FTP

The following services are affected:

  • Terminal Server
  • Windows Live

The collected information is stored in the following file:

  • %temp%\report-%variable1%-%variable2%-%variable3%.bin

A string with variable content is used instead of %variable1-3%.


The trojan attempts to send the gathered information to a remote machine. The FTP protocol is used.
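As an added hunting helper (not part of the original entry), the function below checks a file inventory for the two on-disk artefacts described above: the same executable dropped under its original name into the listed folders, and the report-%variable1%-%variable2%-%variable3%.bin file under %temp%. The inventory, file names and digests are constructed sample data; on a live host the inventory would be built from the real folders behind those placeholders.

```python
import re
from collections import defaultdict

# Folders the entry lists for the self-copies, keyed by its placeholder names.
DROP_LOCATIONS = ("%appdata%", "%startup%", "%system%", "%temp%", "%windows%")

# %temp%\report-%variable1%-%variable2%-%variable3%.bin with any variable content.
REPORT_RE = re.compile(r"^report-[^-\\/]+-[^-\\/]+-[^-\\/]+\.bin$", re.IGNORECASE)


def find_self_copies(inventory):
    """inventory: {location: {filename: content_digest}}.
    Returns file names that appear with identical content (same digest) in at
    least two of the drop locations, which is the copy pattern described above."""
    seen = defaultdict(set)  # (lower-cased name, digest) -> {locations}
    for location, files in inventory.items():
        if location not in DROP_LOCATIONS:
            continue
        for name, digest in files.items():
            seen[(name.lower(), digest)].add(location)
    return sorted(name for (name, _), locs in seen.items() if len(locs) >= 2)


def find_report_files(inventory):
    """Names under %temp% that match the report-*-*-*.bin collection file."""
    return sorted(n for n in inventory.get("%temp%", {}) if REPORT_RE.match(n))


# Constructed sample inventory (not real indicators): one file with identical
# content in three drop folders, one report file, and benign noise.
SAMPLE_INVENTORY = {
    "%appdata%": {"invoice.exe": "digest-A", "settings.ini": "digest-B"},
    "%startup%": {"invoice.exe": "digest-A"},
    "%system%": {"Invoice.exe": "digest-A", "notepad.exe": "digest-C"},
    "%temp%": {"report-a1-b2-c3.bin": "digest-D", "report-x-y.bin": "digest-E",
               "report.txt": "digest-F"},
    "%windows%": {"explorer.exe": "digest-G"},
    "%programfiles%": {"invoice.exe": "digest-A"},  # not a listed drop folder
}

if __name__ == "__main__":
    print("self-copies:", find_self_copies(SAMPLE_INVENTORY))
    print("report files:", find_report_files(SAMPLE_INVENTORY))
```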

Other information

The trojan may execute the following commands:

  • %comspec% /c del %malwarefilepath% >> NUL

The trojan may create the following files:

  • %temp%\%variable4%

The files are then executed. A string with variable content is used instead of %variable4%.
