Backdoor:Win32/Gspy.A is a trojan that steals sensitive data and allows unauthorized access and control of an affected computer.
Installation
Backdoor:Win32/Gspy.A drops and executes a copy of itself in the Windows folder with a random file name, such as any of the following:
- avosq.exe
- bllvs.exe
- bumbl.exe
- cyqdu.exe
- nisaz.exe
- oalrd.exe
- uxyna.exe
- zhepo.exe
It adds an entry to the following registry key to ensure that its copy executes at each Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Backdoor:Win32/Gspy.A also creates a mutex, such as any of the following:
- Global\E5A7E37DD0BC231DE498ED8F7E5834A34E6F81D845E2003A
- Global\F4134A9FB27BD39FB6DE35CEDF35DAA03A5A69E05BD950D1
- Global\EEB43EA5BA8A78EB1C70390EE09674A465A19F87D2E7FBD7
- Global\A44D0DDC032F97FECAC352B3DF35DAA03A5A69E05BD950D1
- Global\B6EE81F1EBDE349280115673E09674A465A19F87D2E7FBD7
It injects code into the following processes in order to hinder detection and removal:
- csrss.exe
- explorer.exe
- lsass.exe
- services.exe
- svchost.exe
- winlogon.exe
It may also create a DAT file in the %appdata% folder as part of its installation process. The file contains configuration information for the malware's installation and has a name that follows the format "<14-digit hex string>.DAT". Some examples we have observed in the wild are the following:
- ebb22cb7bbb66d.dat
- e0a7f16fc18402.dat
- f1135889a345d2.dat
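The following Python script is an added illustration, not part of the original analysis: it checks a host for the two installation artifacts described above, a Run-key value that launches a short-named executable directly in the Windows folder, and a 14-hex-digit .DAT file in %appdata%. The 5-letter file-name length is an assumption drawn from the sample names (the entry only says "random"), and the constructed sample data lets the logic run on a non-Windows machine.

```python
import os
import re
import sys

# Run-key command pointing at <Windows folder>\<5 lowercase letters>.exe.
# The 5-letter length is an assumption taken from the sample names listed above.
RUN_TARGET = re.compile(
    r'^"?(?:[A-Za-z]:\\windows|%windir%|%systemroot%)\\[a-z]{5}\.exe"?\s*$',
    re.IGNORECASE,
)
# Installation DAT file: a 14-digit hex string followed by .dat.
DAT_NAME = re.compile(r'^[0-9a-f]{14}\.dat$', re.IGNORECASE)

# Constructed sample data standing in for a live host.
SAMPLE_RUN = {
    "Gspy": r"C:\Windows\avosq.exe",
    "ctfmon": r"C:\Windows\system32\ctfmon.exe",
}
SAMPLE_APPDATA = ["ebb22cb7bbb66d.dat", "Microsoft", "settings.dat"]


def suspicious_run_entries(entries):
    """entries: dict of Run value name -> command line. Returns matching value names."""
    return sorted(n for n, cmd in entries.items() if RUN_TARGET.match(cmd.strip()))


def suspicious_dat_files(filenames):
    """filenames: names found directly in %appdata%. Returns those matching the DAT pattern."""
    return sorted(f for f in filenames if DAT_NAME.match(f))


def collect_live():
    """Read HKLM\\...\\Run values and the %appdata% listing on a Windows host."""
    import winreg  # Windows-only module
    entries, i = {}, 0
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    while True:
        try:
            name, value, _ = winreg.EnumValue(key, i)
        except OSError:
            break  # no more values
        entries[name], i = str(value), i + 1
    appdata = os.environ.get("APPDATA", "")
    return entries, (os.listdir(appdata) if os.path.isdir(appdata) else [])


if __name__ == "__main__":
    run, files = collect_live() if sys.platform == "win32" else (SAMPLE_RUN, SAMPLE_APPDATA)
    print("Suspicious Run entries:", suspicious_run_entries(run))
    print("Suspicious DAT files:", suspicious_dat_files(files))
```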
Payload
Allows backdoor access and control
Backdoor:Win32/Gspy.A allows unauthorized access and control of an affected computer. Using it, an attacker can perform a wide range of actions on the affected computer, including but not limited to the following:
- Delete files
- Download and execute arbitrary files
- Modify system settings
- Request a screenshot
- Run or terminate applications
- Upload files
Some of the servers it may connect to and download files from include the following:
- 4429<removed>EC38BD3D09.info
- ggop<removed>kdlll.ru
- nisp<removed>.ru
Steals user credentials
Backdoor:Win32/Gspy.A steals user name and password information for the following applications:
- BulletProof FTP
- ExpanDrive
- FlashFXP
- FTP Rush
- IncrediMail
- LeapFTP
- NetDrive
- PocoMail
- Pop Peeper
- SmartFTP
- The Bat!
- Vypress Auvis
- Windows Commander
- Windows Live Mail
- WinSCP
- WS_FTP
Analysis by Mihai Calota