Threat behavior
TrojanSpy:Win32/Keylogger.X is a trojan key logger that captures keystrokes and sends the captured data to remote servers.
Installation
This trojan may have been installed by Worm:Win32/Soglueda.A. When executed, Worm:Win32/Soglueda.A creates the following files on an affected computer:
Worm:Win32/Soglueda.A uses code injection to hinder detection and removal of the trojan code. When the worm runs, it injects the trojan code "winm.dll" into running processes, for example the following:
- cmd.exe
- csrss.exe
- explorer.exe
- winlogon.exe
Payload
Records keystrokes
The trojan key logger records keystrokes and window titles and reports them to a remote host. We have observed the trojan contacting the following remote hosts on port 80 to send the captured data:
- bi.aznaryespinosa.com.ar
- bits.aznaryespinosa.com.ar
- f.aznaryespinosa.com.ar
- nico.aznaryespinosa.com.ar
- servers.aznaryespinosa.com.ar
- muler.agusting.com.ar
- winupdate32.sytes.net
- 174.36.209.138
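The hosts listed above can be used as network indicators when reviewing proxy or DNS logs from a suspected machine. The following PowerShell is an added example for that purpose; it is not part of this encyclopedia entry or of any Microsoft tool. The log lines are constructed for illustration, and the log format (timestamp, client, method, URL, status) is an assumption; adapt the matching to your own log layout.

```powershell
# Added example (not from the write-up): match log lines against the remote
# hosts the entry lists as receiving captured keystrokes. Read-only.

# Indicators taken verbatim from the entry above.
$SogluedaHosts = @(
    'bi.aznaryespinosa.com.ar',
    'bits.aznaryespinosa.com.ar',
    'f.aznaryespinosa.com.ar',
    'nico.aznaryespinosa.com.ar',
    'servers.aznaryespinosa.com.ar',
    'muler.agusting.com.ar',
    'winupdate32.sytes.net',
    '174.36.209.138'
)

# Constructed sample proxy log lines (not real traffic); the layout is assumed.
$SampleLog = @(
    '2010-03-02T10:15:01Z 10.0.0.12 GET  http://winupdate32.sytes.net/u.php 200',
    '2010-03-02T10:15:07Z 10.0.0.12 GET  http://www.example.com/index.html 200',
    '2010-03-02T10:16:30Z 10.0.0.15 POST http://174.36.209.138/p 200',
    '2010-03-02T10:17:00Z 10.0.0.20 GET  http://notbi.aznaryespinosa.com.ar.example/ 200'
)

function Find-SogluedaNetworkIndicators {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string[]] $Indicators = $SogluedaHosts
    )
    # Build one alternation of escaped indicators. The lookbehind rejects a hit
    # that is merely the tail of a longer label ("notbi.aznar..."), and the
    # lookahead rejects one that continues into a longer name ("...com.ar.example").
    # A preceding '.' is allowed so deeper subdomains of a listed host still match.
    $alternation = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $regex = [regex]::new("(?<![\w-])(?:$alternation)(?![\w.-])",
                          [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)

    foreach ($line in $Lines) {
        $m = $regex.Match($line)
        if ($m.Success) {
            [pscustomobject]@{ Indicator = $m.Value; Line = $line }
        }
    }
}

# Against the sample above this reports the first and third lines only.
Find-SogluedaNetworkIndicators -Lines $SampleLog | Format-Table -AutoSize
```

To run it over a real export, replace `$SampleLog` with `Get-Content <path-to-log>`; the function streams one object per matching line, so the output can be piped to `Export-Csv` for the incident record.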
Changes Windows settings
The worm modifies the registry so that files of type ".EXE" are shown with the icon of a text or document file, as in the following example:

In subkey: HKLM\SOFTWARE\Classes\.exe
Sets value: "(default)"
With data: "exefile "
In subkey: HKLM\SOFTWARE\Classes\exefile
Sets value: "(default)"
With data: "aplicación"
In subkey: HKLM\SOFTWARE\Classes\exefile \DefaultIcon
Sets value: "(default)"
With data: "shell32.dll,2"
Disables programs from running
Worm:Win32/Soglueda.A deletes registry data that would execute device drivers and services at Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: " "
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: " "
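The registry changes described in the two sections above can be audited on a suspect host. The following PowerShell is an added example and is not part of this entry or of any Microsoft tool; it reads the keys named in the entry and reports deviations from their usual state. The expected clean values ("exefile" for the .exe default and "%1" for the exefile icon) are Windows defaults, and the decision to treat any whitespace-only default on the Run keys as suspicious is this example's assumption.

```powershell
# Added example (not from the write-up): read-only audit of the registry
# values the entry says Worm:Win32/Soglueda.A sets. Run from an elevated
# prompt so HKLM is readable in full.

function Get-RegDefault {
    # Returns the "(default)" value of a key, or $null if the key or value is absent.
    # -LiteralPath is used because one key name in the entry ends in a space.
    param([string] $Path)
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-SogluedaRegistryIndicators {
    $findings = @()

    # 1. ".exe" association pointing at a ProgID with a trailing space ("exefile ").
    $exeAssoc = Get-RegDefault 'HKLM:\SOFTWARE\Classes\.exe'
    if ($null -ne $exeAssoc -and $exeAssoc -ne $exeAssoc.Trim()) {
        $findings += [pscustomobject]@{
            Check = '.exe association has trailing whitespace'
            Path  = 'HKLM:\SOFTWARE\Classes\.exe'
            Value = "'$exeAssoc'"
        }
    }

    # 2. exefile friendly name changed to the value reported in the entry.
    $exefileName = Get-RegDefault 'HKLM:\SOFTWARE\Classes\exefile'
    if ($exefileName -and $exefileName.Trim() -ieq 'aplicación') {
        $findings += [pscustomobject]@{
            Check = 'exefile description matches reported value'
            Path  = 'HKLM:\SOFTWARE\Classes\exefile'
            Value = $exefileName
        }
    }

    # 3. DefaultIcon of exefile (or of the look-alike "exefile " key) set to a
    #    document icon from shell32.dll instead of the usual "%1".
    foreach ($progId in @('exefile', 'exefile ')) {
        $iconPath = "HKLM:\SOFTWARE\Classes\$progId\DefaultIcon"
        $icon = Get-RegDefault $iconPath
        if ($icon -and $icon -ne '%1' -and $icon -imatch 'shell32\.dll,\s*2$') {
            $findings += [pscustomobject]@{
                Check = 'executable icon redirected to shell32.dll,2'
                Path  = $iconPath
                Value = $icon
            }
        }
    }

    # 4. Run keys normally have no "(default)" value at all; the entry reports
    #    the worm setting it to a single space.
    foreach ($runKey in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                          'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
        $runDefault = Get-RegDefault $runKey
        if ($null -ne $runDefault -and $runDefault.Trim().Length -eq 0) {
            $findings += [pscustomobject]@{
                Check = 'Run key (default) set to whitespace'
                Path  = $runKey
                Value = "'$runDefault'"
            }
        }
    }

    return $findings
}

$result = Test-SogluedaRegistryIndicators
if ($result.Count -eq 0) {
    'No Soglueda registry indicators found.'
} else {
    $result | Format-Table -AutoSize
}
```

The script only reads; remediation of the ".exe" association is best done with the vendor's removal tool or by restoring the keys from a known-good machine, since a wrong value there makes every executable unlaunchable.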
Analysis by Vincent Tiu
Prevention