Trojan.Snifula.F
First posted on 12 July 2014.
Source: Symantec
Aliases:
There are no other names known for Trojan.Snifula.F.
Explanation:
Once executed, the Trojan drops the following file:
%AllUsersProfile%\Application Data\[RANDOM FILE NAME]\[RANDOM FILE NAME].dat
The original malicious file then deletes itself from the compromised computer.
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM FILE NAME]" = "regsvr32.exe %AllUsersProfile%\Application Data\[RANDOM FILE NAME]\[RANDOM FILE NAME].dat"
It also creates the following registry entries, which turn off Internet Explorer's Protected Mode for the Internet zone (setting 2500 = 3), make IE run its frame and tabs in a single process (TabProcGrowth = 0), and suppress the banner that would otherwise warn the user that Protected Mode is off:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" = "DWORD:3"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"TabProcGrowth" = "DWORD:0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"NoProtectedModeBanner" = "DWORD:1"
The Trojan creates the following registry entries to force installed security software to run under restricted privileges. They are Software Restriction Policies (SRP) path rules: the "0" under CodeIdentifiers is the Disallowed security level, and {GUID} is a per-rule identifier chosen by the Trojan:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{GUID}\"ItemData" = "[SECURITY SOFTWARE PATH]"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{GUID}\"SaferFlags" = "0"
The Trojan may then perform the following actions:
- Inject malicious code into Explorer.exe
- Steal user names and passwords from various FTP clients such as WS_FTP, CuteFTP, Far2, FlashFXP, BPFTP, and FTPExplorer
- Steal credentials saved in Web browsers
- Steal digital certificates
- Inject malicious code into Web browsers in order to steal confidential information from Web forms
- Steal account information from Outlook and Windows Mail
- Open a back door allowing an attacker to access the compromised computer
- Use the webcam to record video
- Use the microphone to record audio
- Disable the SPDY open networking protocol
Last update 12 July 2014