Home / malware Infostealer.Atimpo
First posted on 07 August 2015.
Source: SymantecAliases :
There are no other names known for Infostealer.Atimpo.
Explanation :
Once executed, the Trojan creates the following files:
%AllUsersProfile%\asfa\AppData\Roaming\atimpo.dat%AllUsersProfile%\asfa\AppData\Roaming\atimpc.dat%AllUsersProfile%\asfa\AppData\Roaming\atimpb.dat%System%\atimp.dll
The Trojan then creates services with the following properties:
Display names:
atimp1
atimp0Image path: %System%\svchost.exe -k netsvcsStartup type: Automatic
It then creates the following registry subkeys to register itself as services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atimp1HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atimp0
The Trojan logs keystrokes on the compromised computer and stores them in the following location:
%AllUsersProfile%\asfa\AppData\Roaming\atimpo.dat
The Trojan may then send the stolen data to a remote location.Last update 07 August 2015