Infostealer.Flasfod


First posted on 30 April 2015.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Flasfod.

Explanation :

When the Trojan is executed, it copies itself to the following location:
%ProgramFiles%\Outlook Express\msinm.exe
The Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\"FirstRun" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\GetInf\"pid" = "[Encoded threat's filename]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"msinm.exe" = "%ProgramFiles%\Outlook Express\msinm.exe"
The Trojan creates the following file and writes the current system time to it:
%Windir%\FILETIME.DAT
The threat queries the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters\ServiceDll registry value and saves the results in the following location:
%Windir%\$NtUninstallKB885884$\Info.txt
The Trojan steals the following information from the Windows Address Book:
Username
Nickname
Email address
Contact type

The Trojan saves this information in the following location:
%Windir%\$NtUninstallKB885884$\Info.txt
The Trojan obtains a list of file extensions to target from the following location:
%Windir%\FILETYPE.INI
Note: If the %Windir%\FILETYPE.INI file does not exist on the compromised computer, the threat will target the following extensions:
.doc
.docx
.ldf
.max
.pdf
.pgp
.rhs
.rtf
.tif
.wpd
The Trojan then creates the following folders:
%Windir%\$NtUninstallKB885884$
%Windir%\$NtUninstallKB885884$\FlashFiles
%Windir%\$NtUninstallKB885884$\LastFiles
%Windir%\$NtUninstallKB885884$\RecentFiles
The Trojan parses the shortcut (.lnk) files in the compromised user's "My Recent Documents" folder and resolves the files that the .lnk files point to.

The Trojan checks the extensions on these files against its target extension list, and if there is a match, it compresses the files and copies them to the following location:
%Windir%\$NtUninstallKB885884$\RecentFiles
The Trojan scans connected drives, and the Desktop, Temporary Internet Files, and Temp directories for files on the target extension list, and if there is a match, it compresses the files and copies them to the following location:
%Windir%\$NtUninstallKB885884$\LastFiles
The Trojan scans whole drives of less than 2,500,000,000 bytes for files on the target extension list, and if there is a match, it compresses the files and copies them to the following location:
%Windir%\$NtUninstallKB885884$\FlashFiles
Note: If the Trojan finds matching files in the $LDDATA$ or RECYCLED directories, it copies them directly without compressing them and deletes the originals.

The Trojan scans the $LDDATA$ and RECYCLED directories of drives greater than 2,500,000,000 bytes for files on the target extension list and copies them without compressing them to the following location and then deletes the original files:
%Windir%\$NtUninstallKB885884$\FlashFiles
The Trojan saves the details of the scan in the following location:
%Windir%\$NtUninstallKB885884$\OtherInfo.txt
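The paths and registry values above are the host indicators a responder would sweep for. The following Python script is an added example, not Symantec's write-up material or the threat's code: it matches those indicators against a host snapshot that has already been collected with the responder's usual tooling (a file and directory listing plus a registry export), represented here as two plain Python structures. Everything else in it is an assumption for illustration: the `HOST_ENV` mapping for %ProgramFiles% and %Windir%, the `INFECTED` and `BENIGN` snapshots (constructed, not real telemetry), and the strong/weak weighting of the indicators. Two caveats drive that weighting: Windows XP and Server 2003 create similarly named $NtUninstallKBnnnnnn$ folders under %Windir% for update rollback, so the match is on this exact name and its subfolders rather than on the pattern; and HKCU\Software\Microsoft\WAB\WAB4\FirstRun is an ordinary Windows Address Book setting, so on its own it only corroborates.

```python
# Offline triage of a host snapshot for the Infostealer.Flasfod indicators above.
# Added example, not Symantec's or the threat's code; the snapshots below are
# constructed, not real telemetry.
import ntpath

# Indicators transcribed from the write-up; %ProgramFiles% and %Windir% stay
# symbolic and are expanded per host.
FILE_IOCS = [
    r"%ProgramFiles%\Outlook Express\msinm.exe",
    r"%Windir%\FILETIME.DAT",
    r"%Windir%\FILETYPE.INI",
    r"%Windir%\$NtUninstallKB885884$\Info.txt",
    r"%Windir%\$NtUninstallKB885884$\OtherInfo.txt",
]
DIR_IOCS = [
    r"%Windir%\$NtUninstallKB885884$",
    r"%Windir%\$NtUninstallKB885884$\FlashFiles",
    r"%Windir%\$NtUninstallKB885884$\LastFiles",
    r"%Windir%\$NtUninstallKB885884$\RecentFiles",
]
# (key, value name, expected data); None means any data counts, because the
# write-up only says "pid" holds an encoded filename.
REG_IOCS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4", "FirstRun", "1"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\GetInf", "pid", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "msinm.exe", r"%ProgramFiles%\Outlook Express\msinm.exe"),
]
# Weighting is an editorial assumption: the Run value and dropped binary are
# the persistence and the staging root is specific to this threat, whereas
# WAB4\FirstRun is an ordinary Windows Address Book setting.
STRONG = {
    "file:" + FILE_IOCS[0],
    "dir:" + DIR_IOCS[0],
    "reg:" + REG_IOCS[2][0] + "\\" + REG_IOCS[2][1],
}

def expand(path, env):
    """Replace %VAR% placeholders with this host's actual directories."""
    for var, val in env.items():
        path = path.replace(f"%{var}%", val)
    return path

def norm(path):
    """Case-fold and normalise separators so listings from any collector compare equal."""
    return ntpath.normcase(ntpath.normpath(path))

def triage(snapshot, env):
    """Match the indicators against {"paths": [...], "registry": {(key, name): data}}
    and return every hit, the strong hits, and a verdict derived from them."""
    present = {norm(p) for p in snapshot["paths"]}
    registry = {(ntpath.normcase(k), v.lower()): d
                for (k, v), d in snapshot["registry"].items()}
    hits = []
    for ioc in FILE_IOCS:
        if norm(expand(ioc, env)) in present:
            hits.append("file:" + ioc)
    for ioc in DIR_IOCS:
        if norm(expand(ioc, env)) in present:
            hits.append("dir:" + ioc)
    for key, name, want in REG_IOCS:
        data = registry.get((ntpath.normcase(key), name.lower()))
        if data is None:
            continue
        if want is None or norm(expand(want, env)) == norm(data):
            hits.append("reg:" + key + "\\" + name)
    strong = [h for h in hits if h in STRONG]
    verdict = "infected" if strong else ("weak-only" if hits else "clean")
    return {"hits": hits, "strong": strong, "verdict": verdict}

HOST_ENV = {"ProgramFiles": r"C:\Program Files", "Windir": r"C:\WINDOWS"}

# Constructed snapshot of an infected host. msimn.exe is the genuine Outlook
# Express binary; the dropped msinm.exe sits beside it. The Run data is given
# in mixed case to show that the comparison is case-insensitive.
INFECTED = {
    "paths": [
        r"C:\Program Files\Outlook Express\msimn.exe",
        r"C:\Program Files\Outlook Express\msinm.exe",
        r"C:\WINDOWS\FILETIME.DAT",
        r"C:\WINDOWS\$NtUninstallKB885884$",
        r"C:\WINDOWS\$NtUninstallKB885884$\Info.txt",
        r"C:\WINDOWS\$NtUninstallKB885884$\RecentFiles",
    ],
    "registry": {
        (r"HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4", "FirstRun"): "1",
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\GetInf", "pid"): "constructed-encoded-name",
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
         "msinm.exe"): r"c:\program files\outlook express\MSINM.EXE",
    },
}
# Constructed snapshot of a clean host that has merely opened the Address Book.
BENIGN = {
    "paths": [r"C:\Program Files\Outlook Express\msimn.exe"],
    "registry": {(r"HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4", "FirstRun"): "1"},
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("benign", BENIGN)):
        print(label, triage(snap, HOST_ENV))
```

The infected snapshot trips eight indicators, three of them strong, and is reported as infected; the benign snapshot trips only the WAB4 FirstRun value and is reported as "weak-only", which is the outcome a responder should expect from that key on any machine that has used the Address Book. The snapshot never has to be complete: a missing FILETYPE.INI simply means the threat used its built-in extension list, so its absence is not evidence either way.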

Last update 30 April 2015
