Infostealer.Dyranges
First posted on 18 June 2014.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Dyranges.
Explanation:
When the Trojan is executed, it creates the following files:
C:\Documents and Settings\All Users\Application Data\googleupdaterr.exe
C:\Documents and Settings\All Users\Application Data\userdata.dat
Next, the Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"GoogleUpdate" = "C:\Documents and Settings\All Users\Application Data\googleupdaterr.exe"
The Trojan periodically connects to the following remote location:
[http://]192.99.6.61/cho1017/W512600.52818BB853DEE114E367C21952160412/5/publ[REMOVED]
Next, the Trojan checks the URL in the Web browser for online banking services and intercepts traffic between the user and these sites.
The Trojan may then steal user names and passwords entered into these sites' login forms and send them to the following remote locations:
85.25.148.6:12591
85.25.148.6:38191
85.25.148.6:63791
85.25.148.6:23856
85.25.148.6:49456
Last update 18 June 2014
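A defender-side check, added here as an example and not part of the Symantec writeup: Python functions that match the indicators described above (the two dropped files, the HKCU Run value, the check-in URL prefix on 192.99.6.61, and the five credential-exfiltration endpoints on 85.25.148.6) against constructed registry and connection-log samples. The "key=value" log format, the sample lines and the bot-id segment of the check-in path are assumptions made for illustration; the writeup redacts the real path beyond "publ".

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the writeup above.
DROPPED_FILES = {
    r"c:\documents and settings\all users\application data\googleupdaterr.exe",
    r"c:\documents and settings\all users\application data\userdata.dat",
}
RUN_VALUE_NAME = "GoogleUpdate"          # mimics Google's legitimate updater
RUN_IMAGE_NAME = "googleupdaterr.exe"    # note the doubled "r"
C2_HOST = "192.99.6.61"
C2_PATH_PREFIX = "/cho1017/"
EXFIL_ENDPOINTS = {
    ("85.25.148.6", 12591), ("85.25.148.6", 38191), ("85.25.148.6", 63791),
    ("85.25.148.6", 23856), ("85.25.148.6", 49456),
}


def check_file_path(path: str) -> bool:
    """True if a file path is one of the two files the Trojan drops."""
    return path.lower() in DROPPED_FILES


def check_run_entry(name: str, data: str) -> bool:
    """True for a Run value named like Google Update whose image is the
    misspelled googleupdaterr.exe. Match on the image name, not the value
    name alone: a real Google Update entry shares the name."""
    image = data.strip('"').lower()
    return name.lower() == RUN_VALUE_NAME.lower() and image.endswith("\\" + RUN_IMAGE_NAME)


def check_http_request(host: str, path: str) -> bool:
    """True for the periodic check-in to 192.99.6.61 under /cho1017/."""
    return host == C2_HOST and path.startswith(C2_PATH_PREFIX)


def check_connection(dst_ip: str, dst_port: int) -> bool:
    """True for a connection to one of the documented exfiltration endpoints."""
    return (dst_ip, dst_port) in EXFIL_ENDPOINTS


def scan_run_entries(entries: List[Tuple[str, str]]) -> List[str]:
    """Return the names of Run values matching the persistence indicator."""
    return [name for name, data in entries if check_run_entry(name, data)]


# Hypothetical "key=value" proxy/firewall log format; the HTTP fields are optional.
LOG_LINE_RE = re.compile(
    r"dst=(?P<ip>[\d.]+) dport=(?P<port>\d+)(?: host=(?P<host>\S+) path=(?P<path>\S+))?"
)


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, reason) for every line hitting an indicator."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE_RE.search(line)
        if not m:
            continue
        ip, port = m.group("ip"), int(m.group("port"))
        if m.group("path") and check_http_request(m.group("host"), m.group("path")):
            hits.append((n, "c2-checkin"))
        elif check_connection(ip, port):
            hits.append((n, "credential-exfil-endpoint"))
    return hits


# Constructed sample data: one legitimate XP-era Run entry beside the malicious one.
SAMPLE_RUN_ENTRIES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("GoogleUpdate", r'"C:\Documents and Settings\All Users\Application Data\googleupdaterr.exe"'),
]

# Constructed sample log: benign HTTPS, the check-in (bot id is a placeholder),
# one documented exfil port, and the same host on an undocumented port (not flagged).
SAMPLE_LOG = [
    "2014-06-18T10:00:01 dst=93.184.216.34 dport=443",
    "2014-06-18T10:00:07 dst=192.99.6.61 dport=80 host=192.99.6.61 path=/cho1017/CONSTRUCTED_ID/5/publ",
    "2014-06-18T10:00:09 dst=85.25.148.6 dport=38191",
    "2014-06-18T10:00:11 dst=85.25.148.6 dport=443",
]

if __name__ == "__main__":
    print("Run entries flagged:", scan_run_entries(SAMPLE_RUN_ENTRIES))
    print("Log lines flagged:", scan_log(SAMPLE_LOG))
```

The Run-key check deliberately keys on the misspelled image name under All Users\Application Data rather than on the value name, since the value name "GoogleUpdate" is chosen to blend in with the legitimate updater. The IP addresses and ports are point-in-time indicators from June 2014 and should be treated as historical context rather than current blocklist material.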