
Trojan:Win32/Misector.B


First posted on 22 November 2011.
Source: SecurityHome

Aliases:

Trojan:Win32/Misector.B is also known as Sus/Behav-1021 (Sophos), Trojan.StartPage.G (Symantec).

Explanation:

Trojan:Win32/Misector.B is a trojan that attempts to capture and save strings in memory as a ZIP archive file. The trojan sends the archive file to a remote server for collection by an attacker. Stolen data could include financial transaction details such as credit card numbers.





Installation

Trojan:Win32/Misector.B is installed by another process, or by an attacker with either physical or remote access to the affected computer, and when installed, the trojan is present as the following file:

  • %windir%\svchost.exe


The malware runs as a service named "Distributed Process Handler".



Payload

Steals data
Trojan:Win32/Misector.B enumerates processes to locate a process named "frontend.exe". Once located, the malware opens and hooks the process and attempts to read all readable memory in the process. The trojan searches for strings matching the following characteristics:

  • <16 digits>=
  • B<16 digits>
  • b<16 digits>


The format of the data suggests the malware is monitoring for 16-digit credit card numbers. The captured data is saved in a ZIP archive file whose name has the following format:

  • <retailer name><char><char><month>.<day>.zip (example: tigerfoodlv11.16.zip)


The file is sent to a specified email address for collection by an attacker via the website "api.sendspace.com". In the wild, the trojan was observed to use the email address "valeristar@e1.ru".
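As an added example (not code from the original description), the following Python sketches host-side checks a defender could run against the indicators listed above: the install path, the service name, the archive naming scheme, and the three string shapes the trojan scrapes from memory. The sample memory buffer, the `windir` default and the Luhn filter are constructed assumptions.

```python
import re
from typing import List, Tuple

# Service name reported for the malware (from the description above).
SUSPECT_SERVICE = "Distributed Process Handler"
# Exfiltration archive: <retailer name><char><char><month>.<day>.zip, e.g. tigerfoodlv11.16.zip
ARCHIVE_RE = re.compile(r"^[a-z]+[a-z]{2}(\d{1,2})\.(\d{1,2})\.zip$", re.IGNORECASE)
# Scraped string shapes: <16 digits>= , B<16 digits>, b<16 digits>.
# Digits may legitimately follow "=" (track-2 expiry/service code), so the
# trailing digit guard applies only to the B/b form.
TRACK_RE = re.compile(rb"(?<![0-9])(?:([0-9]{16})=|[Bb]([0-9]{16})(?![0-9]))")


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to separate plausible card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_like_strings(buf: bytes) -> List[Tuple[str, bool]]:
    """Return (digits, luhn_valid) for each 16-digit run matching one of the three shapes."""
    hits = []
    for m in TRACK_RE.finditer(buf):
        digits = (m.group(1) or m.group(2)).decode("ascii")
        hits.append((digits, luhn_ok(digits)))
    return hits


def is_suspicious_archive_name(name: str) -> bool:
    """True when a filename fits the <retailer><cc><month>.<day>.zip scheme with a sane date."""
    m = ARCHIVE_RE.match(name)
    if not m:
        return False
    month, day = int(m.group(1)), int(m.group(2))
    return 1 <= month <= 12 and 1 <= day <= 31


def is_suspicious_svchost_path(path: str, windir: str = r"C:\Windows") -> bool:
    """Genuine svchost.exe lives under %windir%\\System32; a copy directly in %windir% matches the install location above."""
    return path.lower() == (windir + r"\svchost.exe").lower()


def is_suspicious_service(name: str) -> bool:
    return name.strip().lower() == SUSPECT_SERVICE.lower()


# Constructed sample of process memory: track-2 and track-1 style data plus noise.
SAMPLE_MEMORY = (b"GET /status HTTP/1.1\x00;4111111111111111=25121010000000000000?\x00"
                 b"%B4000000000000002^DOE/JOHN^2512101?\x00b1234567890123456 id=12345678901234567890\x00")
```

Run `find_card_like_strings(SAMPLE_MEMORY)` to see the two Luhn-valid hits and the one rejected digit run; the 20-digit `id=` value is not matched because it has no `=` after its first 16 digits.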

Additional information

Using "api.sendspace.com" requires a registered account, and uploads through its API require an API key tied to that registered user.

Last update 22 November 2011
