Infostealer.Gocotoya
First posted on 18 April 2015.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Gocotoya.
Explanation:
The Trojan may arrive on the compromised computer through malicious links delivered through Steam chat.
The Trojan copies itself to the following location and replaces the previous file:
[STEAM DIRECTORY]\Steam.exe
Note: [STEAM DIRECTORY] is the directory where Steam is installed.
The Trojan renames the original [STEAM DIRECTORY]\Steam.exe file to the following file name:
[STEAM DIRECTORY]\steam.old
The Trojan executes the following file, which is now malicious:
[STEAM DIRECTORY]\Steam.exe
The Trojan displays a fake login screen.
The Trojan steals any credentials entered in the fake login screen.
The Trojan may also steal cookies and credentials saved in the following browsers:
Google Chrome
Chromium
Comodo Dragon
Torch
Yandex Browser
Opera
Orbitum
Amigo
QIP Surf
Sleipnir
Citrio
The Trojan sends the stolen information to the following remote location:
[http://]188.120.255.114/auth[REMOVED]
Last update 18 April 2015
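A triage sketch for the indicators described above, added here as an example and not taken from the Symantec write-up: it checks a Steam directory for the renamed-original artefact and filters proxy log lines for the reported destination. The function names are hypothetical, and the log format, sample lines and `authPLACEHOLDER` path suffix are constructed.

```python
import re
from pathlib import Path

# Indicators from the write-up; the URL path after "/auth" is redacted there.
C2_HOST = "188.120.255.114"
C2_PATH_PREFIX = "/auth"
URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/\S*)?", re.I)

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def check_steam_dir(steam_dir):
    """Findings for the rename-and-replace behaviour in one Steam directory."""
    # Windows file names are case-insensitive, so compare lower-cased names.
    files = {p.name.lower(): p for p in Path(steam_dir).iterdir() if p.is_file()}
    exe, old = files.get("steam.exe"), files.get("steam.old")
    findings = []
    if exe and old:
        findings.append("steam.old present next to Steam.exe")
        if is_pe(old):
            findings.append("steam.old is a PE file (possible renamed original)")
    return findings

def c2_hits(log_lines):
    """Log lines whose URL points at the reported host and path prefix."""
    hits = []
    for line in log_lines:
        m = URL_RE.search(line)
        if m and m.group(1) == C2_HOST and (m.group(2) or "").startswith(C2_PATH_PREFIX):
            hits.append(line)
    return hits

# Constructed proxy log lines (format, clients and path suffix are made up).
SAMPLE_LOG = [
    "2015-04-18T10:02:11Z 192.0.2.15 GET http://example.com/index.html 200",
    "2015-04-18T10:02:40Z 192.0.2.15 POST http://188.120.255.114/authPLACEHOLDER 200",
    "2015-04-18T10:03:02Z 192.0.2.27 GET http://188.120.255.114/favicon.ico 404",
]

if __name__ == "__main__":
    import sys
    for finding in check_steam_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("[file]", finding)
    for hit in c2_hits(SAMPLE_LOG):
        print("[net] ", hit)
```

A finding from either check is a lead to confirm with further analysis of the host, not a verdict on its own.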