Infostealer.Fightpos
First posted on 24 April 2015.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Fightpos.
Explanation :
Once executed, the Trojan copies itself to following location:
%UserProfile%\Application Data\Microsoft\InternetExplorer.exe
The Trojan then drops the following files:
%Temp%\ActiveComponent.bat
%Temp%\ActiveComponent.exe
It also creates the following file:
%UserProfile%\Start Menu\Programs\Startup\Shortcut to Internet Explorer.lnk
The Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft" = "%UserProfile%\Application Data\Microsoft\InternetExplorer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ActiveControl" = "%Temp%\ActiveComponent.bat"
It also creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[PATH OF THE ORIGINAL FILE]" = "[PATH OF THE ORIGINAL FILE]:*:Enabled: Microsoft"
HKLM\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[PATH OF THE ORIGINAL FILE]" = "[PATH OF THE ORIGINAL FILE]:*:Enabled: Microsoft"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%UserProfile%\Application Data/Microsoft/InternetExplorer.exe" = "%UserProfile%\Application Data\Microsoft\InternetExplorer.exe:*:Enabled: Microsoft"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UACDisableNotify" = "0"
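Added here as a defender-side triage illustration, not part of the Symantec write-up: a Python script that parses an offline "reg export" (.reg) text of the keys listed above and flags the Run-key autostart of the dropped files, the self-added Windows Firewall exception, and the DoNotAllowExceptions/EnableLUA values set to 0. The key paths and dropped-file names come from the write-up; the sample export, including the expanded user paths and the benign ctfmon.exe entry, is constructed.

```python
import re

# Registry locations and dropped-file names taken from the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_PROFILE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
FW_LIST = FW_PROFILE + r"\AuthorizedApplications\List"
UAC_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
DROPPED = ("internetexplorer.exe", "activecomponent.bat", "activecomponent.exe")

def parse_reg_export(text):
    # Parse 'reg export' text into {key: {value_name: data}}; REG_SZ and DWORD values only.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current:
            m = re.match(r'^"(.*?)"=(?:"(.*)"|dword:([0-9a-fA-F]+))$', line)
            if m:  # .reg files escape backslashes as \\ inside quoted strings
                name = m.group(1).replace("\\\\", "\\")
                data = m.group(2).replace("\\\\", "\\") if m.group(2) is not None else str(int(m.group(3), 16))
                keys[current][name] = data
    return keys

def find_fightpos_indicators(reg_text):
    """Return one finding per registry entry matching the persistence/firewall changes above."""
    reg = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}  # key names are case-insensitive
    findings = []
    for name, data in reg.get(RUN_KEY.lower(), {}).items():  # autostart of the dropped files
        if data.lower().endswith(DROPPED):
            findings.append(f"Run value {name!r} starts {data}")
    for name, data in reg.get(FW_LIST.lower(), {}).items():  # self-added firewall exception
        if data.lower().endswith(":*:enabled: microsoft"):
            findings.append(f"firewall exception for {name}")
    for key, value in ((FW_PROFILE, "DoNotAllowExceptions"), (UAC_POLICY, "EnableLUA")):
        if reg.get(key.lower(), {}).get(value) == "0":  # exceptions allowed / UAC switched off
            findings.append(f"{value} = 0")
    return findings

# Constructed sample export (not from a real host): the write-up's entries plus one benign Run value.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft"="C:\\Documents and Settings\\user\\Application Data\\Microsoft\\InternetExplorer.exe"
"ActiveControl"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\ActiveComponent.bat"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\Application Data\\Microsoft\\InternetExplorer.exe"="C:\\Documents and Settings\\user\\Application Data\\Microsoft\\InternetExplorer.exe:*:Enabled: Microsoft"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000'''
```

Running find_fightpos_indicators(SAMPLE_REG) yields five findings and ignores the benign ctfmon.exe entry; on a live host, feed it the output of "reg export" for the keys above.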
The Trojan then opens a back door on the compromised computer and connects to the following remote location:
[http://]69.195.77.74/BrFighter/bot/comma[REMOVED]
The Trojan may then perform the following actions on the compromised computer:
Gather payment card information and send it to the attacker
Log keystrokes
Download and execute files
Launch denial-of-service attacks
Visit websites
Last update 24 April 2015