TrojanDownloader:Win32/Spycos.B
First posted on 05 May 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Spycos.B is also known as TrojanDownloader:Win32/Damec.B (other), TrojanDownloader:Win32/Banload.AED (other).
Explanation:
TrojanDownloader:Win32/Spycos.B is a trojan that attempts to download arbitrary files, if the Windows operating system locale is set to Portuguese. The trojan attempts to lower Windows security and terminate security software.
Installation
When run, this trojan drops a copy of itself to the following location:
- %TEMP%\60120120148.cpl
It modifies a Windows configuration file named "win.ini" to run the malware when Windows starts, as in the following example:
[File]
Run=C:\Temp\60120120148.cpl
The "win.ini" configuration file is not processed at startup by Windows Vista and later versions of Windows, which ignore it, so this entry has no effect on those systems.
Payload
Lowers Windows security
The malware attempts to disable User Account Control (UAC) notifications by modifying registry data.
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
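The two host-side artifacts described above (the Run= entry in "win.ini" and EnableLUA set to 0 under the UAC policy key) can be checked from collected files rather than live on the host. The following triage script is an added example and is not part of the original description or any Microsoft tooling; the sample "win.ini" text and registry export embedded in it are constructed for the example, and the temp-directory markers used for severity rating are an assumption. On a suspect machine you would feed it the real %WINDIR%\win.ini and the output of `reg export` for the policy key (decoded from its UTF-16 encoding).

```python
"""Triage checks for the Spycos.B persistence and UAC indicators (added example)."""
import configparser
import re
from typing import Dict, List

# Path fragments that mark a temporary directory (assumption for this example).
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")

# Registry key whose values the UAC check inspects (from the description above).
UAC_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def find_win_ini_persistence(win_ini_text: str) -> List[dict]:
    """Report Run=/Load= entries found in win.ini text.

    Vista and later ignore win.ini at startup, so any populated Run= or Load=
    entry is worth a look; a .cpl target inside a temp folder matches the
    pattern described for Spycos.B and is rated high.
    """
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       delimiters=("=",), allow_no_value=True)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(win_ini_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.lower() not in ("run", "load") or not (value or "").strip():
                continue
            target = value.strip()
            lowered = target.lower()
            in_temp = any(marker in lowered for marker in TEMP_DIR_MARKERS)
            severity = "high" if lowered.endswith(".cpl") and in_temp else "medium"
            findings.append({"indicator": "win.ini startup entry", "section": section,
                             "key": key, "target": target, "severity": severity})
    return findings


# Matches a DWORD value line as written by `reg export`, e.g. "EnableLUA"=dword:00000000
_DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9A-Fa-f]{8})\s*$')


def parse_reg_export_dwords(reg_text: str) -> Dict[str, Dict[str, int]]:
    """Parse the DWORD values from .reg export text, grouped by key path."""
    values: Dict[str, Dict[str, int]] = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            values.setdefault(current, {})
            continue
        match = _DWORD_LINE.match(line)
        if match and current is not None:
            values[current][match.group("name")] = int(match.group("data"), 16)
    return values


def check_uac_policy(reg_text: str) -> List[dict]:
    """Flag EnableLUA=0 under the UAC policy key, the change described above."""
    findings = []
    for key, vals in parse_reg_export_dwords(reg_text).items():
        if key.lower() == UAC_POLICY_KEY.lower() and vals.get("EnableLUA") == 0:
            findings.append({"indicator": "UAC disabled", "key": key,
                             "value": "EnableLUA", "data": 0, "severity": "high"})
    return findings


def triage(win_ini_text: str, reg_text: str) -> List[dict]:
    """Run both checks and return the combined finding list."""
    return find_win_ini_persistence(win_ini_text) + check_uac_policy(reg_text)


# Constructed sample win.ini carrying the entry quoted in the description.
SAMPLE_WIN_INI = """; for 16-bit app support
[fonts]
[extensions]
[File]
Run=C:\\Temp\\60120120148.cpl
[Mail]
MAPI=1
"""

# Constructed sample registry export showing the modified UAC policy value.
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_WIN_INI, SAMPLE_REG_EXPORT):
        print(finding)
```

The win.ini check reports every populated Run= or Load= entry rather than only the exact path above, because the dropped filename varies between samples while the mechanism (a startup entry in a file modern Windows no longer honours) does not.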
Terminates security software
This trojan attempts to terminate certain security software. In one sample, the malware targeted AVG and Avast antivirus products. After terminating certain processes or services, the trojan attempts to delete related files to compromise the installed application.
Downloads arbitrary files
If the Windows operating system default language is set to "Portuguese", TrojanDownloader:Win32/Spycos.B attempts to connect to certain remote servers over the HTTP protocol to download arbitrary files. In one sample, the malware attempted to download a cabinet archive file (.CAB) and store it in the Temporary files folder. The CAB file was extracted and used to replace certain already-installed Java components.
Analysis by Jim Wang
Last update 05 May 2012