Infostealer.Kegotip
First posted on 18 February 2015.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Kegotip.
Explanation:
The Trojan may be downloaded and installed on the compromised computer by the following malware:
Downloader.Upatre
Once executed, the Trojan creates the following files:
%Temp%\MSWQ[RANDOM CHARACTER FILE NAME].tmp
%UserProfile%\dotrudtegibd.exe
The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"C:\WINDOWS\system32\"svchost.exe" = "%System%\svchost.exe:*:Enabled:Microsoft Office"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"VendorId" = "[HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dotrudtegibd" = "%UserProfile%\dotrudtegibd.exe"
It also creates the following registry subkey:
HKEY_CURRENT_USER\Software\Stqbckeeiwwaw
The Trojan steals user credentials from the following software programs:
SecureFX
FTP Rush
UltraFXP
ALFTP
FTP Commander
FTP Navigator
TurboFTP
SmartFTP
WS_FTP
FileZilla
Far Manager
Total Commander
GlobalSCAPE Software
The Trojan may also gather email addresses from files on the compromised computer, excluding those with the following extensions:
.rar
.zip
.cab
.avi
.mp3
.jpg
.gif
It then sends the stolen information to the following remote location:
64.79.90.82
Last update 18 February 2015
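Added example, not part of the Symantec writeup: a Python check that matches a host artifact inventory (registry values, subkeys, files and remote connections, collected by whatever tooling you already use) against the indicators listed above. The inventory shown is constructed, and the environment-variable paths are matched as wildcards because %Temp% and %UserProfile% expand differently per user.

```python
import re

# Artifacts listed in the writeup above; matching is case-insensitive and
# %Temp%/%UserProfile% are treated as wildcards since they expand per user.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                 r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
MARKER_SUBKEY = r"HKEY_CURRENT_USER\Software\Stqbckeeiwwaw"
EXFIL_ADDRESS = "64.79.90.82"
DROPPED_FILES = [re.compile(r".*\\MSWQ[^\\]+\.tmp$", re.I),     # %Temp%\MSWQ[RANDOM].tmp
                 re.compile(r".*\\dotrudtegibd\.exe$", re.I)]   # %UserProfile%\dotrudtegibd.exe


def check_host(inv: dict) -> list:
    """Match a host inventory against the Kegotip artifacts and return findings.
    inv = {"registry": {key: {value_name: data}}, "subkeys": [key, ...],
           "files": [path, ...], "connections": [remote_ip, ...]}"""
    findings = []
    reg = {k.lower(): v for k, v in inv.get("registry", {}).items()}
    # Persistence: Run value named dotrudtegibd, or any Run value launching the EXE.
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "dotrudtegibd" or data.lower().endswith(r"\dotrudtegibd.exe"):
            findings.append(f"run-persistence: {name} = {data}")
    # Firewall allow-list entry that presents svchost.exe as "Microsoft Office".
    for name, data in reg.get(FIREWALL_LIST.lower(), {}).items():
        if "svchost.exe" in name.lower() and data.lower().endswith(":enabled:microsoft office"):
            findings.append(f"firewall-allowlist: {name} = {data}")
    # Marker subkey, dropped files and the exfiltration destination.
    if any(k.lower() == MARKER_SUBKEY.lower() for k in inv.get("subkeys", [])):
        findings.append(f"marker-subkey: {MARKER_SUBKEY}")
    for path in inv.get("files", []):
        if any(p.match(path) for p in DROPPED_FILES):
            findings.append(f"dropped-file: {path}")
    if EXFIL_ADDRESS in inv.get("connections", []):
        findings.append(f"exfil-connection: {EXFIL_ADDRESS}")
    return findings


# Constructed sample inventory (not real telemetry) showing an infected host.
SAMPLE_INVENTORY = {
    "registry": {
        RUN_KEY: {"dotrudtegibd": r"C:\Users\alice\dotrudtegibd.exe", "OneDrive": r"C:\od.exe"},
        FIREWALL_LIST: {r"C:\WINDOWS\system32\svchost.exe":
                        r"C:\WINDOWS\system32\svchost.exe:*:Enabled:Microsoft Office"},
    },
    "subkeys": [r"HKEY_CURRENT_USER\Software\stqbckeeiwwaw"],
    "files": [r"C:\Users\alice\AppData\Local\Temp\MSWQa1b2.tmp", r"C:\Users\alice\notes.txt"],
    "connections": ["64.79.90.82"],
}
```

Running `check_host(SAMPLE_INVENTORY)` yields five findings, one per artifact class; an empty inventory yields none.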