
Infostealer.Steem


First posted on 24 May 2014.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Steem.

Explanation :

When the Trojan is executed, it creates the following files:
%UserProfile%\Application Data\Microsoft FxCop\wmiApSrv.exe
%UserProfile%\Application Data\Skype\vrfauto.exe

Next, the Trojan creates the following registry entry so that it loads every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Application Identity" = "%UserProfile%\Application Data\wmiApSrv.exe"

The Trojan then creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"Windows Application Verifier Automation" = "%UserProfile%\Application Data\Skype\vrfauto.exe"

The Trojan may then gather login credentials from the following services:
FileZilla
Trillian
jDownloader
Windows Live Mail
Outlook Express
Microsoft Outlook
IncrediMail
Eudora
Pidgin
Mozilla Thunderbird
Yahoo Mail
Hotmail (if the password is saved in the Windows Live Messenger application)
Gmail (if the password is saved in Google Talk, Google Desktop or the Gmail Notifier application)
Saved passwords in Internet Explorer, Firefox and Chrome
The Trojan then sends this information to the following remote location:
preshie1fk.comoj.com
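The persistence entries and dropped files listed above can be checked for on a host with the following PowerShell script. It is an added example, not part of the Symantec writeup; it assumes a current Windows where %UserProfile%\Application Data resolves to $env:APPDATA, so both locations are examined, and any hit should be compared against the paths stated on this page.

```powershell
# Added example (not from the Symantec writeup): looks for the Run/RunOnce
# value names and dropped-file paths this page attributes to Infostealer.Steem.
# Assumption: %UserProfile%\Application Data maps to $env:APPDATA (Roaming) on
# current Windows, so both directories are checked.

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Autostart value names taken from the page
$indicators = @(
    @{ Key = $runKey;     Name = 'Application Identity' },
    @{ Key = $runOnceKey; Name = 'Windows Application Verifier Automation' }
)

# Dropped-file paths taken from the page, relative to the Application Data folder
$relativeFiles = @(
    'Microsoft FxCop\wmiApSrv.exe',
    'Skype\vrfauto.exe',
    'wmiApSrv.exe'   # path referenced by the Run value
)

$findings = @()

foreach ($i in $indicators) {
    $item = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
    if ($item) {
        $target = $item | Select-Object -ExpandProperty $i.Name
        $findings += "Autostart entry present: $($i.Key)\$($i.Name) = $target"
    }
}

$appDataDirs = @(
    (Join-Path $env:USERPROFILE 'Application Data'),
    $env:APPDATA
) | Select-Object -Unique

foreach ($dir in $appDataDirs) {
    foreach ($rel in $relativeFiles) {
        $path = Join-Path $dir $rel
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += "Dropped file present: $path"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Infostealer.Steem indicators from this writeup were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```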

Last update 24 May 2014
