TrojanSpy:Win32/Ploscato.G
First posted on 17 November 2014.
Source: Microsoft
Aliases:
There are no other names known for TrojanSpy:Win32/Ploscato.G.
Explanation:
Threat behavior
Installation
This threat creates the following file on your PC:
- %windir%\help\winvnc32.chm
It creates the following mutex:
- ID276
Payload
Steals your bank and credit card numbers
This threat searches your PC's memory for bank and credit card numbers.
To do this it enumerates the running processes on the system and reads their memory.
Any banking details that are found are saved, along with your computer's IP address, to the following file:
- %windir%\help\winvnc32.chm
It skips the memory of processes with the following executable names:
- chrome.exe
- conhost.exe
- csrss.exe
- ctfmon.exe
- explorer.exe
- firefox.exe
- lsass.exe
- mdm.exe
- RegSrvc.exe
- sched.exe
- services.exe
- smss.exe
- spoolsv.exe
- svchost.exe
- System
- taskmgr.exe
- wininit.exe
- winlogon.exe
- wmiprvse.exe
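The two host artefacts listed above (the drop file under %windir% and the mutex ID276) are what an incident responder would check first, and the drop file is worth triaging to scope which card numbers were collected. The following Python script is an added example, not code from the Microsoft write-up: it resolves the IOC path from the environment, checks for the file, attempts to open the mutex (only possible on Windows; elsewhere it reports the check as not run), and scans the drop file's contents for digit runs that pass the Luhn check so a responder can count exposed card numbers without reading them. The sample buffer in the test is constructed; the verdict labels and function names are this example's own.

```python
import os
import platform
import re
from typing import Optional

# Indicators taken from the description above.
IOC_FILE = r"%windir%\help\winvnc32.chm"
IOC_MUTEX = "ID276"


def resolve_ioc_path(ioc: str, env=None) -> str:
    """Expand %windir% using the supplied environment (defaults to os.environ)."""
    env = os.environ if env is None else env
    windir = env.get("windir") or env.get("SystemRoot") or r"C:\Windows"
    return ioc.replace("%windir%", windir)


def mutex_exists(name: str) -> Optional[bool]:
    """Return True/False on Windows, or None when the check cannot run here."""
    if platform.system() != "Windows":
        return None
    import ctypes  # only needed on Windows
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return False


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_card_numbers(data: bytes) -> int:
    """Count 13-19 digit runs in the drop file that pass Luhn (breach scoping)."""
    text = data.decode("latin-1", errors="replace")
    return sum(1 for m in re.finditer(r"(?<!\d)\d{13,19}(?!\d)", text)
               if luhn_valid(m.group(0)))


def assess(file_found: bool, mutex_found: Optional[bool]) -> str:
    """Combine the indicator checks into a verdict label (labels are this example's)."""
    if file_found and mutex_found:
        return "likely infected"
    if file_found or mutex_found:
        return "suspicious"
    if mutex_found is None:
        return "inconclusive"
    return "no indicators"


def check_host(env=None) -> dict:
    """Run the checks on this host and return the findings."""
    path = resolve_ioc_path(IOC_FILE, env)
    file_found = os.path.isfile(path)
    cards = 0
    if file_found:
        with open(path, "rb") as fh:
            cards = count_card_numbers(fh.read())
    mutex_found = mutex_exists(IOC_MUTEX)
    return {
        "path": path,
        "file_found": file_found,
        "mutex_found": mutex_found,
        "card_numbers_in_drop_file": cards,
        "verdict": assess(file_found, mutex_found),
    }


if __name__ == "__main__":
    for key, value in check_host().items():
        print(f"{key}: {value}")
```

Run it as the local administrator on a suspect host; a present file with a Luhn-valid count above zero tells you the scraper has already harvested data and the machine should be treated as a breach, not just an infection.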
Additional information
The malware also includes messages that call for an end to the "US anti-world campaign".
Analysis by James Dee
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
%windir%\help\winvnc32.chm
Last update 17 November 2014