Home / malware Infostealer.Retgate
First posted on 21 August 2014.
Source: SymantecAliases :
There are no other names known for Infostealer.Retgate.
Explanation :
The Trojan may arrive through email.
When the Trojan is executed, it creates the following file:
%AppData%\SubFolder\SubFolder\winlogon.exe
The Trojan modifies the following file:
%AllUsersProfile%\Mozilla\Firefox\prefs.js
Note: In prefs.js, the Trojan adds the following settings:
user_pref("network.http.spdy.enabled.v3", false)user_pref("network.http.spdy.enabled.v3-1", false)user_pref("network.http.spdy.enabled", false)
The Trojan then modifies the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"EnableSPDY3_0" = "0"
The Trojan injects itself into the following processes:
outlook.exefirefox.exechrome.exeiexplore.exe
The Trojan may then steal usernames and passwords from Outlook and visited websites before it is encrypted and sent out to the network (hooked APIs).
The Trojan sends stolen information to the following remote location:
[http://]www.securemediaserver.net/ret/gat[REMOVED]Last update 21 August 2014