
Trojan.Rapidstealer


First posted on 15 May 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Rapidstealer.

Explanation:

The Trojan may arrive packaged with the following VPN applications:
    Ultrasurf
    GerdooVPN
    Psiphon

When the Trojan is executed, it creates the following files:
    %UserProfile%\Application Data\IntelRapidStart\DelphiNative.dll
    %UserProfile%\Application Data\IntelRapidStart\IntelRS.exe.config
    %UserProfile%\Application Data\IntelRapidStart\AppTransferWiz.dll
    %UserProfile%\Application Data\IntelRapidStart\IntelRS.exe
    %UserProfile%\Application Data\IntelRapidStart\RapidStartTech.stl

The Trojan creates the following registry entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"IntelRapidStart" = %UserProfile%\Application Data\IntelRapidStart\IntelRS.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IntelRapidStart" = %UserProfile%\Application Data\IntelRapidStart\IntelRS.exe

The Trojan may steal the following information from the compromised computer:
    Screenshots
    Key logs
    Clipboard data
    Computer name
    User name
    Installed applications
    IP address
    Open ports
    Language settings
    Process lists
    User credentials stored in Chrome, Firefox, Opera, and Internet Explorer
    Bookmarks stored in Chrome, Firefox, Opera, and Internet Explorer
    Cookies stored in Chrome, Firefox, Opera, and Internet Explorer
    Browsing history for Chrome, Firefox, Opera, and Internet Explorer
    Proxy settings for Chrome, Firefox, Opera, and Internet Explorer
    User credentials for Gtalk, Pidgin, Skype, and Yahoo Messenger
    User credentials for Proxifier

The Trojan uploads the stolen information to one of the following servers:
    intel-update.com
    ultrasms.ir
    account-verify.net
    secure.sitanetwork.tk
    88.150.227.197
    windows.update-mirror.com

The Trojan can download updates of itself from the previously mentioned servers.
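The file paths, Run-key values and server names above are the indicators a responder would sweep a host for. The following PowerShell script is an added example, not part of the Symantec write-up, that checks a single Windows machine for those artifacts: the dropped files, the two "IntelRapidStart" Run entries, cached DNS lookups for the listed domains, and established connections to the listed IP address. The indicator values come from the write-up; using $env:APPDATA in place of the XP-era "%UserProfile%\Application Data" path, and the use of Get-DnsClientCache / Get-NetTCPConnection (Windows 8 / Server 2012 and later), are assumptions of this example.

```powershell
# Added example (not from the Symantec write-up): sweep this host for the
# Trojan.Rapidstealer persistence and network indicators listed above.
# Assumption: $env:APPDATA stands in for "%UserProfile%\Application Data".

$dropDir   = Join-Path $env:APPDATA 'IntelRapidStart'
$dropFiles = 'DelphiNative.dll', 'IntelRS.exe.config', 'AppTransferWiz.dll',
             'IntelRS.exe', 'RapidStartTech.stl'
$runKeys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'IntelRapidStart'
$c2Domains = 'intel-update.com', 'ultrasms.ir', 'account-verify.net',
             'secure.sitanetwork.tk', 'windows.update-mirror.com'
$c2Address = '88.150.227.197'

$findings = @()

# 1. Dropped files in the IntelRapidStart directory.
foreach ($name in $dropFiles) {
    $path = Join-Path $dropDir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $path
            Detail   = ('{0} bytes, modified {1}' -f $item.Length, $item.LastWriteTime)
        }
    }
}

# 2. Run-key persistence under HKLM and HKCU.
foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{
                Type     = 'RunKey'
                Location = "$key\$valueName"
                Detail   = $prop.$valueName
            }
        }
    }
}

# 3. Resolver cache entries for the listed upload servers (Windows 8+ cmdlet).
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $c2Domains -contains $_.Entry } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type     = 'DnsCache'
                Location = $_.Entry
                Detail   = $_.Data
            }
        }
}

# 4. Live TCP connections to the listed IP address.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemoteAddress $c2Address -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type     = 'TcpConnection'
                Location = ('{0}:{1} (PID {2})' -f $_.RemoteAddress, $_.RemotePort, $_.OwningProcess)
                Detail   = $_.State
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Rapidstealer indicators found on this host.'
} else {
    Write-Warning ('{0} Trojan.Rapidstealer indicator(s) found:' -f $findings.Count)
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM key and other users' sockets are readable; the HKCU check only covers the account the script runs as, so on a multi-user machine load each user's hive or run it per profile. A DNS-cache hit is the weakest of the four signals (any process on the host can populate the resolver cache), so treat it as a lead to confirm against proxy or firewall logs rather than a verdict on its own.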

Last update 15 May 2014
