TrojanDownloader:Win32/Spycos.R
First posted on 17 October 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Spycos.R is also known as Trojan/Win32.Banload (AhnLab), W32/Banload.CCZX (Norman), Trojan horse Downloader.Banload.CCXS (AVG), Trojan.PWS.Banker1.5066 (Dr.Web), Win32/TrojanDownloader.Banload.RMW trojan (ESET), Trojan-Downloader.Win32.Banload (Ikarus), Trojan-Downloader.Win32.Banload.byvm (Kaspersky), PWS-Banker!hf3 (McAfee), Mal/Bancos-BM (Sophos), TROJ_SPNR.15JC12 (Trend Micro).
Explanation:
TrojanDownloader:Win32/Spycos.R is malware that downloads and executes other malware from a remote server. It also terminates security processes and services and steals information about your computer.
Installation
TrojanDownloader:Win32/Spycos.R copies itself to the Temporary Files folder as a CPL file with a random 12-digit file name.
It creates the following registry entry so that this file automatically runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<14 random numbers>"
With data: "%Temp%\<malware file name>"
It also drops the following clean files as part of its installation routine:
- %Temp%\_thundbs2.db
- %Temp%\FXSAPIDebuglog.DLL
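The autostart entry described above has a recognisable shape (a 14-digit value name whose data points at a 12-digit .cpl file in the Temp folder). The following added example, not part of the original Microsoft entry, scans a `reg export` of the HKCU Run key for values of that shape; the export text and all value names and paths in it are constructed, and it also accepts an already-expanded Temp path rather than only the literal `%Temp%` string.

```python
"""Flag HKCU Run-key values matching the Spycos.R persistence pattern."""
import re
from typing import Iterable

# Spycos.R: value name is 14 random digits, data is a 12-digit .cpl in %Temp%.
RUN_NAME_RE = re.compile(r"^\d{14}$")
# Accept the literal %Temp% variable or an expanded ...\Temp or ...\Local Settings\Temp path.
TEMP_CPL_RE = re.compile(
    r"^(?:%temp%|.*\\(?:local settings\\)?temp)\\\d{12}\.cpl$", re.IGNORECASE
)
# Value line as written by `reg export` / regedit: "name"="data" (backslashes doubled).
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> list[tuple[str, str]]:
    """Return (name, data) pairs from a .reg export of a single Run key."""
    entries = []
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            # Undo the escaping regedit applies to embedded quotes and backslashes.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            entries.append((m.group("name"), data))
    return entries


def is_spycos_run_entry(name: str, data: str) -> bool:
    """True when a Run value looks like the Spycos.R autostart entry."""
    return bool(RUN_NAME_RE.match(name) and TEMP_CPL_RE.match(data.strip('"')))


def find_suspicious(entries: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    return [(n, d) for n, d in entries if is_spycos_run_entry(n, d)]


# Constructed sample export (not from a real host); every name and path is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"38271946502817"="%Temp%\\482916305721.cpl"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"
"61528394710263"="C:\\Users\\alice\\AppData\\Local\\Temp\\193847562019.cpl"
'''

if __name__ == "__main__":
    for name, data in find_suspicious(parse_reg_export(SAMPLE_REG)):
        print(f"suspicious Run entry: {name} -> {data}")
```

Run it against the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` to check a real profile; a hit warrants checking the referenced .cpl and the Temp folder for the dropped files listed above.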
Payload
Terminates antivirus processes and services
TrojanDownloader:Win32/Spycos.R terminates the following antivirus processes and services, if they exist on your computer:
Processes:
- avgam.exe
- avgchsvx.exe
- avgfws9.exe
- AVGIDSAgent.exe
- AVGIDSMonitor.exe
- avgnsx.exe
- avgrsx.exe
- avgsrvx.exe
- avgwdsvc.exe
Services:
- aswUpdSv
- avast! Mail Scanner
- avast! Web Scanner
- AVGWD
It also disables Least User Access (LUA).
Removes security-related Browser Helper Objects (BHO)
TrojanDownloader:Win32/Spycos.R removes the following Browser Helper Objects (BHO) if they are found on your computer; these objects correspond to AVG security toolbars:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Steals information about your computer
TrojanDownloader:Win32/Spycos.R steals the following information about your computer:
- Online banking plugins installed on your computer
- Antivirus products installed on your computer
- Windows version running on your computer
- Computer name
- Volume serial number of your hard disk
- Current user name
It sends the information to the server "entreterimentoglass.com".
Downloads and installs additional malware
TrojanDownloader:Win32/Spycos.R can download other malware by connecting to remote servers, usually via HTTP. It is known to download files from the following sites:
- aviramento32.kit.net
- chicabana21.kit.net
It downloads files only when the default language on your computer is Portuguese.
Analysis by Alden Pornasdoro
Last update 17 October 2012