
Infostealer.Reedum.D


First posted on 08 September 2014.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Reedum.D.

Explanation :

Once executed, the Trojan creates the following files:
%System%\McTrayErrorLogging.dll
%System%\t.bat
It then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCFMISVC\0000\Control\*NewlyCreated*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCFMISVC\0000\Control\ActiveService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCFMISVC\0000\Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCFMISVC\0000\Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCFMISVC\0000\ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCFMISVC\0000\Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCFMISVC\0000\ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCFMISVC\0000\DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCFMISVC\NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\Enum\0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\Enum\Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\Enum\NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\Security\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\FailureActions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc\Description
The Trojan can receive the following commands:
Install (installs the malware as a service)
Uninstall (deletes the service)
Start (only works if the service was successfully installed)
Stop
Once the Trojan starts, it scans running processes for payment card data.

The following processes are excluded from being scanned by the Trojan:
smss.exe
csrss.exe
wininit.exe
services.exe
lsass.exe
svchost.exe
winlogon.exe
sched.exe
spoolsv.exe
System
conhost.exe
ctfmon.exe
wmiprvse.exe
mdm.exe
taskmgr.exe
explorer.exe
RegSrvc.exe
firefox.exe
chrome.exe
The Trojan saves the stolen data to the following location:
%System%\McTrayErrorLogging.dll
The Trojan then runs a script contained in the following file:
%System%\t.bat
The script sends the stolen information to a computer on the local network.
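A host-telemetry check for the indicators listed above, added here as an example and not part of the Symantec write-up: it parses a handful of constructed Sysmon-style records (file creation, registry value set and service installation events) and flags the two dropped files, the mcfmisvc service and writes under its registry keys. The expansion of %System% to C:\Windows\System32, the simplified key=value log layout and every sample line are assumptions made for this example, not data from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from the write-up above. %System% is the write-up's placeholder for
# the system directory; C:\Windows\System32 is the usual expansion (assumption: a
# default install on the C: drive). Comparisons are case-insensitive because Windows
# paths and registry keys are.
SYSTEM_DIR = r"C:\Windows\System32"
DROPPED_FILES = {
    rf"{SYSTEM_DIR}\McTrayErrorLogging.dll".lower(),
    rf"{SYSTEM_DIR}\t.bat".lower(),
}
SERVICE_NAME = "mcfmisvc"
REGISTRY_PREFIXES = (
    r"hklm\system\currentcontrolset\services\mcfmisvc",
    r"hklm\system\currentcontrolset\enum\root\legacy_mcfmisvc",
)

# Constructed sample records (not real telemetry) in a simplified "key=value" layout.
# Event IDs follow Sysmon / System-log conventions: 11 = FileCreate,
# 13 = RegistryEvent (value set), 7045 = new service installed.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Users\\alice\\Downloads\\update.exe TargetFilename=C:\\Windows\\System32\\McTrayErrorLogging.dll",
    "EventID=11 Image=C:\\Windows\\System32\\svchost.exe TargetFilename=C:\\Windows\\Temp\\cab123.tmp",
    "EventID=13 TargetObject=HKLM\\System\\CurrentControlSet\\Services\\mcfmisvc\\ImagePath Details=C:\\Windows\\System32\\update.exe",
    "EventID=7045 ServiceName=mcfmisvc ImagePath=C:\\Windows\\System32\\update.exe StartType=auto start",
    "EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe StartType=auto start",
    "EventID=11 Image=C:\\Users\\alice\\Downloads\\update.exe TargetFilename=c:\\windows\\system32\\T.BAT",
]


@dataclass
class Hit:
    line_no: int     # 1-based index of the record in the input
    indicator: str   # which indicator from the write-up matched
    event: str       # the raw record, kept for the analyst


# A value runs up to the next " key=" token, so values with spaces ("auto start") survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value ...' record into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def match_event(ev: Dict[str, str]) -> Optional[str]:
    """Return a description of the matching indicator, or None if the record is benign."""
    eid = ev.get("EventID")
    if eid == "11":
        if ev.get("TargetFilename", "").lower() in DROPPED_FILES:
            return "dropped file " + ev["TargetFilename"]
    elif eid == "13":
        # Sysmon writes HKLM; the write-up spells it HKEY_LOCAL_MACHINE. Normalise both.
        target = ev.get("TargetObject", "").lower().replace("hkey_local_machine\\", "hklm\\")
        if target.startswith(REGISTRY_PREFIXES):
            return "registry write " + ev["TargetObject"]
    elif eid == "7045":
        if ev.get("ServiceName", "").lower() == SERVICE_NAME:
            return "service install " + ev["ServiceName"]
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Run every record through the indicator check and collect the hits."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        indicator = match_event(parse_event(line))
        if indicator:
            hits.append(Hit(n, indicator, line))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"line {hit.line_no}: {hit.indicator}")
```

Running scan(SAMPLE_EVENTS) yields four hits: the two file drops (the last one written as T.BAT is still caught by the case-insensitive compare), the ImagePath write under Services\mcfmisvc, and the 7045 installation of mcfmisvc. The Spooler install and the temp-file creation are left alone. The file-path indicators are the weakest of the three, since the names could be reused by a later variant in a different directory; the service name and its Enum\Root\LEGACY_MCFMISVC key are the more stable hooks for a hunt.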

Last update 08 September 2014
