
MSIL.Stimilik


First posted on 10 October 2015.
Source: Symantec

Aliases :

There are no other names known for MSIL.Stimilik.

Explanation :

The Trojan may arrive through Steam instant messages (IM).

When the Trojan is executed, it creates the following files:
  %SystemDrive%\Documents and Settings\All Users\Application Data\[FOLDER DETERMINED BY CONFIGURATION DATA]\[FILE DETERMINED BY CONFIGURATION DATA].exe
  %Temp%\difdicrj.txt
  %Temp%\visited.txt
  %Temp%\[RANDOM CHARACTERS].vbs

The Trojan may delete all files in the following folder:
  %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup

Next, the Trojan creates the following registry entries:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft" = "[PATH TO MALWARE]"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon\"shell" = "[PATH TO MALWARE], explorer.exe"

The Trojan may delete all entries in the following registry subkeys:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The Trojan may then connect to a command-and-control server to receive commands, which could include the following actions:
  Send messages to all of the user's contacts on Steam IM
  Send offers to trade Steam items with other users
  Log keystrokes
  Gather passwords from web browser cookies
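
As an added example that is not part of the Symantec write-up, the following PowerShell performs a read-only triage for the persistence entries and dropped files listed above, using the registry paths and file names exactly as the page gives them; it reports what it finds and removes nothing.

```powershell
# Added example (not from the Symantec write-up): read-only check for the
# MSIL.Stimilik indicators listed above. Run on the host under investigation.
$findings = @()

# Run-key value literally named "Microsoft" is the persistence entry
# described above; report whatever path it points at.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Microsoft']) {
    $findings += "Run value 'Microsoft' = $($run.Microsoft)"
}

# Per-user Winlogon "shell" value at the path the write-up names. The real
# shell setting lives under HKLM and is plain "explorer.exe", so any value
# here that is not exactly explorer.exe (e.g. "[PATH], explorer.exe") is
# worth a look.
$wlKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $wlKey -ErrorAction SilentlyContinue
if ($wl -and $wl.PSObject.Properties['shell']) {
    $shell = [string]$wl.shell
    if ($shell.Trim() -ine 'explorer.exe') {
        $findings += "HKCU Winlogon shell = '$shell'"
    }
}

# Dropped files in %Temp%: the two fixed names, plus any .vbs because the
# write-up says that one is randomly named (match on extension, not name).
$tmp = $env:TEMP
foreach ($name in 'difdicrj.txt', 'visited.txt') {
    $p = Join-Path $tmp $name
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file: $p" }
}
Get-ChildItem -Path $tmp -Filter '*.vbs' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "VBS in Temp (review contents): $($_.FullName)" }

if ($findings.Count -eq 0) {
    'No MSIL.Stimilik indicators found.'
} else {
    'Possible MSIL.Stimilik indicators:'
    $findings | ForEach-Object { " - $_" }
}
```

A hit on the Winlogon or Run value alone is not proof of infection; confirm by inspecting the referenced executable before taking action.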

Last update 10 October 2015
