Backdoor:Win32/Spycos.A


First posted on 31 May 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Spycos.A is also known as PSW.Banker6.WDQ (AVG), TR/ATRAPS.Gen (Avira), Generic PWS.y!1a3 (McAfee), Trojan.ADH (Symantec), PWS-Banker!hcm (McAfee).

Explanation:



Backdoor:Win32/Spycos.A is a trojan that allows unauthorized remote access of your computer. The trojan could steal your online banking credentials by tricking you into entering them while displaying a false login screen. The trojan may also lower your computer's security by disabling certain security software services.

Installation
If run, this trojan installs a copy of Backdoor:Win32/Spycos.A as a file named "modulo.dll". The trojan also modifies your system registry to execute Spycos when the web browser is launched, as in this example:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{4DF58D21-6368-4CCE-9B4D-E36EFEAC28FE}
Sets value: "(default)"
To data: "0"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{4DF58D21-6368-4CCE-9B4D-E36EFEAC28FE}\InprocServer32
Sets value: "(default)"
To data: "c:\modulo.dll"

When the trojan runs, it sets up different timers to perform different actions.
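A defensive check for the registry change described above, as an added example that is not part of the original write-up: it scans the text of a `reg export` dump for the CLSID and "c:\modulo.dll" values listed here. The drive-root heuristic goes beyond this page and is an assumption, as are the function name and the constructed sample.

```python
import re

# Indicators taken from the write-up above.
SPYCOS_CLSID = "{4DF58D21-6368-4CCE-9B4D-E36EFEAC28FE}"
SPYCOS_DLL = r"c:\modulo.dll"
KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.I)
# Assumed heuristic: a COM server DLL sitting directly in a drive root is unusual.
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+\.dll$", re.I)

def scan_reg_export(text):
    """Return (clsid, dll_path, reason) for each suspicious InprocServer32 entry."""
    findings = []
    clsid = None  # CLSID of the InprocServer32 key currently being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            m = INPROC_RE.search(key.group(1))
            clsid = m.group(1).upper() if m else None
            continue
        val = DEFAULT_RE.match(line)  # "@" is the "(default)" value
        if clsid and val:
            # .reg files double the backslashes inside string data.
            path = val.group(1).replace("\\\\", "\\")
            if clsid == SPYCOS_CLSID or path.lower() == SPYCOS_DLL:
                findings.append((clsid, path, "matches Spycos.A indicator"))
            elif DRIVE_ROOT_RE.match(path):
                findings.append((clsid, path, "COM server DLL in drive root"))
    return findings

# Constructed sample in `reg export` format (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DF58D21-6368-4CCE-9B4D-E36EFEAC28FE}]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DF58D21-6368-4CCE-9B4D-E36EFEAC28FE}\InprocServer32]
@="c:\\modulo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="d:\\helper.dll"
'''

if __name__ == "__main__":
    for clsid, path, reason in scan_reg_export(SAMPLE):
        print(f"{clsid}  {path}  [{reason}]")
```

Exports written by regedit are usually UTF-16, so decode the file before passing its text to the function.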

Payload
Lowers computer security

Backdoor:Win32/Spycos.A disables the UAC elevation prompt so that the trojan (and other future malware) could execute without a Windows system alert. The trojan attempts to stop, and delete, certain security software services, for example AVG security.

Downloads arbitrary files

Backdoor:Win32/Spycos.A may contact a remote server to download an update of the trojan and it may download new configuration data that instructs Backdoor:Win32/Spycos.A on other actions to take.

Steals login information

Backdoor:Win32/Spycos.A may display a fake logon page so it can capture your logon credentials and distribute them to a remote attacker. We observed the trojan intercepting browser access of the following domains for this purpose:

  • mail.live.com
  • internetbanking.caixa.gov.br


The following is one example of a fake "caixa" web login page that is displayed by this trojan - it resembles the actual login page:



One variant of this trojan was observed to send captured login credentials to an email address "imirrum @ globomail.com".



Analysis by Jim Wang

Last update 31 May 2012
