Backdoor:Win32/Spycos.B
First posted on 24 May 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/Spycos.B is also known as Backdoor:Win32/Damec.B (other), PSW.Banker6.LAL (AVG), TR/Spy.Banker.aai.23 (Avira), Trojan-Downloader.Win32.Banload.bqfp (Kaspersky), PWS-Banker!h2f (McAfee), Trojan.Gen.2 (Symantec), TSPY_BANKER.QLP (Trend Micro).
Explanation:
Backdoor:Win32/Spycos.B is a trojan that allows unauthorized remote access to your computer. It may steal your login credentials for online banking and web-based email services, and it may lower the computer's security by disabling certain security software services.
Installation
This trojan may be installed by other malware and is present as a variably named DLL file, such as "3DVision_280.dll" or "AudioSes.dll". It registers the DLL as a COM in-process server so that it is loaded when the web browser is launched, as in this example:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{FBEE269C-3039-4E9C-BB33-651B1FB50EF9}
Sets value: "(default)"
To data: "0"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{FBEE269C-3039-4E9C-BB33-651B1FB50EF9}\InprocServer32
Sets value: "(default)"
To data: "<Backdoor:Win32/Spycos.B file name>"

When the trojan runs, it sets up several timers, each of which triggers one of the actions described below.
Payload
Lowers computer security

Backdoor:Win32/Spycos.B disables the User Account Control (UAC) elevation prompt so that the trojan (and other malware) can run without a Windows system alert. The change takes effect after the next restart.

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
To data: "0"

The trojan also attempts to stop, and then delete, certain security software services. These are example commands run by the trojan (they only succeed when the trojan already has administrative rights):

SC stop AVGIDSAgent
SC stop avg9wd
SC stop AVGWD
SC DELETE AVGIDSAgent
SC DELETE avg9wd

Downloads arbitrary files

Backdoor:Win32/Spycos.B may contact a remote server to download an update of itself. It may also download new configuration data that instructs it on other actions to take.

Steals login information

Backdoor:Win32/Spycos.B monitors (or "sniffs") network packets in order to steal login credentials. We observed the trojan intercepting browser access to the following domains for this purpose:
- aapj.bb.com.br
- internetbanking.caixa.gov.br
- santandernet.com.br
- bancobrasil.com.br
One variant of this trojan was observed to send captured login credentials to an email address "imirrum @ globomail.com".
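The two registry indicators described above (the CLSID in-process server registration and EnableLUA set to 0) are easy to check against a `reg export` of the affected keys. The following triage script is an added example, not part of Microsoft's writeup or tooling: it parses the .reg text format, looks up the Spycos CLSID and the UAC policy value, and reports what it finds. The sample export embedded in it, including the DLL path "C:\Users\Public\AudioSes.dll", is constructed for illustration; the real file name varies per sample.

```python
"""Triage a Windows registry export (.reg text) for the Spycos.B indicators:
the COM in-process server under HKLM\\SOFTWARE\\Classes\\CLSID\\{FBEE269C-...}
and EnableLUA=0 under the UAC policy key. Added example, not Microsoft's code."""
import re
from pathlib import Path
from typing import Dict, List, Optional

SPYCOS_CLSID = "{FBEE269C-3039-4E9C-BB33-651B1FB50EF9}"
# reg export writes full hive names, so HKLM in the writeup is HKEY_LOCAL_MACHINE here.
CLSID_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + SPYCOS_CLSID
UAC_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed sample of what an export of the two keys would look like on an
# infected host. The DLL path is made up for illustration.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBEE269C-3039-4E9C-BB33-651B1FB50EF9}]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBEE269C-3039-4E9C-BB33-651B1FB50EF9}\InprocServer32]
@="C:\\Users\\Public\\AudioSes.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"""

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _decode_data(data: str) -> object:
    """Decode REG_SZ (unescaping \\\\ and \\") and REG_DWORD; keep other types raw."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(["\\])', r'\1', data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex:, hex(2):, '-' (deleted value) etc. are left as text


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key_path: {value_name: data}}; default value is '@'."""
    reg: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = reg.setdefault(line[1:-1], {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(2)
        current[name] = _decode_data(m.group(3))
    return reg


def find_com_hijack(reg: Dict[str, Dict[str, object]]) -> Optional[str]:
    """Return the module registered as in-process server for the Spycos CLSID, if any."""
    path = reg.get(CLSID_KEY + "\\InprocServer32", {}).get("@")
    return path if isinstance(path, str) and path else None


def uac_disabled(reg: Dict[str, Dict[str, object]]) -> bool:
    """True when EnableLUA is explicitly set to 0, as the trojan does."""
    return reg.get(UAC_POLICY_KEY, {}).get("EnableLUA") == 0


def triage(text: str) -> List[str]:
    """Run both checks over .reg text and return human-readable findings."""
    reg = parse_reg_export(text)
    findings: List[str] = []
    dll = find_com_hijack(reg)
    if dll is not None:
        findings.append(f"Spycos CLSID {SPYCOS_CLSID} registered; InprocServer32 -> {dll}")
    if uac_disabled(reg):
        findings.append("EnableLUA=0: UAC elevation prompts disabled")
    return findings


def triage_file(path: str) -> List[str]:
    """reg export writes UTF-16 LE with a BOM; read it accordingly."""
    return triage(Path(path).read_text(encoding="utf-16"))


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT):
        print(finding)
```

On a live host, export the two keys with `reg export "HKLM\SOFTWARE\Classes\CLSID\{FBEE269C-3039-4E9C-BB33-651B1FB50EF9}" clsid.reg` and `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" uac.reg`, then pass each file to `triage_file`. The service deletions are not visible in these exports; confirm those separately with `sc query AVGIDSAgent` and the other service names listed above.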
Analysis by Jim Wang. Last update 24 May 2012.