Trojan:Win32/Misector.A
First posted on 22 November 2011.
Source: SecurityHome
Aliases:
Trojan:Win32/Misector.A is also known as W32/Patched.S.gen!Eldorado (Command).
Explanation:
Trojan:Win32/Misector.A is a data stealing trojan that attempts to capture and save strings in memory as a ZIP archive file. The trojan sends the archive file to a remote server for collection by an attacker. Stolen data could include financial transaction details such as credit card numbers.
Installation
Trojan:Win32/Misector.A is installed by another process, or by an attacker with either physical or remote access to the affected computer. When installed, the trojan may be present as the following file:
- %ProgramFiles%\Retail\POS\msvbvm60.dll - Trojan:Win32/Misector.A
In observed installations of the trojan in the wild, the genuine Visual Basic 6 (VB6) runtime library file was renamed from "msvbvm60.dll" to "msvbvm71.dll", and the trojan took its place under the name "msvbvm60.dll". Trojan:Win32/Misector.A executes when the point-of-sale application, located in the same folder as the malware, is launched. The trojan runs its payload code and then passes control to the renamed VB6 runtime component "msvbvm71.dll".
Payload
Steals data
Trojan:Win32/Misector.A enumerates processes to locate a process named "frontend.exe". Once located, the malware opens and hooks the process and attempts to read all readable memory in the process. The trojan searches for strings matching the following characteristics:
- <16 digits>=
- B<16 digits>
- b<16 digits>
The format of the data suggests the malware is monitoring for 16-digit credit card numbers. Captured data is saved in a ZIP archive file whose name has the following format:
- <retailer name><char><char><month>.<day>.zip (example: tigerfoodlv11.16.zip)
The file is sent to a specified email address for collection by an attacker, using a website "api.sendspace.com". In the wild, the trojan was observed to use the email address "valeristar" @e1.ru.
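As an added defender-side example, not part of the original analysis, the following Python flags the two observable artifacts described above: an upload to api.sendspace.com of a ZIP archive named in the <retailer name><char><char><month>.<day>.zip pattern, checked against constructed proxy log lines, and a folder holding both msvbvm60.dll and the renamed msvbvm71.dll. The log line format, the function names and the folder check are assumptions.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Archive naming pattern from the analysis: <retailer><char><char><month>.<day>.zip
ARCHIVE_RE = re.compile(r"^(?P<retailer>[A-Za-z0-9]+?)(?P<tag>[A-Za-z]{2})"
                        r"(?P<month>\d{1,2})\.(?P<day>\d{1,2})\.zip$")
EXFIL_HOST = "api.sendspace.com"  # upload service named in the analysis

def parse_archive_name(name):
    """Return the archive's fields if `name` fits the Misector pattern and
    carries a real month/day, else None (rejects e.g. month 13 or day 40)."""
    m = ARCHIVE_RE.match(name)
    if not m:
        return None
    month, day = int(m["month"]), int(m["day"])
    try:
        date(2012, month, day)  # leap year, so every valid month/day pair passes
    except ValueError:
        return None
    return {"retailer": m["retailer"], "tag": m["tag"], "month": month, "day": day}

# Constructed proxy log lines (sample input, not from the original analysis).
# Assumed fields: date time client-ip method url uploaded-filename status
SAMPLE_LOG = """\
2011-11-16 02:14:07 10.0.5.21 POST http://api.sendspace.com/upload tigerfoodlv11.16.zip 200
2011-11-16 02:15:30 10.0.5.22 GET http://update.example.com/patch.zip patch.zip 200
2011-11-16 02:16:01 10.0.5.23 POST http://api.sendspace.com/upload report.zip 200
2011-11-16 02:17:45 10.0.5.24 POST http://api.sendspace.com/upload shopxy13.40.zip 200
"""

def find_exfil_events(log_text):
    """Flag uploads to the exfiltration host whose filename matches the pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        logdate, clock, src, _method, url, filename = fields[:6]
        info = parse_archive_name(filename)
        if urlparse(url).hostname == EXFIL_HOST and info is not None:
            hits.append({"time": f"{logdate} {clock}", "src": src, "file": filename, **info})
    return hits

def suspicious_vb_runtime(dir_listing):
    """Hypothetical host check: True if a folder holds both msvbvm60.dll (the
    trojan's name) and msvbvm71.dll (the renamed genuine VB6 runtime)."""
    names = {n.lower() for n in dir_listing}
    return "msvbvm60.dll" in names and "msvbvm71.dll" in names
```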
Additional information
An account is required to use the website "api.sendspace.com", which also includes use of an API key that is connected to a registered user.
Analysis by Wei Li
Last update 22 November 2011