
Win32/Spycos


First posted on 08 March 2013.
Source: Microsoft

Aliases :

There are no other names known for Win32/Spycos.

Explanation :



The Win32/Spycos trojans are written in the Delphi programming language, and most target customers of Brazilian banks. Some versions of Spycos only perform their malicious routine if the computer's locale is set to Portuguese.



Installation

Win32/Spycos may arrive on your computer if you unintentionally download it after being tricked by social engineering techniques, such as those used in spam emails.

Example spam messages may look like the following (the original Portuguese is kept, with an English rendering in parentheses):

Subject: Sem Assunto (No Subject)
Segue todos os arquivos solicitados (All the requested files follow)

Subject: Fofocassssss... xiiii olhe sem falta urgente!!! (Gossssssip... whoa, be sure to look, urgent!!!)

Subject: Atividade No Seu Messenger (Activity On Your Messenger)

Subject: Enc: Striptease da namorada... (Fwd: Girlfriend's striptease...)



Variants of Win32/Spycos make changes to the registry, such as the following, so that the trojan runs each time you start your computer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "RunAs"
With data: "<module name>"

When the trojan runs, it may launch another component (detected as TrojanDownloader:Win32/Spycos) that may collect information about your computer, and connect to a remote server to download additional Win32/Spycos components.

Spycos also contains functionality that allows it to update itself and its components.

Technical analysis

Steals information

We have observed variants of Spycos collecting and sending the following information about your computer to a remote server via email, or by uploading it to the attacker's FTP site:

  • The version of Windows installed on your computer from Windows 3.11 to Windows 7
  • The presence of an antivirus solution on your computer, for example, it looks for products by Avast, AVG, Kaspersky, and Symantec
  • The presence of security plug-ins installed on your computer, such as the G-Buster Browser Defense (GBPlugin) plug-in, and Scopus Browser Plug in (Scpad) plug-in
  • Your computer's MAC (media access control) address, the unique hardware identifier of your network adapter
  • Your computer's name
  • The user name of the currently logged-in user


Contacts remote host

The downloader component, TrojanDownloader:Win32/Spycos, may attempt to connect to a remote host to download additional components and to alert the remote attacker of a newly infected computer. These components are typically bundled together inside a file known as a CAB archive, and usually include the following:

  • Trojan:Win32/Spycos - the component in charge of monitoring browsed addresses
  • Backdoor:Win32/Spycos - the main component, a Browser Helper Object (BHO), which is in charge of stealing data, sending it back to the attacker and following the actions outlined in the configuration file (detected as Trojan:Win/Spycos!cfg)
  • Trojan:Win/Spycos!cfg - the configuration file used by the Backdoor:Win32/Spycos component


On connection to the remote host, TrojanDownloader:Win32/Spycos may also delete older Spycos components and install new ones. It then removes itself by dropping and running a batch file with a random file name; the batch file deletes the downloader and then deletes itself.

Monitors browser activity

Spycos monitors the websites visited in Chrome and Firefox. If you are observed visiting any of the following online banking sites with either of those browsers, the trojan closes that browser and opens an Internet Explorer window with the BHO loaded:

  • bancobrasil.com.br
  • https://aapj.bb.com.br/aapj/loginpfe.bb
  • https://internetbanking.caixa.gov.br/SIIBC/index.processa
  • https://login.live.com/login
  • santanderempresarial.com.br
  • santander.com.br


The new Internet Explorer window that Spycos opens still goes to the online banking site you originally visited in Chrome or Firefox; however, the BHO allows the trojan to spy on your online banking activities.
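The browser swap described above leaves a distinctive trace in process telemetry: a Chrome or Firefox process ends and, moments later, Internet Explorer starts with one of the targeted banking addresses on its command line. The following is an added example of detection logic for that sequence; it is not part of Microsoft's write-up. The event records are constructed to resemble Sysmon ProcessCreate (event ID 1) and ProcessTerminate (event ID 5) data; the 5-second window, the field names and the parent process name msconf.exe are assumptions made for this example.

```python
"""Correlate process events for the Spycos browser hijack: a Chrome or Firefox
process ends and, within a few seconds, iexplore.exe starts with a targeted
online banking address on its command line.

Added example, not Microsoft's tooling. Event layout, window and the file name
msconf.exe are assumptions; the events below are constructed.
"""
from datetime import datetime
from urllib.parse import urlparse

# Addresses listed in the write-up; full URLs are reduced to their host names.
TARGET_ENTRIES = [
    "bancobrasil.com.br",
    "https://aapj.bb.com.br/aapj/loginpfe.bb",
    "https://internetbanking.caixa.gov.br/SIIBC/index.processa",
    "https://login.live.com/login",
    "santanderempresarial.com.br",
    "santander.com.br",
]
TARGET_HOSTS = {
    (urlparse(e).hostname if "://" in e else e).lower() for e in TARGET_ENTRIES
}
KILLED_BROWSERS = {"chrome.exe", "firefox.exe"}


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def targeted_host(cmdline):
    """Return the target host named on a command line, or None.

    Matches the exact host or any subdomain of it, so www.santander.com.br
    counts for santander.com.br while notsantander.com.br does not.
    """
    for token in cmdline.split():
        token = token.strip('"')
        host = urlparse(token).hostname if "://" in token else token.lower()
        if not host:
            continue
        for target in TARGET_HOSTS:
            if host == target or host.endswith("." + target):
                return target
    return None


def find_browser_hijacks(events, window_s=5):
    """Return one alert per IE start that names a target host and follows a
    Chrome or Firefox termination by at most window_s seconds.
    Events must be in time order; timestamps are ISO 8601 strings.
    """
    last_kill = {}  # browser image name -> time of its most recent termination
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        image = basename(ev["image"])
        if ev["event"] == "ProcessTerminate" and image in KILLED_BROWSERS:
            last_kill[image] = ts
        elif ev["event"] == "ProcessCreate" and image == "iexplore.exe":
            target = targeted_host(ev.get("cmdline", ""))
            if target is None:
                continue
            for browser, kill_ts in last_kill.items():
                dt = (ts - kill_ts).total_seconds()
                if 0 <= dt <= window_s:
                    alerts.append({
                        "time": ev["ts"],
                        "killed": browser,
                        "target": target,
                        "parent": basename(ev.get("parent", "")),
                        "seconds_after_kill": dt,
                    })
    return alerts


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_EVENTS = [  # constructed for this example, in time order
    {"ts": "2013-03-05T14:02:11", "event": "ProcessTerminate",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2013-03-05T14:02:12", "event": "ProcessCreate", "image": IE,
     "cmdline": f'"{IE}" https://aapj.bb.com.br/aapj/loginpfe.bb',
     "parent": r"C:\Users\ana\AppData\Roaming\Microsoft\msconf.exe"},
    # A user opening a bank site in IE by hand: no browser was killed just before.
    {"ts": "2013-03-05T15:10:00", "event": "ProcessCreate", "image": IE,
     "cmdline": f'"{IE}" https://www.bancobrasil.com.br/',
     "parent": r"C:\Windows\explorer.exe"},
    # Firefox closed, then IE opened on a site that is not a target: also benign.
    {"ts": "2013-03-05T16:00:00", "event": "ProcessTerminate",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"ts": "2013-03-05T16:00:01", "event": "ProcessCreate", "image": IE,
     "cmdline": f'"{IE}" https://www.example.com/',
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in find_browser_hijacks(SAMPLE_EVENTS):
        print(alert)
```

The alert carries the parent of the new iexplore.exe process, which an analyst will want to see: a user-launched browser normally descends from explorer.exe, whereas one spawned by the trojan descends from whatever the "RunAs" Run value points at. The suffix match in targeted_host is deliberately anchored on a leading dot; a bare substring check would fire on unrelated look-alike domains.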

Some Spycos variants have been observed monitoring online banking activity from the following banks, trying to capture online banking credentials and account information; if found, this information is sent to a remote attacker:

  • Banco do Brasil
  • Bradesco
  • Caixa
  • Citibank
  • Santander


Some variants also monitor browser activity when you visit any of the following websites, trying to capture usernames and passwords that you enter; if found, this information is also sent to a remote attacker:

  • Facebook
  • Microsoft Outlook Account
  • Twitter


We have observed variants of Win32/Spycos attempting to send the stolen information to the following SMTP servers (this list is not exhaustive):

  • agdafestas<dot>com<dot>br
  • arq-2019<dot>com
  • contasys<dot>kinghost<dot>net
  • ferragenscolar<dot>kinghost<dot>net
  • fgveriywell<dot>com
  • flazhvitor2011<dot>net
  • fojuaraujo-ecomerce<dot>kinghost<dot>net
  • harddrivinradio<dot>com<dot>br
  • inteligweb<dot>com<dot>br
  • isbt<dot>com<dot>br
  • itelefonica<dot>com<dot>br
  • kinghost<dot>net
  • lakecalifornia<dot>com<dot>br
  • lfhost<dot>com<dot>br
  • mail<dot>yahoo<dot>com<dot>br
  • mina-sul<dot>net
  • newimperadorx01<dot>com
  • newimperadorx02<dot>com
  • pedidos-go<dot>com<dot>br
  • pilarsiberiefrios<dot>com
  • sac-atendimentoclientesac-atendimentoclientes<dot>com
  • serrariadiscover<dot>net
  • serrariasema<dot>net
  • servicecargas<dot>com
  • terra<dot>com<dot>br
  • then2010<dot>comvbr
  • tricapet<dot>com
  • viamart2011<dot>net
  • x6-eventos<dot>kinghost<dot>net


Alternatively, it may attempt to send the stolen information via FTP to servers such as the following (this list is not exhaustive):

  • andyirons<dot>com<dot>br
  • contasys<dot>kinghost<dot>net
  • fgveriywell<dot>com
  • solcostrutora<dot>com

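The SMTP and FTP servers listed above are the most directly usable indicators in this write-up, and DNS query logs are the natural place to look for them, since a lookup shows up whether the trojan then speaks SMTP or FTP. The following is an added example, not part of Microsoft's analysis: it refangs a subset of the servers printed above from their "<dot>" form and runs the list over constructed log lines in a BIND-style query-log layout. Treating kinghost.net, terra.com.br, mail.yahoo.com.br and itelefonica.com.br as shared hosting or mail providers, so that a bare hit on them is reported as low confidence, is this example's own assumption, not something the write-up states.

```python
"""Scan DNS query logs for lookups of the SMTP and FTP servers associated with
Win32/Spycos exfiltration.

Added example, not Microsoft's tooling. The indicator subset is taken from the
write-up; the shared-provider tiering and the log lines are constructed here.
"""
import re

DEFANGED_IOCS = [
    "agdafestas<dot>com<dot>br",
    "andyirons<dot>com<dot>br",
    "contasys<dot>kinghost<dot>net",
    "fgveriywell<dot>com",          # appears in both the SMTP and the FTP list
    "itelefonica<dot>com<dot>br",
    "kinghost<dot>net",
    "mail<dot>yahoo<dot>com<dot>br",
    "newimperadorx01<dot>com",
    "newimperadorx02<dot>com",
    "solcostrutora<dot>com",
    "terra<dot>com<dot>br",
]
# Assumption for this example: large shared hosting / mail providers, where a
# hit on the bare domain says little on its own.
SHARED_PROVIDERS = {"kinghost.net", "terra.com.br", "mail.yahoo.com.br",
                    "itelefonica.com.br"}


def refang(indicator):
    """Turn "a<dot>b" back into a comparable host name: lower case, no trailing
    dot. Real dots mixed in with <dot> are left alone."""
    return re.sub(r"\s*<dot>\s*", ".", indicator.strip()).lower().rstrip(".")


# Longest first, so contasys.kinghost.net is tried before kinghost.net.
IOCS = sorted({refang(i) for i in DEFANGED_IOCS}, key=len, reverse=True)


def match_ioc(hostname):
    """Return (indicator, confidence) for the most specific indicator that the
    host equals or sits under, or None. The leading dot in the suffix check
    keeps notagdafestas.com.br from matching agdafestas.com.br."""
    host = hostname.lower().rstrip(".")
    for ioc in IOCS:
        if host == ioc or host.endswith("." + ioc):
            return ioc, ("low" if ioc in SHARED_PROVIDERS else "high")
    return None


# BIND-style: "05-Mar-2013 14:02:11.101 client 10.0.0.12#49211: query: host IN A +"
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def scan_dns_log(lines):
    """Return one hit per query whose name matches an indicator."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        found = match_ioc(m["qname"])
        if found:
            ioc, confidence = found
            hits.append({"client": m["ip"], "qname": m["qname"].rstrip("."),
                         "qtype": m["qtype"], "ioc": ioc,
                         "confidence": confidence})
    return hits


SAMPLE_LOG = """\
05-Mar-2013 14:02:11.101 client 10.0.0.12#49211: query: smtp.agdafestas.com.br IN A +
05-Mar-2013 14:02:11.402 client 10.0.0.12#49212: query: contasys.kinghost.net IN A +
05-Mar-2013 14:03:40.007 client 10.0.0.40#53001: query: www.kinghost.net IN A +
05-Mar-2013 14:03:41.250 client 10.0.0.12#49213: query: www.google.com IN A +
05-Mar-2013 14:05:02.913 client 10.0.0.12#49214: query: fgveriywell.com IN MX +
05-Mar-2013 14:06:15.118 client 10.0.0.7#50211: query: notagdafestas.com.br IN A +
""".splitlines()  # constructed sample, not a real capture

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```

Pair the DNS hits with firewall records of outbound TCP 25, 587 and 21 from workstations: user machines rarely have a reason to talk SMTP or FTP to arbitrary hosts, so a workstation that resolves one of these names and then opens such a connection is a far stronger signal than either record alone.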

Modifies security settings

Spycos disables the LUA (Least Privileged User Account) mechanism, better known as User Account Control; the registry value it changes backs the "User Account Control: Run all administrators in Admin Approval Mode" policy:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

Note: With EnableLUA set to 0, User Account Control is turned off: once the computer restarts, applications started by an administrator run with full administrative privileges by default, without prompting you for explicit consent, and Internet Explorer's Protected Mode, which depends on UAC, is lost as well.

The backdoor component of Win32/Spycos (Backdoor:Win32/Spycos) stops the following security-related processes and services in order to weaken the computer's defenses against malware:

Processes:

  • avgam.exe
  • avgchsvx.exe
  • avgfws9.exe
  • AVGIDSAgent.exe
  • AVGIDSMonitor.exe
  • avgnsx.exe
  • avgrsx.exe
  • avgsrvx.exe
  • avgwdsvc.exe


Services:

  • aswUpdSv
  • avast! Mail Scanner
  • avast! Web Scanner
  • AVGWD


Spycos also removes the following security-related Browser Helper Objects (BHOs), if they are found on your computer:

  • AVG Safe Search add-on for Internet Explorer - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
  • AVG Security Toolbar BHO - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}
  • AVG Security Toolbar - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}

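The registry changes described in the Installation section (the "RunAs" value under the HKCU Run key) and in this section (EnableLUA set to 0, the three AVG BHO CLSIDs removed) can all be checked from an offline registry export, which is how an analyst usually looks at a suspect host without running tools on it. The following is an added example of such a check; it is not Microsoft's detection logic. It assumes the analyst exported the three keys with reg.exe and decoded the file to text. The export below is constructed: the user name, the path and the file name msconf.exe are invented for the example.

```python
"""Check a .reg export for the Win32/Spycos host artifacts: an HKCU Run value
named "RunAs", EnableLUA set to 0, and which of the three AVG Browser Helper
Object CLSIDs are still registered.

Added example, not Microsoft's tooling. The sample export is constructed and
msconf.exe is an invented name.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
              r"\Policies\System")
BHO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
AVG_BHO_CLSIDS = {
    "{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}",  # AVG Safe Search add-on
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}",  # AVG Security Toolbar BHO
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}",  # AVG Security Toolbar
}


def parse_reg_export(text):
    r"""Parse .reg text into {key_path: {value_name: data}}.

    Quoted strings get their \\ and \" escapes undone, dword:XXXXXXXX becomes
    an int and "@" is the key's default value; other encodings (hex:, hex(7):)
    are kept as the raw text after '='. A value name containing '=' would need
    a real tokenizer; partition() on the first '=' is enough for these keys.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def _section(keys, path):
    """Registry paths are not case sensitive, so compare them lower-cased."""
    path = path.lower()
    return next((v for k, v in keys.items() if k.lower() == path), {})


def _value(section, name):
    """Value names are not case sensitive either."""
    name = name.lower()
    return next((v for k, v in section.items() if k.lower() == name), None)


def check_spycos_artifacts(text):
    """Evaluate the three artifacts and return a report dict."""
    keys = parse_reg_export(text)
    prefix = BHO_KEY.lower() + "\\"
    registered = {k.rsplit("\\", 1)[-1].upper()
                  for k in keys if k.lower().startswith(prefix)}
    return {
        # Spycos uses the value name "RunAs"; the module it points at varies.
        "run_as": _value(_section(keys, RUN_KEY), "RunAs"),
        # 0 means UAC is off once the machine restarts.
        "uac_disabled": _value(_section(keys, POLICY_KEY), "EnableLUA") == 0,
        "avg_bhos_present": sorted(registered & AVG_BHO_CLSIDS),
        # Only meaningful if AVG was installed; Spycos deletes these if found.
        "avg_bhos_missing": sorted(AVG_BHO_CLSIDS - registered),
    }


SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\ana\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"RunAs"="C:\\Users\\ana\\AppData\\Roaming\\Microsoft\\msconf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
@="AVG Safe Search"
'''  # constructed sample export

if __name__ == "__main__":
    for field, value in check_spycos_artifacts(SAMPLE_EXPORT).items():
        print(f"{field}: {value}")
```

On the suspect host, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the same for the Policies\System and Browser Helper Objects keys) produces the input; reg.exe writes UTF-16LE with a byte-order mark, so read the files with `open(path, encoding="utf-16")` before passing the text in, and the parser skips the repeated headers if you concatenate them. Because EnableLUA only takes effect after a restart, a host that still shows consent prompts can already have the value flipped: test the value, not the prompt.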

Sends spam emails

Spycos has been observed sending spam emails employing social engineering techniques, in an effort to infect others.

Examples of the email we've observed the trojan sending can be seen in the Installation section above.



Analysis by Marian Radu

Last update 08 March 2013
