Trojan:Win32/Vcaredrix.A
First posted on 07 September 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Vcaredrix.A is also known as Win32/Vcaredrix.A trojan (ESET), TROJ_SPNR.29HF12 (Trend Micro).
Explanation:
Trojan:Win32/Vcaredrix.A is a trojan that connects to remote servers without your consent. It may display pop-up ads.
Installation
Trojan:Win32/Vcaredrix.A may have the following file name:
%AppData%\xsecva\xsecva.exe
It creates the following registry key so that it automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "XSECVA"
With data: "%AppData%\xsecva\xsecva.exe -s"
Payload
Displays pop-up ads
Trojan:Win32/Vcaredrix.A sends requests to a server at "xsecva.net" to find out your computer's IP address and country. It also receives a list of keywords and URLs from that server. The trojan then monitors which websites you visit and which keywords you search for, and checks them against the list it has received. If any of them match, it displays ads in your browser that relate to your current Internet activity.
It displays ads from the following servers:
- cpv.popxml.com
- cpvfeed.mediatraffic.com
- query.directrdr.com
Aside from monitoring what websites you visit, it also specifically checks for these websites:
- amazon.com/gp/cart
- cart.godaddy.com
- godaddy.com/basket
- livejasmin.com/buycredit
- uploaded.to/register
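For a defender triaging a host or a proxy log against this write-up, the following is an added example (not Microsoft's code) that checks exported Run-key values for the XSECVA persistence entry and classifies proxy log lines that reach the "xsecva.net" server or the listed ad servers. The log format and the sample entries are constructed for the example.

```python
"""Hunt for Trojan:Win32/Vcaredrix.A indicators in Run-key values and a proxy log."""
import re

# Indicators taken from the write-up above.
RUN_VALUE_NAME = "XSECVA"
DROPPED_FILE = r"\xsecva\xsecva.exe"
C2_HOST = "xsecva.net"
AD_SERVERS = {"cpv.popxml.com", "cpvfeed.mediatraffic.com", "query.directrdr.com"}


def check_run_value(name, data):
    """Return a finding string if a Run-key value matches the persistence entry, else None."""
    if name.upper() == RUN_VALUE_NAME or DROPPED_FILE.lower() in data.lower():
        return f"Run value {name!r} -> {data!r} matches Vcaredrix persistence"
    return None


def scan_run_values(values):
    """Return the names of all Run-key values (name -> data mapping) that match."""
    return [name for name, data in values.items() if check_run_value(name, data)]


# Constructed log layout: "<timestamp> <client-ip> <host> <path>" (assumed, not a real product format).
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S*)$")


def scan_proxy_log(lines):
    """Return (client, host, kind) for lines hitting the C2 host ('c2') or an ad server ('adserver')."""
    findings = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        host = m["host"].lower()
        if host == C2_HOST or host.endswith("." + C2_HOST):
            findings.append((m["src"], host, "c2"))
        elif host in AD_SERVERS:
            findings.append((m["src"], host, "adserver"))
    return findings


# Constructed sample data for a stand-alone run; not taken from the write-up.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"%ProgramFiles%\Windows Defender\MSASCuiL.exe",
    "XSECVA": r"%AppData%\xsecva\xsecva.exe -s",
}
SAMPLE_PROXY_LOG = [
    "2012-09-07T10:00:01Z 10.0.0.5 www.example.org /",
    "2012-09-07T10:00:02Z 10.0.0.5 xsecva.net /",
    "2012-09-07T10:00:03Z 10.0.0.5 cpvfeed.mediatraffic.com /",
]

if __name__ == "__main__":
    print("suspicious Run values:", scan_run_values(SAMPLE_RUN_VALUES))
    print("proxy findings:", scan_proxy_log(SAMPLE_PROXY_LOG))
```

On a live Windows host the same checks apply to the values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and to outbound web requests, and a match should lead to removal of the file and the Run value rather than only the ads.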
Analysis by Stefan Sellmer
Last update 07 September 2012