
Virus:Win32/Infostlr.A


First posted on 29 September 2012.
Source: Microsoft

Aliases:

Virus:Win32/Infostlr.A is also known as Win32.HLLP.DialPass (Dr.Web), W32/Arcer-B (Sophos), W32.HLLP.Arcer (Symantec), PE_ARCER.C (Trend Micro).

Explanation:



Virus:Win32/Infostlr.A is a virus that infects Microsoft Windows portable executable (PE) files. When an infected PE file runs, the virus code runs first and then executes the original host program, so the program appears to work normally.



Installation

When an infected file runs, Virus:Win32/Infostlr.A drops a copy of the original host program (the clean file it infected) in the %Temp% folder and runs it, so that the program appears to start normally and the user sees nothing unusual.

It also installs a copy of itself under either of the following file names:

  • <system folder>\lclass.exe
  • <system folder>\svchots.exe


Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".

It changes the command that Windows uses to open executable (.exe) files, so that its installed copy runs first every time an .exe file is launched:

In subkey: HKLM\SOFTWARE\Classes\exefile\shell\open\command
Sets value: (default)
With data: "lclass.exe wnepnp "%1" %*"

or

In subkey: HKLM\SOFTWARE\Classes\exefile\shell\open\command
Sets value: (default)
With data: "svchots.exe wnepnp "%1" %*"

The clean Windows setting for this value is "%1" %* (run the selected file with its arguments); the virus places its own copy and the argument "wnepnp" in front of it, so the original program is launched only after the virus has run.
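The following is an added example (not code from the original page or from the analysis it reproduces) that checks whether the .exe file-association command has been hijacked in the way described above. It parses the command string for the launcher placed in front of "%1" and, when run on Windows, also reads the live value from the registry; the sample strings are constructed from the values listed on this page.

```python
"""Detect a hijacked .exe file-association command (added example).

The clean Windows value of
HKLM\SOFTWARE\Classes\exefile\shell\open\command is  "%1" %*  :
the selected program runs directly with its arguments. A file infector
that wants to run first inserts its own copy in front, for example
  lclass.exe wnepnp "%1" %*
This script parses the command and reports any such launcher.
"""
import re
import sys

CLEAN_COMMAND = '"%1" %*'

# A launcher (quoted or bare), optional extra arguments, then the clean tail.
_HIJACK_RE = re.compile(r'^(?P<launcher>"[^"]+"|\S+)\s*(?P<args>.*?)\s*"%1"\s*%\*$')


def parse_exe_open_command(command):
    """Return (launcher, extra_args) for a hijacked command, or None if clean.

    A command that no longer ends in "%1" %* at all is returned whole as the
    launcher, since the association then runs something other than the user's
    chosen program.
    """
    cmd = command.strip()
    if cmd == CLEAN_COMMAND:
        return None
    m = _HIJACK_RE.match(cmd)
    if not m:
        return (cmd, '')
    return (m.group('launcher').strip('"'), m.group('args'))


def is_hijacked(command):
    return parse_exe_open_command(command) is not None


def read_live_command():
    """Read the current association command from the registry (Windows only)."""
    if sys.platform != 'win32':
        return None
    import winreg  # only available on Windows
    key_path = r'SOFTWARE\Classes\exefile\shell\open\command'
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, '')  # '' is the (default) value
    return value


# Constructed samples: the Windows default and the two values from this page.
SAMPLES = {
    'clean': '"%1" %*',
    'lclass': 'lclass.exe wnepnp "%1" %*',
    'svchots': 'svchots.exe wnepnp "%1" %*',
}

if __name__ == '__main__':
    checks = list(SAMPLES.items())
    live = read_live_command()
    if live is not None:
        checks.append(('live registry value', live))
    for name, cmd in checks:
        result = parse_exe_open_command(cmd)
        print(f'{name}: {"HIJACKED by " + result[0] if result else "clean"}')
```

On an infected Windows machine the live check reports the dropped copy as the launcher; a quoted full path such as "C:\Windows\System32\lclass.exe" is handled the same way as the bare name.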

Spreads via...

File infection

Virus:Win32/Infostlr.A infects executable files on all drives, as well as files referenced by shortcut (LNK) files. It is a prepending infector: it writes its own code at the start of the file and appends the unmodified original host after it. The infected file keeps the exact icon of the original so that it appears unchanged; however, its size grows by about 211 KB.

Files are infected as they are launched through Windows Explorer; because the .exe file association now points to the virus, every program started from the shell passes through the virus first.
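Because a prepender leaves the host's own PE header intact behind the virus body, the host can usually be recovered by scanning for an embedded "MZ" header whose e_lfanew field points at a valid "PE\0\0" signature. The following added example (not code from the original page or the analysis) implements that scan on a constructed sample: a stand-in "virus" blob of 211 KB prepended to a stand-in "host", neither of which is real malware.

```python
"""Carve the original host out of a prepending file infector (added example).

A prepender writes its code first and the unmodified host after it, so the
host's DOS/PE header survives at some offset past the first header. We scan
for the first plausible embedded PE header and split the file there.
"""
import struct

PE_SIGNATURE = b'PE\0\0'


def is_pe_header_at(data, off):
    """True if data[off:] looks like a DOS header whose e_lfanew hits PE\\0\\0."""
    if data[off:off + 2] != b'MZ' or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from('<I', data, off + 0x3C)[0]
    # In real files e_lfanew is a small forward offset; cap it to avoid
    # treating random "MZ" bytes with a huge pointer as a header.
    if not 0x40 <= e_lfanew <= 0x1000:
        return False
    pe = off + e_lfanew
    return data[pe:pe + 4] == PE_SIGNATURE


def find_embedded_pe(data, start=1):
    """Offset of the first embedded PE header at or after `start`, or None."""
    off = data.find(b'MZ', start)
    while off != -1:
        if is_pe_header_at(data, off):
            return off
        off = data.find(b'MZ', off + 1)
    return None


def carve_host(infected):
    """Split an infected image into (virus_prefix, original_host), or None."""
    if not is_pe_header_at(infected, 0):
        raise ValueError('input is not a PE file')
    off = find_embedded_pe(infected)
    if off is None:
        return None
    return infected[:off], infected[off:]


def make_fake_pe(payload, e_lfanew=0x80):
    """Build a minimal constructed PE-shaped blob: MZ, e_lfanew, PE\\0\\0, payload.

    This is a test stand-in only; it is not a loadable executable.
    """
    header = bytearray(b'MZ' + b'\0' * (e_lfanew - 2))
    struct.pack_into('<I', header, 0x3C, e_lfanew)
    return bytes(header) + PE_SIGNATURE + payload


# Constructed sample: a 211 KB "virus" body followed by a small "host".
VIRUS_SIZE = 211 * 1024
FAKE_HOST = make_fake_pe(b'HOST-CODE' * 64)
FAKE_VIRUS = make_fake_pe(b'V' * (VIRUS_SIZE - 0x84))  # 0x84 = header + PE sig
INFECTED = FAKE_VIRUS + FAKE_HOST

if __name__ == '__main__':
    prefix, host = carve_host(INFECTED)
    print(f'virus prefix: {len(prefix)} bytes; host recovered intact: {host == FAKE_HOST}')
```

On real samples the carved tail should additionally be validated (section table sanity, SizeOfImage, a known-good hash if available) before it is trusted, since a virus body can itself contain an "MZ"/"PE\0\0" pair, for example a dropped second-stage executable.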



Payload

Steals sensitive information

Virus:Win32/Infostlr.A collects the following sensitive information:

  • Dial up passwords
  • Computer name
  • Windows user names
  • The version of Windows running on the computer


The information is sent to the email address "sdp_krutoy_hacker@e-mails.ru".

Disables System Restore

Virus:Win32/Infostlr.A may disable System Restore on computers running Windows XP and newer.



Analysis by Mihai Calota

Last update 29 September 2012

 
