
Infostealer.Initowa


First posted on 28 May 2014.
Source: Symantec

Aliases:

There are no other names known for Infostealer.Initowa.

Explanation:

Once executed, the Trojan drops the following files:
%ProgramFiles%\Nril\syetom.exe
%Temp%\1.exe
It creates the following clean file:
%Temp%\2.jpg

The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"syetom" = "%ProgramFiles%\Nril\syetom.exe"

Next, the Trojan connects to the following URL in order to download a configuration file:
[http://]r.qzone.qq.com/cgi-bin/user/cgi_pers[REMOVED][RANDOM FILE NAME]

The configuration file contains the following IP address:
61.202.37.132

Note: The IP address may be changed.

The Trojan then searches all drives on the compromised computer for folders with the name NPKI. If a folder with this name is found, the Trojan copies the content of the NPKI folder and sends it to the following remote location:
http://[IP ADDRESS]/upload.php

Next, the Trojan modifies the following file in order to redirect network traffic on the compromised computer:
%System%\drivers\hosts.ics

It adds the following domains to the above file:
bank.cu.co.kr
banking.dgb.co.kr
banking.nfcf.or.kr
banking.nonghyup.com
banking.shinhan.com
bonking.nonghuyp.com
bonking.shihan.com
busanbank.co.kr
citibank.com
cu.co.kr
daegubank.co.kr
daum.net
dgb.co.kr
ebank.keb.co.kr
epostbank.go.kr
hanabank.com
hanmail.net
ib.scfirstbank.com
ibk.co.kr
ibs.jbbank.co.kr
ibs.kfcc.co.kr
ibz.nonghyup.com
ids.kfc.co.kr
jbbank.co.kr
kbstar.com
kdb.co.kr
keb.co.kr
kfcc.co.kr
kibs.knbank.co.kr
kiup.ibk.co.kr
kjbank.com
knbank.co.kr
mybank.ibk.co.kr
mybonk.idk.co.kr
nate.com
naver.com
nfcf.or.kr
nonghyup.com
obank.kbstar.com
open.hanabank.com
open.ibk.co.kr
open.keb.co.kr
open.nonghyup.com
open.shinhan.com
pib.wooribank.com
scfirstbank.com
shinhan.com
suhyup-bank.com
u.wooribank.com
wooribank.com
www.bgd.co.kr
www.busanbank.co.kr
www.bushanbank.go.kr
www.chu.go.kr
www.citibank.com
www.citibonk.co.kr
www.cu.co.kr
www.daegubank.co.kr
www.daum.net
www.dgb.co.kr
www.epastbonk.co.kr
www.epostbank.co.kr
www.epostbank.go.kr
www.hanabank.com
www.hanabonk.com
www.hanmail.net
www.ibk.co.kr
www.jbbank.co.kr
www.kbd.co.kr
www.kbstar.com
www.kdb.co.kr
www.kdstor.com
www.keb.co.kr
www.ked.co.kr
www.kejbonk.com
www.kfcc.co.kr
www.kjbank.com
www.knbank.co.kr
www.knbbonk.co.kr
www.nate.com
www.naver.com
www.nfcf.or.kr
www.nonghyup.com
www.shinhan.com
www.standardchartered.co.kr
www.stndordchortereb.co.kr
www.suhuyp.co.kr
www.suhyup.co.kr
www.suhyup-bank.com
www.wooribank.com
www.woribonk.com
www.zum.com
zum.com
The Trojan redirects all traffic from the above domains to the IP address contained in the configuration file.

Last update 28 May 2014