Home / malware Trojan:Win32/Harvso.A
First posted on 22 May 2012.
Source: MicrosoftAliases :
Trojan:Win32/Harvso.A is also known as TR/Harvso.A (Avira), Trojan.PWS.Stealer.786 (Dr.Web), Win32/DataStealer.D trojan (ESET), Trojan.Win32.Harvso (Ikarus), TROJ_SPNR.11DT12 (Trend Micro).
Explanation :
Trojan:Win32/Harvso.A is a trojan that steals information. It looks for files used by the browsers Firefox and Opera that may contain user names and passwords. It also looks for document files and spreadsheets, which it packs into an archive file. It sends the browser files and the archive file to a remote server.
Installation
Trojan:Win32/Harvso.A adds the following registry entry as part of its installation process:
In subkey: HKCU\Software\hkhuiih
Sets value: "kghjgrdgf"
With data: "1"
Payload
Steals information
Trojan:Win32/Harvso.A looks for the files "signons.sqlite", "key3.db", and "wand.dat" in the following folders:
- %AppData%\Mozilla\Firefox\Profiles
- %AppData%\Thunderbird\Profiles
- %AppData%\Opera\Opera
These files are used by the browsers Firefox and Opera to store user names and passwords. If found, Trojan:Win32/Harvso.A steals the contents.
Trojan:Win32/Harvso.A also looks for documents files and spreadsheets that contain potentially sensitive information. It then bundles these, along with the browser files, into a randomly-named .ZIP file, and sends it to the server "everkosmo2012.ru" via port 8000.
Analysis by Tim Liu
Last update 22 May 2012