
TrojanSpy:Win32/Usteal


First posted on 23 May 2013.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Usteal is also known as Trojan/Win32.Ruftar (AhnLab), Trojan horse PSW.Generic10.BNFS (AVG), Trojan horse PSW.Generic10.BWOI (AVG), Trojan horse PSW.Generic10.CIUL (AVG), W32/Usteal.A.gen!Eldorado (Command), W32/Troj_Generic.HCCAE (Norman), W32/Troj_Generic.JLPCB (Norman), TR/Spy.Usteal.D.988 (Avira), TR/Spy.Usteal.D.1219 (Avira), Gen:Variant.Zusy.1108 (BitDefender), Trojan.Generic.8712735 (BitDefender), Gen:Variant.Kazy.44973 (BitDefender), Trojan.Generic.KDZ.11916 (BitDefender), Gen:Variant.Symmi.11246 (BitDefender), Trojan.PWS.UFR.3136 (Dr.Web), and others.

Explanation:



Installation

TrojanSpy:Win32/Usteal has been found bundled with other applications, including:

  • online gaming-related applications, for example World of Tanks, Dota2, and Steam applications
  • images
  • other malware, for example Trojan:Win32/LockScreen


Once the trojan itself has run, it launches the bundled application so that the user sees the expected program start.

It creates an encrypted log file containing the stolen data that it sends to an attacker:

  • %TEMP%\report_<date and time>-<random alphanumeric characters>.bin


It sends your stolen usernames and passwords to an attacker, then terminates and deletes both itself and the log file. It leaves the bundled application, image or other malware running.



Payload

Stops applications

TrojanSpy:Win32/Usteal stops the following processes in order to steal your credentials:

  • ICQ Messenger (icq.exe)
  • Mail.ru mail agent (magent.exe)
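The two observable traces described so far, the staging log dropped in %TEMP% and the termination of the ICQ and Mail.ru agent processes, are what a responder can hunt for on a host. The Python helper below is an added example for this page, not code from Microsoft or from the malware write-up: it matches file names against the %TEMP%\report_<date and time>-<random alphanumeric characters>.bin scheme (the page does not give the date format, so the regex only assumes a "report_" prefix, a dash before an alphanumeric suffix and a ".bin" extension) and flags a process that killed both icq.exe and magent.exe. The event schema (action, image, actor) and all sample paths and events are constructed for the demonstration; map your own EDR or Sysmon fields onto it.

```python
import os
import re
from pathlib import PureWindowsPath

# Staging-log naming scheme from the write-up:
#   %TEMP%\report_<date and time>-<random alphanumeric characters>.bin
# The date/time format is not on the page, so this pattern (an assumption)
# only requires "report_", a dash before an alphanumeric suffix and ".bin".
USTEAL_LOG_RE = re.compile(r"^report_.+-[A-Za-z0-9]+\.bin$", re.IGNORECASE)

# Processes the write-up says the trojan stops before harvesting credentials.
TARGETED_PROCESSES = {"icq.exe", "magent.exe"}

# Constructed sample telemetry (not a real Sysmon/EDR format): each record
# says which process (actor) performed which action on which image.
SAMPLE_EVENTS = [
    {"action": "terminate", "image": r"C:\Program Files\ICQ\icq.exe",
     "actor": r"C:\Users\alice\Downloads\dota2_launcher.exe"},
    {"action": "terminate", "image": r"C:\Program Files\Mail.Ru\Agent\magent.exe",
     "actor": r"C:\Users\alice\Downloads\dota2_launcher.exe"},
    {"action": "terminate", "image": r"C:\Windows\System32\notepad.exe",
     "actor": r"C:\Windows\explorer.exe"},
    {"action": "create", "image": r"C:\Program Files\ICQ\icq.exe",
     "actor": r"C:\Windows\explorer.exe"},
]

# Constructed %TEMP% directory listing.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\report_20130523-143212-k9Qz7b.bin",
    r"C:\Users\alice\AppData\Local\Temp\report.txt",
    r"C:\Users\alice\AppData\Local\Temp\~DF1234.tmp",
    r"C:\Users\alice\AppData\Local\Temp\report_2013-05-23_14-32-12-ab12CD.bin",
]


def is_usteal_log_name(path):
    """True if the file name part of `path` matches the staging-log scheme."""
    # PureWindowsPath accepts both "\" and "/" separators on any host OS.
    name = PureWindowsPath(path).name
    return USTEAL_LOG_RE.match(name) is not None


def find_suspect_logs(paths):
    """Return the subset of `paths` whose names match the staging-log scheme."""
    return [p for p in paths if is_usteal_log_name(p)]


def find_targeted_terminations(events):
    """Return termination events whose victim is one of the targeted messengers."""
    hits = []
    for ev in events:
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        if ev.get("action") == "terminate" and image in TARGETED_PROCESSES:
            hits.append(ev)
    return hits


def suspicious_actors(events):
    """Actors that killed *every* targeted messenger.

    A single kill of icq.exe can be a legitimate exit; one process stopping
    both messengers back to back is the behaviour the write-up describes.
    """
    killed_by = {}
    for ev in find_targeted_terminations(events):
        victim = PureWindowsPath(ev["image"]).name.lower()
        killed_by.setdefault(ev.get("actor", "<unknown>"), set()).add(victim)
    return sorted(a for a, victims in killed_by.items() if victims == TARGETED_PROCESSES)


def scan_temp_dir(temp_dir=None):
    """Scan the live %TEMP% (or a given directory) for matching file names.

    Returns [] if the directory cannot be listed, so the caller can run it
    unattended on many hosts.
    """
    temp_dir = temp_dir or os.environ.get("TEMP") or os.environ.get("TMPDIR") or "/tmp"
    try:
        return find_suspect_logs(os.path.join(temp_dir, n) for n in os.listdir(temp_dir))
    except OSError:
        return []


if __name__ == "__main__":
    for p in find_suspect_logs(SAMPLE_FILES):
        print("staging log candidate:", p)
    for actor in suspicious_actors(SAMPLE_EVENTS):
        print("process that stopped both messengers:", actor)
```

Because the trojan deletes the log once exfiltration is done, the file-name match is most useful against file-creation telemetry or a snapshot taken while the host is still compromised; the process-termination signal does not depend on the file surviving.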


The trojan checks for the presence of:

  • monitoring applications
  • virtual machines
  • debuggers
  • antimalware products


TrojanSpy:Win32/Usteal will terminate itself to avoid detection if it finds any of the following analysis or antimalware processes:

  • Anubis
  • AV products, for example avp.exe
  • FileMon
  • OllyDbg
  • Process Explorer
  • ProcMon
  • RegMon
  • Sandboxie
  • VirtualBox
  • VMWare
  • WireShark


The list of antimalware products that the trojan will look for can be customized by the attacker.

Steals usernames and passwords

TrojanSpy:Win32/Usteal collects stored usernames and passwords from the following web browsers:

  • Chrome
  • Firefox
  • Internet Explorer
  • Opera
  • Safari


The trojan collects FTP credentials (IP, port, usernames, and passwords) from the following FTP software:

  • CoreFTP
  • FAR/FAR2
  • FileZilla
  • FlashFXP
  • FTP Commander
  • SmartFTP
  • Total Commander
  • WinSCP
  • WS_FTP


It collects stored usernames and passwords from the following instant messaging programs and instant messaging managers:

  • Google Talk
  • ICQ
  • Live Messenger
  • Mail.Ru Agent
  • Miranda
  • MSN Messenger
  • Pidgin
  • Psi
  • QIP 2005
  • QIP Infium


TrojanSpy:Win32/Usteal collects stored usernames and passwords from the following email applications:

  • IncrediMail
  • SeaMonkey
  • The Bat!
  • Thunderbird


The trojan collects stored usernames and passwords from online games and remote desktop applications, including:

  • Full Tilt Poker
  • PokerStars
  • RDP
  • Windows RAS
  • World of Tanks


Steals system information

TrojanSpy:Win32/Usteal collects information about your computer system including:

  • Country
  • Installed programs
  • Machine Name
  • OS
  • System Language
  • Users


Sends stolen information to an attacker

TrojanSpy:Win32/Usteal can send the information it steals to an attacker via:

  • FTP Servers
  • SMTP (email)
  • Remote servers (PHP gate)


Downloads other malware

An attacker can configure TrojanSpy:Win32/Usteal to download and run other malware.

Last update 23 May 2013
