Infostealer.Teskilog
First posted on 03 April 2015.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Teskilog.
Explanation:
Once executed, the Trojan creates the following files:
%UserProfile%\shel32.exe
%Temp%\JavaUpdtr.exe
%UserProfile%\Application Data\Java\JavaUpdtr.exe
%UserProfile%\Application Data\ScreenShot\screen.jpeg
%UserProfile%\Application Data\CamCampture\webcam.jpeg
%UserProfile%\Templates\log.tesla
The Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"Load" = "%Temp%\JavaUpdtr.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\"DisableCMD" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explore\"NoRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"
The Trojan modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"EnableLUA" = "0"
Next, the Trojan deletes the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE
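The file, registry and subkey artefacts listed above can be checked on a suspect host with a short read-only triage script. The following is an added example written for this page, not code from Symantec or from the writeup; the paths and value names come from the lists above, while the mapping of "%UserProfile%\Application Data" to $env:APPDATA and the extra check of the standard "Explorer" spelling for the NoRun policy (the writeup spells that subkey "Explore") are my assumptions.

```powershell
# Added example (not part of the Symantec writeup): read-only triage for the
# Infostealer.Teskilog host artefacts. Run from an elevated PowerShell prompt on
# the suspect host; it reports findings and changes nothing.

$findings = @()

# 1. Persistence: the "Load" value the Trojan adds to point at the dropped JavaUpdtr.exe.
$loadKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $loadKey -Name Load -ErrorAction SilentlyContinue).Load
if ($load) { $findings += "Load value present: $load" }

# 2. Policy values the Trojan sets to lock the user out of admin tools,
#    disable UAC (EnableLUA = 0) and disable System Restore (DisableSR = 1).
#    The NoRun subkey is checked under both the "Explore" spelling used in the
#    writeup and the standard "Explorer" subkey (assumption).
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Bad = 1 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explore';  Name = 'NoRun';                Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Bad = 1 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore';  Name = 'DisableSR';            Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';            Bad = 0 }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and [int]$v -eq $c.Bad) {
        $findings += "Policy tampering: $($c.Path)\$($c.Name) = $v"
    }
}

# 3. Dropped files. "%UserProfile%\Application Data" is assumed to resolve to
#    $env:APPDATA (the Roaming profile folder) on modern Windows.
$files = @(
    "$env:USERPROFILE\shel32.exe",
    "$env:TEMP\JavaUpdtr.exe",
    "$env:APPDATA\Java\JavaUpdtr.exe",
    "$env:APPDATA\ScreenShot\screen.jpeg",
    "$env:APPDATA\CamCampture\webcam.jpeg",
    "$env:USERPROFILE\Templates\log.tesla"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 4. The App Paths subkey for msconfig.exe normally exists; its absence is a
#    weak but cheap signal given that the Trojan deletes it.
$appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE'
if (-not (Test-Path -LiteralPath $appPath)) {
    $findings += 'App Paths\MSCONFIG.EXE subkey missing'
}

# 5. Running processes named after the dropped executables.
$procs = Get-Process -Name JavaUpdtr, shel32 -ErrorAction SilentlyContinue
foreach ($p in $procs) { $findings += "Process running: $($p.ProcessName) (PID $($p.Id))" }

if ($findings.Count -eq 0) {
    'No Infostealer.Teskilog artefacts found on this host.'
} else {
    $findings
}
```

Because the HKCU values are read from the hive of the user running the script, run it in the context of the affected user (or load that user's NTUSER.DAT) when triaging a shared machine; the HKLM checks are the same for every user.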
The Trojan may end processes with the following strings in their names:
anubisa2servicashWebSvhvkavgemcbdagentavpkeyscramblermbameguinpfmsgollydbgoutpostwiresharkmcagentmcuimgrclamautocpfewidoFPAVServerSbieSvcantigenccapptmlistenpccntmonearthagentspysweeper
The Trojan then steals user credentials for the following applications, if installed:
FileZilla
Pidgin
FlashFXP
SmartFTP
Core FTP
FTP Commander
No-IP
Paltalk
DynDNS
Yahoo
Internet Download Manager
JDownloader
The Trojan also steals user credentials saved in the following web browsers:
Chrome
Internet Explorer
Firefox
Opera
The Trojan may also perform the following actions:
Take screenshots
Use the webcam to take pictures
Log keystrokes
Download and execute files
Gather system information such as user name, computer name, external IP address
The Trojan then sends the stolen information to a predetermined email address. The email address is variable and is specified by the attacker.
Last update 03 April 2015