TrojanDownloader:Win32/Spycos.A
First posted on 19 May 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Spycos.A is also known as Trojan-Downloader.Win32.Banload.btrj (Kaspersky), PWS-Banker!hcm (McAfee), Mal/Bancos-BM (Sophos), Trojan.ADH.2 (Symantec), TrojanDownloader:Win32/Damec.A (other).
Explanation:
TrojanDownloader:Win32/Spycos.A is a trojan that attempts to download other malware if the Windows operating system locale is set to Portuguese. The trojan also attempts to lower Windows security settings and to terminate and cripple installed security software.
Installation
When run, this trojan drops a copy of the malware as the following:
- %TEMP%\220320120334.cpl
It modifies the Windows configuration file "win.ini" so that the dropped copy runs when Windows starts, as in the following example (the path written into the file need not match the %TEMP% location exactly):
[File]
Run=C:\Temp\220320120334.cpl
Note: The "win.ini" configuration file is not processed for startup entries in Windows Vista and later versions of the Microsoft Windows operating system, so this persistence mechanism is only effective on earlier versions.
Payload
Lowers Windows security
The malware attempts to disable Windows User Account Control (UAC) by modifying registry data. Setting "EnableLUA" (a REG_DWORD value) to 0 turns UAC off entirely once the system is restarted, not just its notifications; because this value lives under HKLM, the change only succeeds when the trojan is already running with administrative rights.
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
Terminates security software
This trojan attempts to terminate certain security software. In one sample, the malware targeted AVG and Avast antivirus products. After terminating the relevant processes or services, the trojan attempts to delete their files so that the installed security application cannot be restarted or repaired.
Downloads arbitrary files
If the Windows operating system default language is set to Portuguese, TrojanDownloader:Win32/Spycos.A attempts to connect to certain remote servers over HTTP to download arbitrary files. In one sample, the malware downloaded a cabinet archive (.CAB) file and stored it in the Temporary files folder. The CAB file was then extracted and its contents used to replace certain already-installed Java components.
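The following host triage script checks a Windows machine for the indicators described in the Installation and Payload sections. It is an added example and is not Microsoft's code or part of the original write-up. It assumes an elevated PowerShell session on the suspect host; the all-digits filename pattern for the dropped .cpl, the AVG/Avast service-name match, and the check of the registry location that mirrors win.ini "run"/"load" entries on newer Windows are assumptions of this example, not indicators the page lists.

```powershell
# Triage for TrojanDownloader:Win32/Spycos.A indicators. Added example; assumptions are marked.
$findings = @()

# 1. UAC: EnableLUA = 0 under the HKLM System policy key means UAC is turned off
#    (effective after the next restart). This is the exact value the page describes.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue
if ($uac -and $uac.EnableLUA -eq 0) {
    $findings += "UAC disabled: $uacKey\EnableLUA = 0"
}

# 2. win.ini persistence: any Run= or load= line. The page's sample used a [File]
#    section, so the section name is not restricted here.
$winIni = Join-Path $env:SystemRoot 'win.ini'
if (Test-Path $winIni) {
    Get-Content $winIni |
        Where-Object { $_ -match '^\s*(run|load)\s*=\s*\S' } |
        ForEach-Object { $findings += "win.ini startup entry: $($_.Trim())" }
}
# Assumption: on Vista and later, win.ini [windows] run/load are mapped to these
# registry values, so check them too in case a variant writes there instead.
$ntWin = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($name in 'Load', 'Run') {
    $v = (Get-ItemProperty -Path $ntWin -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { $findings += "Registry startup entry: $ntWin\$name = $v" }
}

# 3. Dropped copy: a .cpl in %TEMP%. The sample name 220320120334.cpl looks like a
#    timestamp, so an all-digits basename is used as the pattern (assumption).
Get-ChildItem -Path $env:TEMP -Filter '*.cpl' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^\d+$' } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $findings += "Numeric-named .cpl in TEMP: $($_.FullName) SHA256=$hash"
    }

# 4. Security software: AVG or Avast services that are present but not running.
#    Matching on display name is an assumption; adjust to the products installed.
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'AVG|Avast' -and $_.Status -ne 'Running' } |
    ForEach-Object { $findings += "Security service not running: $($_.Name) ($($_.Status))" }

if ($findings.Count -eq 0) { 'No Spycos.A indicators found.' } else { $findings }
```

Run it as an administrator so the HKLM read and the %TEMP% listing are not blocked; a positive hit on the UAC value alone is a strong signal, since EnableLUA is rarely set to 0 on a managed host, while a stopped AVG or Avast service on its own is only worth follow-up if the binaries listed in the service's ImagePath are also missing.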
Analysis by Jim Wang
Last update 19 May 2012