Home / malware Infostealer.Limitail.B
First posted on 18 November 2014.
Source: SymantecAliases :
There are no other names known for Infostealer.Limitail.B.
Explanation :
When the Trojan is executed, it creates the following file. The file name is specified by the malware author. For current samples, the file name may be "Antivirus.exe" or "Example.exe". %UserProfile%\Application Data\Microsoft\[THREAT FILE NAME].exe
Next, the Trojan creates the following file: %UserProfile%\Start Menu\Programs\Startup\[THREAT FILE NAME].exe
The Trojan then creates the following registry entry so that it runs every time Windows starts: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\Microsoft\[THREAT FILE NAME].exe"
Next, the Trojan modifies the following registry entries to disable certain software and operating system features: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\"DisableCMD" = "1"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "1"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"EnableLUA" = "1"
The Trojan then gathers the following computer information: Computer nameTotal physical memoryTotal virtual memoryAvailable physical memoryAvailable virtual memoryOperating system platformOperating system versionOperating system cultureLocal timeList of applicationsInstalled firewallInstalled antivirus software
The Trojan then gathers sensitive information from the following applications, if present: Bitcoin walletsChromeCore FTPDynDNSFileZillaFirefoxIMVUInternet Download ManagerInternet ExplorerMailMinecraftMSNNIMBUZZNo-IPOperaPidginRuneScapeSafariSmartFTPSpotify
Next, the Trojan stores information extracted from FireFox and Mail to the following files: %Temp%\logff.txt%Temp%\logmail.txt
It may also clear cookies and login data on the following web browsers: ChromeFirefox
The Trojan may then carry out the following actions: Capture screenshotsLog keystrokesLog titles of open windowsGather the compromised computer's public IP addressSends information to a specific email address, FTP server, or web panelSend messages to the user's Skype friendsDownload filesVisit websitesDisplay error messagesLast update 18 November 2014