Win32/Spy.Weecnaw [Threat Name]

Win32/Spy.Weecnaw.A [Threat Variant Name]

Category trojan
Size 120682 B
Detection created Feb 09, 2015
Signature database version 11146
Aliases Backdoor:Win32/NetWiredRC.C (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\ImgBurn\ImgBurn.exe

The trojan creates the following files:

  • %temp%\%variable1%\Nubian.dll (51712 B, Win32/Injector.BVQH)
  • %temp%\%variable1%\UserInfo.dll (4096 B)
  • %appdata%\INSTMSIW.exe (83456 B)
  • %appdata%\ImgBurn\.Identifier

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "ImgBurn" = "%appdata%\ImgBurn\ImgBurn.exe"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\%variable2%]
    • "StubPath" = "%appdata%\ImgBurn\ImgBurn.exe"

%variable1% and %variable2% stand for strings with variable content.
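As an added example (not part of the ESET description), the Python script below checks autorun registry values and file-system records against the installation artifacts listed above, the dropped-file sizes, and the %appdata%\ImgBurn\Logs\ folder named under Information stealing below. The sample records are constructed in the style of an Autoruns export; the Active Setup component names stand in for %variable2% and are invented, as is the %temp% sub-folder name. The check that flags any Active Setup StubPath pointing into a user's AppData is a general heuristic of mine, not something the page states.

```python
"""Offline triage of autorun and file records against the Win32/Spy.Weecnaw.A
installation indicators. Added example; sample records are constructed."""
import re
from dataclasses import dataclass

# %appdata% / %temp% as written in the description, or their expanded
# per-user forms, so one rule hits both raw indicator text and live paths.
_APPDATA = r"(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)"
_TEMP = r"(?:%temp%|[a-z]:\\users\\[^\\]+\\appdata\\local\\temp)"
_END = r'(?=["\s]|$)'  # a path ends at a quote, whitespace or end of string

# label -> (path regex, size in bytes where the page lists one, else None).
# %variable1% (the folder under %temp%) is matched as any single component.
FILE_IOCS = {
    "Weecnaw copy ImgBurn.exe":
        (re.compile(_APPDATA + r"\\imgburn\\imgburn\.exe" + _END, re.I), None),
    "dropped INSTMSIW.exe":
        (re.compile(_APPDATA + r"\\instmsiw\.exe" + _END, re.I), 83456),
    "dropped Nubian.dll":
        (re.compile(_TEMP + r"\\[^\\]+\\nubian\.dll" + _END, re.I), 51712),
    "dropped UserInfo.dll":
        (re.compile(_TEMP + r"\\[^\\]+\\userinfo\.dll" + _END, re.I), 4096),
    "ImgBurn\\.Identifier marker":
        (re.compile(_APPDATA + r"\\imgburn\\\.identifier" + _END, re.I), None),
    "keylog folder ImgBurn\\Logs":
        (re.compile(_APPDATA + r"\\imgburn\\logs\\?" + _END, re.I), None),
}


@dataclass(frozen=True)
class RegValue:
    key: str   # full key path, e.g. HKCU\SOFTWARE\...\CurrentVersion\Run
    name: str  # value name
    data: str  # value data, i.e. the command the autorun launches


def match_path(path, size=None):
    """IOC label for a file path or autorun command, or None.
    A known path with an unexpected size is still reported, but flagged:
    a repacked build of the same dropper deserves a look, not a dismissal."""
    path = path.strip()
    for label, (rx, expected) in FILE_IOCS.items():
        if rx.search(path):
            if size is not None and expected is not None and size != expected:
                return f"{label} (size {size} != {expected})"
            return label
    return None


def classify_autorun(entry):
    """Findings for one autorun registry value: exact IOC plus one heuristic."""
    findings = []
    hit = match_path(entry.data)
    if hit:
        findings.append(f"autorun launches {hit}")
    # Heuristic (not from the page): Active Setup is machine-wide (HKLM) and
    # its StubPath should point at system or Program Files binaries; a
    # StubPath into a user's AppData is anomalous whatever the file is called.
    if ("\\active setup\\installed components\\" in entry.key.lower()
            and entry.name.lower() == "stubpath"
            and re.search(_APPDATA, entry.data, re.I)):
        findings.append("Active Setup StubPath points into user AppData")
    return findings


def triage(reg_values, files):
    """(source, finding) pairs for autorun values and (path, size) records."""
    out = [(f"{v.key}\\{v.name}", f) for v in reg_values for f in classify_autorun(v)]
    for path, size in files:
        hit = match_path(path, size)
        if hit:
            out.append((path, hit))
    return out


# Constructed sample records (Autoruns-export style), not taken from the page.
# The Active Setup component GUIDs stand in for %variable2% and are made up.
SAMPLE_REG = [
    RegValue(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ImgBurn",
             r'"C:\Users\alice\AppData\Roaming\ImgBurn\ImgBurn.exe"'),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{D1E7C0DE-0000-4000-8000-000000000001}",
             "StubPath", r"C:\Users\alice\AppData\Roaming\ImgBurn\ImgBurn.exe"),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{D1E7C0DE-0000-4000-8000-000000000002}",
             "StubPath", r"C:\Windows\System32\regsvr32.exe /s /n /i:U example.dll"),
    RegValue(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
SAMPLE_FILES = [
    (r"C:\Users\alice\AppData\Roaming\ImgBurn\.Identifier", 0),
    (r"C:\Users\alice\AppData\Roaming\INSTMSIW.exe", 83456),
    (r"C:\Users\alice\AppData\Local\Temp\ab3k1\Nubian.dll", 51712),
    (r"C:\Users\alice\AppData\Local\Temp\ab3k1\UserInfo.dll", 5120),  # size differs: flagged
    (r"C:\Users\alice\AppData\Roaming\ImgBurn\Logs", None),
    (r"C:\Program Files (x86)\ImgBurn\ImgBurn.exe", 3170048),  # not under AppData: no hit
]

if __name__ == "__main__":
    for source, finding in triage(SAMPLE_REG, SAMPLE_FILES):
        print(f"{finding:<55} {source}")
```

Run on the constructed records, the script reports the Run value and the Active Setup StubPath as launching the dropper copy, flags the StubPath a second time on the AppData heuristic, and reports the four dropped artifacts (UserInfo.dll with a size mismatch); the legitimate ImgBurn.exe under Program Files and the OneDrive Run value produce no findings. On a live host the two inputs would come from a registry export and a file listing of the user profile, with the size column taken from the directory listing.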

Information stealing

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • operating system version
  • computer name
  • user name
  • memory status
  • the path to specific folders
  • list of active TCP and UDP connections

The following programs are affected:

  • Chromium
  • Google Chrome
  • Internet Explorer
  • Microsoft Outlook
  • Mozilla Firefox
  • Mozilla Thunderbird
  • Opera
  • Pidgin
  • SeaMonkey

The following services are affected:

  • Windows Live

The trojan is able to log keystrokes.

The collected information is stored in the following folder:

  • %appdata%\ImgBurn\Logs\

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP and TCP protocols are used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • stop itself for a certain time period
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • send the list of running processes to a remote computer
  • send gathered information
  • send requested files
  • capture screenshots
  • copy files
  • move files
  • delete folders
  • delete files
  • create Registry entries
  • delete Registry entries
  • various Registry operations
  • execute shell commands
  • simulate user input (mouse clicks, key taps)
  • show/hide application windows
  • manipulate application windows
  • set up a proxy server
