Win32/DataStealer [Threat Name]

Win32/DataStealer.B [Threat Variant Name]

Category trojan, worm
Size 1731584 B
Aliases Trojan-Dropper.Win32.Agent.fzcd (Kaspersky)
  Spy-Agent.gg.trojan (McAfee)
  Trojan:Win32/Enosch.A (Microsoft)
Short description

Win32/DataStealer.B is a worm that steals sensitive information. The worm attempts to send gathered information to a remote machine.

Installation

When executed, the worm copies itself into the following location:

  • %homedrive%%homepath%\gupd.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "gtalkupdate" = "%homedrive%%homepath%\gupd.exe"

Spreading on removable media

The worm may create copies of itself on removable drives.

The worm searches for files with the following file extensions:

  • *.*

It avoids files with the following extensions:

  • .exe

When the worm finds a file matching the search criteria, it creates a new copy of itself.

The name of the new file is based on the name of the file found in the search.

The extension of the file is ".exe".

The worm copies itself into the root folders of fixed and/or removable drives using the following names:

  • portfolio.exe
  • essay.exe
  • lecture notes.exe
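An added offline triage example (not part of the encyclopedia entry) that checks exported Run-key values and drive listings for the installation and spreading indicators described above. The sample data and the companion-file heuristic (a document sitting next to a same-named .exe) are assumptions built from the description, not taken from the sample itself.

```python
# Added example (not the entry's own code); sample data below is constructed.
from pathlib import PureWindowsPath

RUN_VALUE_NAME = "gtalkupdate"   # Run value the worm sets under HKCU
DROPPED_FILE = "gupd.exe"        # copy written to %homedrive%%homepath%
ROOT_COPY_NAMES = {"portfolio.exe", "essay.exe", "lecture notes.exe"}

def check_run_key(run_values):
    """Return Run-key entries whose value name or target matches the indicator."""
    hits = []
    for name, data in run_values.items():
        target = PureWindowsPath(data.strip('"')).name.lower()
        if name.lower() == RUN_VALUE_NAME or target == DROPPED_FILE:
            hits.append(f"{name} = {data}")
    return sorted(hits)

def check_drive_listing(paths):
    """Return (reason, path) pairs: root copies, dropped file, companion .exe files."""
    by_dir = {}  # lowercased folder -> {lowercased file name: original path}
    for raw in paths:
        p = PureWindowsPath(raw)
        by_dir.setdefault(str(p.parent).lower(), {})[p.name.lower()] = raw
    hits = []
    for folder, names in by_dir.items():
        is_root = PureWindowsPath(folder).parent == PureWindowsPath(folder)
        for name, original in names.items():
            if not name.endswith(".exe"):
                continue
            stem = name[:-4]
            if is_root and name in ROOT_COPY_NAMES:
                hits.append(("root copy", original))
            elif name == DROPPED_FILE:
                hits.append(("dropped copy", original))
            # The worm names each copy after a file it found and gives it .exe,
            # so a sibling whose full name or stem equals this stem is suspect.
            for other in names:
                if other != name and stem in (other, other.rsplit(".", 1)[0]):
                    hits.append((f"companion of {other}", original))
    return sorted(hits)

SAMPLE_RUN_VALUES = {  # constructed export of HKCU\...\Run
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "gtalkupdate": r"C:\Users\alice\gupd.exe",
}
SAMPLE_PATHS = [  # constructed listing of a removable drive and a user profile
    r"E:\essay.exe", r"E:\budget.xlsx", r"E:\thesis\thesis.docx",
    r"E:\thesis\thesis.exe", r"E:\photos\trip.jpg", r"C:\Users\alice\gupd.exe",
]

if __name__ == "__main__":
    print(check_run_key(SAMPLE_RUN_VALUES), check_drive_listing(SAMPLE_PATHS))
```

Feed the functions a registry export and a recursive file listing taken from the suspect host; the companion check is a heuristic and will also surface benign installers that ship a document and an executable with the same stem.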

Information stealing

The worm searches local drives for files with the following file extensions:

  • .doc
  • .docx

The worm attempts to send the found files to a remote machine.

The worm sends the information via e-mail. The worm contains a list of one e-mail address.

Other information

The worm checks for Internet connectivity by trying to connect to the following addresses:

  • http://www.google.com/index.html

The worm may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Chilkat Software, Inc.]
  • [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Chilkat Software, Inc.]
  • [HKEY_CLASSES_ROOT\WMZebra]

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Chilkat Software, Inc.\ChilkatMail]
    • "Key30" = %variable%
  • [HKEY_CURRENT_USER\Software\Chilkat Software, Inc.\ChilkatMail]
    • "Key30" = %variable%

A string with variable content is used instead of %variable%.
