Win32/Prikormka
Detection created: 2016-03-09
World activity peak: 2016-08-19 (0.02 %)
Short description
Win32/Prikormka is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.
Installation
The trojan may create the following files:
- %windir%\ntshrui.dll
- %windir%\hauthuid.dll
- %windir%\hlpuctf.dll
- %windir%\atiml.dll
- %windir%\iomus.dll
- %windir%\swma.dll
- %windir%\helpldr.dll
- %windir%\rbcon.ini
- %userprofile%\AppData\Local\CMS\krman.ini
- %userprofile%\AppData\Local\VRT\_wputproc.dll
The trojan may create the following folders:
- %programfiles%\IntelRestore\
- %userprofile%\Resent\roaming\ocp8.1\
- %userprofile%\AppData\Local\MMC\
- %userprofile%\AppData\Local\PMG\
- %userprofile%\AppData\Local\SKC\
- %userprofile%\AppData\Local\CMS\
- %userprofile%\AppData\Local\VRT\
- %userprofile%\AppData\Local\ioctl\
Information stealing
The trojan collects the following information:
- operating system version
- computer name
- user name
- screenshots
- logged keystrokes
- webcam video/voice
- list of files/folders on a specific drive
- contents of files
- geographical location of the device
- computer IP address
- MAC address
- amount of physical memory (RAM)
- list of disk devices and their type
- display resolution
The trojan collects information related to the following applications:
- Google Chrome
- Opera Browser
- Yandex Browser
- Comodo Dragon Internet Browser
- Rambler Browser
- Mozilla Firefox
- Mozilla Thunderbird
The trojan attempts to send gathered information to a remote machine.
For further information follow the links below:
* Operation Groundbait: Espionage in Ukrainian war zones