Win32/Spy.Sekur [Threat Name]
Win32/Spy.Sekur.B [Threat Variant Name]
Category: trojan
Size: 173056 B
Aliases: PWS:Win32/Sekur (Microsoft), BackDoor.Anunak.8 (Dr.Web)
Short description
The trojan serves as a backdoor and information stealer. It can be controlled remotely.
Installation
When executed, the trojan copies itself to the following location:
- %appdata%\Mozilla\svchost.exe
The file name mimics the legitimate Windows Service Host, which lives in %systemroot%\System32; a svchost.exe under a user profile directory is never legitimate.
The trojan registers itself as a system service under the following name:
- %variable%Sys
A string with variable content is used instead of %variable%, so only the "Sys" suffix is constant.
The trojan adds an exception for itself to the Windows Firewall so that its network traffic is not blocked.
The trojan creates the following file:
- %appdata%\Mozilla\%random%.bin
A string with variable content is used instead of %random%.
The trojan can inject its own code into any running process and execute it there in a new thread.
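A host-side hunt for the persistence indicators described in this section, added here as an example and not part of the ESET description: it checks the drop location under %APPDATA%\Mozilla, the accompanying .bin file, services whose name ends in "Sys" or whose image path points at the dropped binary, and firewall rules that reference it. The paths and the "Sys" suffix come from the description above; the output layout and the decision to treat any svchost.exe under a user profile as suspicious are this example's own. It needs an elevated Windows PowerShell 4.0 or later session on Windows 8 / Server 2012 or later (for Get-FileHash and the NetSecurity cmdlets).

```powershell
# Added example, not ESET's code: hunt for Win32/Spy.Sekur.B persistence artifacts.
# Run elevated so that all services and firewall rules are visible.

$dropDir  = Join-Path $env:APPDATA 'Mozilla'
$dropExe  = Join-Path $dropDir 'svchost.exe'
$findings = @()

# 1. Dropped copy of the trojan. svchost.exe belongs in %SystemRoot%\System32 only,
#    so any hit here is worth a closer look regardless of its hash.
if (Test-Path -LiteralPath $dropExe -PathType Leaf) {
    $hash = (Get-FileHash -LiteralPath $dropExe -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Indicator = 'DroppedBinary'; Detail = "$dropExe (SHA256 $hash)" }
}

# 2. The <random>.bin file written next to it.
if (Test-Path -LiteralPath $dropDir -PathType Container) {
    foreach ($bin in Get-ChildItem -LiteralPath $dropDir -Filter '*.bin' -File) {
        $findings += [pscustomobject]@{ Indicator = 'BinFile'; Detail = "$($bin.FullName) ($($bin.Length) B)" }
    }
}

# 3. Service persistence: either the image path is the dropped binary, or the
#    name carries the "Sys" suffix and the binary runs from the user profile.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.PathName -like "*$dropExe*" -or
        ($svc.Name -like '*Sys' -and $svc.PathName -like "*$env:APPDATA*")) {
        $findings += [pscustomobject]@{
            Indicator = 'Service'
            Detail    = "$($svc.Name): $($svc.PathName) [$($svc.State), start=$($svc.StartMode)]"
        }
    }
}

# 4. Firewall exception for the dropped binary. The application filter holds the
#    program path; pipe it back into Get-NetFirewallRule to get the owning rule.
$appFilters = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -like '*\Mozilla\svchost.exe' }
foreach ($flt in $appFilters) {
    foreach ($rule in ($flt | Get-NetFirewallRule)) {
        $findings += [pscustomobject]@{
            Indicator = 'FirewallRule'
            Detail    = "$($rule.DisplayName) ($($rule.Direction)/$($rule.Action)): $($flt.Program)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Spy.Sekur.B persistence indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

On Windows 7 and earlier, which lack the NetSecurity module, replace step 4 with `netsh advfirewall firewall show rule name=all verbose` (or `netsh firewall show allowedprogram` on XP) and search its output for the Mozilla\svchost.exe path. The thread-injection behaviour leaves no file or service artifact and is not covered by this script; it has to be found in memory, for example by comparing each process's thread start addresses against the address ranges of its loaded modules.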
Information stealing
Win32/Spy.Sekur.B is a trojan that steals sensitive information.
The trojan collects the following information:
- login user names for certain applications/services
- login passwords for certain applications/services
The trojan attempts to send the gathered information to a remote machine.
Other information
The trojan retrieves data and commands from a remote computer or the Internet. It contains a list of 4 command-and-control URLs and communicates with them over HTTP.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- send files to a remote computer
- log keystrokes
- capture screenshots
- update itself to a newer version
- shut down/restart the computer
- send gathered information
The trojan can modify the following Windows system files (the logon process, the XP/2003 logon GINA, the Terminal Services service DLL and the Client/Server Runtime Subsystem server DLL):
- termserv.dll
- msgina.dll
- csrsrv.dll
- winlogon.exe
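An integrity check for the four system files listed above, added here as an example and not part of the ESET description. It reports the Authenticode status, last-write time and SHA-256 of each file from %SystemRoot%\System32 and then asks Windows Resource Protection to verify each one; msgina.dll does not exist on Windows Vista and later, so a missing file is reported rather than flagged. The report layout is this example's own choice; run it from an elevated PowerShell 4.0 or later session.

```powershell
# Added example, not ESET's code: verify the system binaries Win32/Spy.Sekur.B is
# reported to modify. A status other than Valid on a System32 file, or a
# last-write time that does not match a patch cycle, means the file was altered
# (or the signing catalog is damaged) and should be compared against a clean host
# of the same build.

$targets = 'winlogon.exe', 'msgina.dll', 'termserv.dll', 'csrsrv.dll'
$sys32   = Join-Path $env:SystemRoot 'System32'

Write-Output ('{0,-13} {1,-13} {2,-16} {3}' -f 'File', 'Signature', 'LastWrite', 'SHA256')
foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Output ('{0,-13} not present on this Windows version' -f $name)
        continue
    }
    $item = Get-Item -LiteralPath $path
    # Microsoft system binaries are catalog-signed; Get-AuthenticodeSignature
    # resolves catalog signatures on current Windows PowerShell builds.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    Write-Output ('{0,-13} {1,-13} {2:yyyy-MM-dd HH:mm} {3}' -f $name, $sig.Status, $item.LastWriteTime, $hash)
}

# Second opinion from Windows Resource Protection, which checks the file against
# the component store and can repair it from there. Output goes straight to the
# console because sfc prints wide characters that do not capture cleanly.
foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        Write-Output "sfc /verifyfile=$path"
        & sfc.exe "/verifyfile=$path"
    }
}
```

On Windows PowerShell versions that do not resolve catalog signatures, Get-AuthenticodeSignature reports NotSigned for every one of these files; in that case rely on the sfc result and on comparing the SHA-256 values against a known-clean machine at the same patch level. Because the trojan also injects code into running processes, a clean on-disk copy of winlogon.exe does not by itself prove the running winlogon process is untouched.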