A dangerous Trojan passes itself off as MSN Messenger to steal confidential user data
PandaLabs has detected the appearance of Spymaster.A, a Trojan designed to steal all types of information from computers. It combines spyware and keylogger traits, enabling it to capture everything from the web pages users visit to the user names and passwords entered in services such as online banking. Moreover, thanks to a simple but effective stealth trick, it can pass itself off as the MSN Messenger application, so users are unaware of its presence on the system.
As with most Trojans, Spymaster.A is not able to spread by itself and needs a malicious user to distribute it. It can therefore reach computers as an attachment to email messages, or be downloaded from web pages, P2P applications, instant messaging systems or infected CDs or diskettes.
After it reaches a computer, should a user run the file that contains Spymaster.A, the Trojan copies itself to a file called syscont.exe. The process associated with this file carries the name Win serviço. However, it uses a stealth technique: if the user views active processes in Task Manager, the only entry they will see is one that appears to belong to MSN Messenger. That process actually hides the activity of Spymaster.A. The Trojan also creates several Windows registry entries to ensure it is run every time the computer starts up.
The Trojan also creates a text file called syslogy.cc. This file stores data on the programs used on the computer, the web pages visited and everything typed on the keyboard. It is this file that is sent, via FTP, to an address from which the attacker can collect it.
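The artifacts listed above (the dropped syscont.exe, the Run-key persistence, the process posing as MSN Messenger, the syslogy.cc log and the FTP upload) are exactly what an analyst would hunt for on a suspect host. The following is an added triage example, not Panda Software's code or a detection from the Encyclopedia: it scores a host snapshot that has already been exported (Run values, running processes with their executable paths, a file listing and the TCP connection table) against those indicators. The indicator names come from this write-up; the MSN Messenger image name msnmsgr.exe and its install directory, the Run value name, the FTP client allow-list and all sample addresses and PIDs are assumptions constructed for illustration.

```python
"""Host triage for the Spymaster.A behaviour described in the write-up.

Added example, not Panda Software's code. The indicators DROPPED_BINARY,
KEYLOG_FILE and FTP exfiltration come from the text; the Messenger image
name/path, Run value names and the FTP client allow-list are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the write-up.
DROPPED_BINARY = "syscont.exe"
KEYLOG_FILE = "syslogy.cc"
FTP_PORT = 21

# Assumptions: what a genuine MSN Messenger process is called and where it lives.
MESSENGER_IMAGE = "msnmsgr.exe"
MESSENGER_DIRS = ("c:\\program files\\msn messenger\\",)
# Assumption: processes allowed to open FTP control connections on this host.
FTP_CLIENTS = {"ftp.exe", "filezilla.exe"}


@dataclass
class Process:
    pid: int
    name: str        # image name as shown by Task Manager
    image_path: str  # full path, e.g. from WMI Win32_Process.ExecutablePath


@dataclass
class Connection:
    pid: int
    remote_addr: str
    remote_port: int


@dataclass
class HostSnapshot:
    run_values: Dict[str, str]   # ...\CurrentVersion\Run value name -> command line
    processes: List[Process]
    files: List[str]             # absolute paths of files found under %SystemRoot%
    connections: List[Connection]


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def find_indicators(snap: HostSnapshot) -> List[str]:
    """Return one readable finding per matched artefact; an empty list means clean."""
    findings: List[str] = []

    # 1. Persistence: a Run value that launches the dropped binary.
    for value_name, command in snap.run_values.items():
        if DROPPED_BINARY in _norm(command):
            findings.append(f"persistence: Run value {value_name!r} launches {command}")

    # 2. Processes: a "Messenger" that does not run from the Messenger install
    #    directory (the masquerade the text describes), or the dropped binary itself.
    by_pid = {p.pid: p for p in snap.processes}
    for p in snap.processes:
        name, path = p.name.lower(), _norm(p.image_path)
        if name == MESSENGER_IMAGE and not path.startswith(MESSENGER_DIRS):
            findings.append(f"masquerade: pid {p.pid} shows as {p.name} but runs from {p.image_path}")
        elif name == DROPPED_BINARY or path.endswith("\\" + DROPPED_BINARY):
            findings.append(f"process: pid {p.pid} is {DROPPED_BINARY} ({p.image_path})")

    # 3. The keystroke/activity log waiting to be uploaded.
    for f in snap.files:
        if _norm(f).rsplit("\\", 1)[-1] == KEYLOG_FILE:
            findings.append(f"keylog: {f} present")

    # 4. Exfiltration: an FTP control connection owned by anything but a known FTP client.
    for c in snap.connections:
        if c.remote_port != FTP_PORT:
            continue
        owner = by_pid.get(c.pid)
        owner_name = owner.name.lower() if owner else "<unknown>"
        if owner_name not in FTP_CLIENTS:
            findings.append(f"exfil: pid {c.pid} ({owner_name}) -> {c.remote_addr}:{c.remote_port} (FTP)")
    return findings


def infected_snapshot() -> HostSnapshot:
    """Constructed sample, not a real capture: a host showing every artefact."""
    return HostSnapshot(
        run_values={
            "MSN Messenger": "C:\\Program Files\\MSN Messenger\\msnmsgr.exe /background",
            "syscont": "C:\\WINDOWS\\system32\\syscont.exe",   # assumed value name
        },
        processes=[
            Process(1120, "explorer.exe", "C:\\WINDOWS\\explorer.exe"),
            Process(1488, "msnmsgr.exe", "C:\\WINDOWS\\system32\\syscont.exe"),
        ],
        files=["C:\\WINDOWS\\system32\\syscont.exe", "C:\\WINDOWS\\system32\\syslogy.cc"],
        connections=[
            Connection(1120, "198.51.100.20", 80),  # documentation-range address
            Connection(1488, "203.0.113.7", 21),    # documentation-range address
        ],
    )


def clean_snapshot() -> HostSnapshot:
    """Constructed sample: the same host with only a genuine Messenger install."""
    return HostSnapshot(
        run_values={"MSN Messenger": "C:\\Program Files\\MSN Messenger\\msnmsgr.exe /background"},
        processes=[
            Process(1120, "explorer.exe", "C:\\WINDOWS\\explorer.exe"),
            Process(1500, "msnmsgr.exe", "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"),
            Process(1600, "ftp.exe", "C:\\WINDOWS\\system32\\ftp.exe"),
        ],
        files=["C:\\WINDOWS\\system32\\ftp.exe"],
        connections=[Connection(1600, "198.51.100.20", 21)],  # legitimate FTP client
    )


if __name__ == "__main__":
    for label, snap in (("clean", clean_snapshot()), ("infected", infected_snapshot())):
        hits = find_indicators(snap)
        print(f"{label}: {len(hits)} finding(s)")
        for line in hits:
            print("  " + line)
```

The masquerade check is the general form of the trick described: rather than matching the name the Trojan chose, it compares what Task Manager shows against where the executable actually lives, so a renamed dropper is caught even if the file name changes. The FTP check is an allow-list rather than a block on port 21, because on a host that has a real FTP client the interesting signal is the owning process, not the port.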
According to Luis Corrons, director of PandaLabs: “Keylogger Trojans are usually used by cyber-crooks to steal confidential information for fraudulent purposes. Given that, nowadays, financial gain is the main motivation for the creators of malicious code, it is almost certain that more examples will appear, and that they will be increasingly sophisticated and difficult to detect. The way that Spymaster.A hides the process in memory is a good example of this.”
To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, at http://www.activescan.com. Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from http://www.pandasoftware.com/partners/webmasters.
Panda Software clients that don’t yet have TruPrevent™ Technologies have the updates available to install them along with their antivirus and ensure they have preventive protection against unknown viruses and intruders. For users with a different antivirus program installed, Panda TruPrevent™ Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the antivirus is updated, decreasing the risk of infection. More information about TruPrevent™ Technologies at http://www.pandasoftware.com/truprevent
Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software’s website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.
For further information about Spymaster.A, visit Panda Software’s Encyclopedia.
About PandaLabs
Since 1990, its mission has been to analyze new threats as rapidly as possible to keep our clients safe. Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), work 24/7 to provide global coverage. To achieve this, they also have the support of TruPrevent™ Technologies, which act as a global early-warning system made up of strategically distributed sensors that neutralize new threats and send them to PandaLabs for in-depth analysis. According to AV-Test.org, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to users (more info at www.pandasoftware.com/pandalabs.asp).
For more information: http://www.pandasoftware.com/virus_info