TROJ_STEGBOV.A

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It terminates itself if it detects it is being run in a virtual environment.

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This Trojan adds the following mutexes to ensure that only one of its copies runs at any one time:

• bogestvennoe_providenie

Other System Modifications

This Trojan creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and filename} = {malware path and filename}:*:Enabled:ldrsoft

Other Details

This Trojan terminates itself if it detects it is being run in a virtual environment.

NOTES:

Download Routine

This malware attempts to connect to the following URL to download and execute another file:

• http://{BLOCKED}t.com/3/1.php?q={number}

If download is successful, it signals the remote server by sending the following:

• http://{BLOCKED}t.com/3/1.php?q={number}&ok={number}

Currently, the malware was able to download from:

• http://{BLOCKED}t.com/3/1.php?q=1

It is detected by Trend Micro as TROJ_FAKEAV.IB.

The downloaded file is then executed, thus the malicious routines of the said malware are also exhibited in the system.

Information Theft

It gathers information related to financial institutions from cache by checking the following strings:

• .efirstbank.com
• .enternetbank.com
• .nabconnect.nab.com.au
• .nashvillecitizensbank.com
• .rbs.com/wps/portal/cb/applications
• .royalbank.com
• .sandyspringbank.com
• .svbconnect.com
• /cashman/
• /cashplus/
• /CLKCCM/
• /cmserver/
• /Common/SignOn
• /onlineserv/CM/
• /wcmfd/wcmpw/
• abbeyinternational.com
• access.rbsm.com/logo
• alahliecorp.com
• alahlionline.com
• alinmaonline.com
• almubasher.com.sa
• anb.com.sa
• anzdirect.co.nz
• associatedbank.com
• baj.com.sa
• bankalbilad.com
• banking.calbanktrust.com
• banking.mashreqbank.com
• banking.postbank.de
• bmoharrisprivatebankingonline.com
• bnycash.bankofny.com
• boveda.banamex.com.mx
• business.hsbc.co.uk
• businessbanking.cibc.com
• businessmanager.com
• businessonline.huntington.com
• businessonline.tdbank.com
• businessportal.mibank.com
• cashanalyzer.com
• cashmanager.mizuhoe-treasurer.com
• chase.com
• cibconline.cibc.com
• citigroup.com
• commbiz.commbank.com.au
• commercial.wachovia.com
• compassbank.com
• comsec.com.au
• directpay.wellsfargo.com
• easywebcpo.td.com
• ebanking-services.com
• ebc_ebc1961
• fgb.ae
• fransicorp.com.sa
• fransiplus.com
• hsbc.com.eg
• ibanking-services.com
• ifxmanager.bnymellon.com
• internetbanking.suncorpbank.com.au
• neteller.com
• northerntrust.com
• online-business.lloydstsb.co.uk
• online.corp.westpac.com.au
• onlinebanking.banksterling.com
• passport.texascapitalbank.com
• premierview.membersunited.org
• saab.com
• samba.com
• schwab.com
• scotiaconnect.scotiabank.com
• scotiaonline.scotiabank.com
• securentrycorp.
• singlepoint.usbank.com
• ssl.selectpayment.com
• sso.unionbank.com
• treas-mgt.frostbank.com
• webbankingforbusiness.mandtbank.com
• webinfocus.mandtbank.com
• wellsoffice.wellsfargo.com

It also searches for a file in %Application Data%\Mozilla to gather information from cookies:

• cookies.sqlite