TROJ_FINSPY.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

It uses common file icons to trick a user into thinking that the files are legitimate.

It deletes itself after execution.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

• %User Temp%\TMP{8 random characters}\{Malware Filename}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following component file(s):

• {Malware Path and Filename}.jpg
• %User Temp%\delete.bat
• %User Temp%\driverw.sys

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It uses common file icons to trick a user into thinking that the files are legitimate.

Other Details

This Trojan deletes itself after execution.

NOTES:
The file DELETE.BAT is used to delete the malware after execution. The dropped non-malicious file {malware path and filename}.jpg is executed to trick user that the executed malware file was just a normal .JPG file. In reality, the malware was already executed.