TSPY_LOKI.XD

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded from remote sites by other malware.

It steals certain information from the system and/or the user.

It deletes itself after execution.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from remote site(s) by the following malware:

• W2KM_DLOADER.XD

Installation

This Trojan Spy drops the following copies of itself into the affected system:

• %Application Data%\{random folder name}\{random filename}.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %Application Data%\{random folder name}\{random filename}.lck

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {Hash of Machine GUID}

Information Theft

This Trojan Spy steals the following information:

• User name
• Computer Name

It attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 32Bitftp
• 9bis.com KiTTY
• AbleFTP
• BitKinex
• Bitvise BvSshClient
• DeluxeFTP
• EasyFTP
• Estsoft ALFTP
• ExpanDrive
• Far Manager
• Fastream NETFile
• FileZilla
• FlashFXP
• Flashpeak BlazeFtp
• FreshWebmaster FreshFTP
• FTP Navigator
• FTP Now
• FTPBox
• FTPGetter
• FTPInfo
• FTPShell
• GHISLER Total Commander
• GoFTP
• INSoftware NovaFTP
• IpSwitch WS_FTP
• iterate_GmbH Cyberduck
• JasFtp
• LinasFTP
• Martin Prikryl WinSCP
• NCH Software ClassicFTP
• NCH Software Fling
• NetDrive
• NetSarang Xftp
• NexusFile
• Notepad++ NppFTP
• Odin Secure FTP Expert
• oZone3D MyFTP
• Sherrod FTP
• SimonTatham PuTTY
• SmartFTP
• Staff-FTP
• SuperPutty
• UltraFXP
• VanDyke SecureFX
• WinFtp Client

It attempts to steal stored email credentials from the following:

• FossaMail
• Foxmail
• Incredimail
• Outlook
• Postbox
• Thunderbird

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• 360 Browser
• 8pecxstudios Cyberfox
• Apple Computer Safari
• Catalina Group Citrio
• Chromium
• Chromodo
• CocCoc
• Comodo Dragon
• Comodo IceDragon
• Coowon
• Epic Privacy Browser
• Flock Browser
• Google Chrome
• Google Chrome SxS
• Internet Explorer
• Iridium
• K-Meleon
• LunaScape6
• Maplestudio Chromeplus
• Moonchild Productions Pale Moon
• Mozilla Firefox
• Mozilla Seamonkey
• Mozilla Waterfox
• Mustang Browser
• NETGATE Technologies Blackhawk
• Nichrome
• Opera
• Opera Next
• Orbitum
• QtWeb Internet Browser
• QupZilla
• Rockmelt
• Spark
• Superbird
• Titan Browser
• Torch
• Vivaldi
• YandexBrowser

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}erowybank.pl/images/gini/five/fre.php

Other Details

This Trojan Spy deletes itself after execution.