TrojanSpy.Win32.NEGASTEAL.THJAEAI

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy creates the following folders:

• %Application Data%\credits
• %Application Data%\period\plan\frequency
• %Application Data%\u2\mailto\connectt
• %Application Data%\period
• %Application Data%\USER\doinstall
• %Application Data%\period\plan
• %Application Data%\period\plan\frequency\clean
• %User Profile%\AppData
• %Application Data%\u2\mailto
• %Application Data%\USER\doinstall\strFormId
• %System Root%\Users
• %User Temp%\namespace
• %Application Data%\USER\doinstall\strFormId\logo
• %Application Data%\USER
• %Application Data%\u2

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Dropping Routine

This Trojan Spy drops the following files:

• %Application Data%\u2\mailto\connectt\DbgUrtMui.dll
• %Application Data%\credits\Database-Download.png
• %Application Data%\credits\ntfswipe
• %Application Data%\USER\doinstall\strFormId\logo\resgen.exe
• %Start Menu%\Programs\Quadra\QSnoop.lnk
• %User Temp%\namespace\pnm2ppa-ppa-networking
• %Application Data%\period\plan\frequency\clean\bluetoothd.8
• %Application Data%\USER\doinstall\strFormId\logo\formdesign.xml
• %Application Data%\USER\doinstall\strFormId\logo\x-google-video-pointer.xml
• %Application Data%\period\plan\frequency\clean\Jblmp.exe
• %Application Data%\USER\doinstall\strFormId\logo\stlmaps.rgs
• %Application Data%\USER\doinstall\strFormId\logo\accctrl3.gif
• %User Temp%\namespace\dsp3
• %Application Data%\period\plan\frequency\clean\msddslmp.dll
• %User Temp%\namespace\CMAccept.exe
• %User Temp%\namespace\org.gnome.yelp.gschema.xml
• %Application Data%\period\plan\frequency\clean\btstuttutorialoverviewmodule1.gif
• %Application Data%\USER\doinstall\strFormId\logo\msdnmui.dll
• %Application Data%\USER\doinstall\strFormId\logo\tc-cbq-details.8

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

This report is generated via an automated analysis system.