TSPY_USTEAL.USRJ
Mal/RufTar-C (Sophos) ,Trojan horse PSW.Generic10.BNGG (AVG) ,W32/ZBOT.CDL!tr (Fortinet) ,W32/Usteal.C.gen!Eldorado (generic, not disinfectable) (Fprot) ,Trojan-Spy.Win32.Usteal (Ikarus) ,HEUR:Trojan.Win32.Generic (Kaspersky) ,Trojan:Win32/Ransom.FO (Microsoft) ,PWS-FAPK!83050FBF1095 (McAfee) ,probably a variant of Win32/Spy.Usteal.C trojan (Eset) ,Trojan-Spy.Win32.Usteal.da (v) (Sunbelt)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Spyware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This USTEAL variant drops a ransomware detected as TROJ_RANSOM.SMAR, which is created by a new toolkit builder.
To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This spyware adds the following folders:
- {Malware Path}\ufr_reports
It drops and executes the following files:
- %User Temp%\222.exe - detected as TROJ_RANSOM.SMAR
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
- UFR3
Information Theft
This spyware gathers the following data:
- System Information
Stolen Information
This spyware saves the stolen information in the following file:
- {Malware Path}\ufr_reports\report_{dd-mm-yyyy}_{System IDs}-{random}.bin
Drop Points
Stolen information is uploaded to the following websites:
- {BLOCKED}.{BLOCKED}i.esy.es
Other Details
This spyware connects to the following URL(s) to get the affected system's IP address:
- http://whatismyip.akamai.com
- http://whatismyip.everdot.org/ip
- http://whatismyip.org
NOTES:
It attempts to steal stored account information of the following installed FTP clients or File Managers:
- WS_FTP
- SmartFTP
- CoreFTP
- FileZilla
- FlashFXP
- Far
- Total Commander
- WinSCP
It also attempts to steal stored email credentials:
- The Bat!
- IncrediMail
- SeaMonkey
- Thunderbird
This spyware attempts to retrieve stored information such as user names, passwords, and hostnames from the following browsers:
- Internet Explorer
- Opera
- Chromium-based
- FireFox
- Safari
This spyware attempts to retrieve stored information such as user names and passwords from the following instant messenger:
- Mail.Ru Agent
- ICQ
- Miranda
- Psi
- Google Talk
- QIP 2005
- Live Messenger
- Pidgin
- QIP Infium
- MSN Messenger
This spyware attempts to retrieve stored information such as user names and passwords from the following games:
- World Of Tanks
- Full Tilt Poker
- Poker Stars
This spyware attempts to retrieve stored information such as user names and passwords from the following Windows applications:
- RDP
- Windows RAS
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Remove the malware/grayware file dropped/downloaded by TSPY_USTEAL.USRJ. (Note: Please skip this step if the threat(s) listed below have already been removed.)
Step 3
Search and delete this folder
- {Malware Path}\ufr_reports
Step 4
Scan your computer with your Trend Micro product to delete files detected as TSPY_USTEAL.USRJ If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.