Arr0w
Trojan.Multi / Spsniff.AE @ Other (Threat Level: 3 - Medium) PART I
Trojan designed to capture information such as personal identification numbers (PINs) of devices like ATMs.
- Full name of the virus: Trojan.Multi / Spsniff.AE @ Other
- Code type: Trojan [Trojan Horse: A program that seems beneficial or useful but turns out to be malicious at some point. It does not spread by itself.]
- Platforms affected: Multi: Affects W32 platforms [Microsoft Windows 32-bit, and may affect Microsoft Windows Vista / XP / Server 2008 / Server 2003 / 2000 / NT / Me / 98 / 95] / W64 [Microsoft Windows 64-bit, and may affect Microsoft Windows Vista / XP / Server 2008 / Server 2003]
- Permanent residence capability: Yes, it runs automatically on each reboot
- Alias:
TSPY_SPSNIFF.AE (Trend Micro)
Propagation
- Ability to self-propagate: No
It has no spreading routine of its own. It can reach the system in the following ways:
- Other propagation mechanisms
* Downloaded by other malware, or downloaded without the user's knowledge when visiting an infected web page.
* Downloaded through a file-sharing (P2P) program.
Infection / Effects
When Spsniff.AE runs, it performs the following actions:
- Files and folders
Creates the following file:
• "systen.dll"
- Further Details
To run, the Trojan requires the following DLLs, which belong to the "Serial Port Sniffer" and "Serial Port Monitor" ActiveX components from Eltima Software:
• spsax.dll
• spsniffer.dll
It captures keystrokes and sends this information to the following e-mail addresses (partially redacted in the original description):
• {HIDDEN} shydra@gmail.com
• {HIDDEN} dosteste@yahoo.com.br
It uses the following SMTP servers to send the information (partially redacted in the original description):
• {HIDDEN} il.cg.shawcable.net
• {HIDDEN} ail.yahoo.com
It also stores system information, such as the host name and the user's name, in the file systen.dll.
Trojan.W32/Mdrop.DYF @ Other
Trojan for the Windows platform that modifies the system in order to carry out malicious actions.
- Full name of the virus: Trojan.W32/Mdrop.DYF @ Other
- Code type: Trojan [Trojan Horse: A program that seems beneficial or useful but turns out to be malicious at some point. It does not spread by itself.]
- Platforms affected: W32 [Microsoft Windows 32-bit, and may affect Microsoft Windows Vista / XP / Server 2008 / Server 2003 / 2000 / NT / Me / 98 / 95]
- Permanent residence capability: Yes, it runs automatically on each reboot
- Size (bytes): 58368
- Alias:
Troj/Mdrop-DYF (Sophos)
Propagation
- Ability to self-propagate: No
It has no spreading routine of its own. It can reach the system in the following ways:
- Other propagation mechanisms
* Downloaded by other malware, or downloaded without the user's knowledge when visiting an infected web page.
* Downloaded through a file-sharing (P2P) program.
Infection / Effects
When Mdrop.DYF runs, it performs the following actions:
- Files and folders
Saves a copy of itself as:
• "%Temp%\dubmnaxxxzeur.com"
- Keys and registry entries
Creates the following registry entry (an autostart location under Policies\Explorer\Run, which is less commonly inspected than the standard Run key):
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Value: 30367 = C:\DOCUME~1\alluse~1\LOCALS~1\Temp\dubmnaxxxzeur.com
- Further Details
Creates the following process:
• c:\windows\system32\wuauclt.exe
Tries to connect to the following IP address and port:
8.8.4.4:53
Performs the following DNS request:
downtraff.ru
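A host triage check for the Mdrop.DYF persistence artefacts listed above, as an added example that is not part of the original post and not a vendor tool. The HKCU variant of the Policies\Explorer\Run key, the all-users Temp path derived from the short path in the description, and the "any autostart pointing into a Temp folder" heuristic are assumptions that go beyond the write-up:

```powershell
# Added example (not from the original post): look for the Mdrop.DYF
# registry value and dropped file described above. Run from an elevated prompt.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'  # assumed variant
)
# Indicators taken from the description: the value name and the dropped file name.
$ValueName   = '30367'
$DroppedFile = 'dubmnaxxxzeur.com'
# The short path in the description (DOCUME~1\alluse~1\LOCALS~1\Temp) resolves to the
# all-users Temp folder on XP/2003 layouts (assumption); $env:TEMP covers the current user.
$TempDirs = @($env:TEMP, "$env:ALLUSERSPROFILE\Local Settings\Temp") |
    Where-Object { $_ -and (Test-Path $_) }

$Findings = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Flag the exact indicator, and (heuristic) any autostart whose command lives in a Temp folder.
        if ($name -eq $ValueName -or
            $data -match [regex]::Escape($DroppedFile) -or
            $data -match '\\Temp\\') {
            $Findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$name"; Detail = $data }
        }
    }
}
foreach ($dir in $TempDirs) {
    $path = Join-Path $dir $DroppedFile
    if (Test-Path $path) {
        # Record a hash so the sample can be matched against the 58368-byte description later.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        $Findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "SHA256 $hash" }
    }
}
if ($Findings.Count -eq 0) { 'No Mdrop.DYF indicators found.' } else { $Findings | Format-Table -AutoSize }
```

The Temp-folder heuristic will also surface legitimate installers that register an autostart from Temp, so treat those hits as leads to review rather than confirmed infections.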