A forum for reverse engineering, OS internals and malware analysis

#5376 by EP_X0FF, Wed Mar 09, 2011 11:37 am
markusg wrote: http://www.virustotal.com/file-scan/rep ... 1299583180
Trojan Info Stealer.

Runs through the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key as documents and settings\user\local settings\application data\microsoft\plugins\sync_user.exe.
The plugins folder also stores a configuration file and the payload DLL, packed with UPX. Sensitive strings are additionally encrypted.
*paypal*
*visa*
*mastercard*
*neteller*
*paysafe*
*money*
*liberty*
*bank*
*login*
*user*
*email*
*Email*
*e-mail*
*password*
*Password*
*PassWord*
*Pass*
*pass*
*username*
*Username*
*userName*
*User*
*account*
*Account*
*paymentPanelList*
*credit_card*
*user*
*card_number*
*xsellCheck*
*creditcard*
*cc_acct_num*
*cc_number*
*creditcard_cvv*
*pay_num*
*mod10_check]*
*txt_credit_card_number*
*cardHolderName*
*cc_no*
*Kartennr*
*[Number]*
*x-acc1*
*dob=*
*cvc2*
*cvcv2*
*CardNumber*
*cardnumber*
*VISA*
*MASTERCARD*
*Visa*
*Mastercard*
*visa*
*mastercard*
*csrfts*
Connects to 92.241.162.201
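A host triage check built from the indicators in the post above (an added example, not EP_X0FF's code): it flags Run-key values that point at the sample's file name or, more generally (an assumed heuristic), at any executable under a per-user application data directory, and matches observed connections against the address the post names. The Run entries and connection list are constructed sample data.

```python
import re

KNOWN_BAD_EXE = "sync_user.exe"      # file name from the post
KNOWN_BAD_C2 = "92.241.162.201"      # address from the post

# Per-user data directories: the XP-era "Local Settings\Application Data" path
# the post shows and its Vista+ equivalent "AppData\Local". A logon autorun
# pointing there is unusual for legitimate software (assumed heuristic).
_USER_DATA_DIRS = re.compile(
    r"\\(local settings\\application data|appdata\\local)\\", re.IGNORECASE)

def command_path(command):
    """Extract the executable path from a Run value (quotes/arguments removed)."""
    command = command.strip()
    if command.startswith('"'):                  # "C:\path\x.exe" /args
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)   # C:\path\x.exe /args
    return m.group(1) if m else command

def flag_run_entries(entries):
    """entries: iterable of (value_name, command) pairs from the Run key.
    Returns [(value_name, path, reason), ...] for entries worth a closer look."""
    hits = []
    for name, command in entries:
        path = command_path(command)
        if path.lower().endswith("\\" + KNOWN_BAD_EXE):
            hits.append((name, path, "file name matches the sample"))
        elif _USER_DATA_DIRS.search(path):
            hits.append((name, path, "autorun from per-user data directory"))
    return hits

def flag_connections(remote_ips):
    """Return observed remote addresses equal to the post's C2 address."""
    return sorted({ip for ip in remote_ips if ip == KNOWN_BAD_C2})

# Constructed sample data, not taken from a real host.
SAMPLE_RUN = [
    ("ctfmon", "C:\\WINDOWS\\system32\\ctfmon.exe"),
    ("plugins", "C:\\Documents and Settings\\user\\Local Settings"
                "\\Application Data\\Microsoft\\Plugins\\sync_user.exe"),
    ("updater", "\"C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe\" /q"),
]
SAMPLE_CONNS = ["10.0.0.5", "92.241.162.201", "8.8.8.8"]

if __name__ == "__main__":
    for hit in flag_run_entries(SAMPLE_RUN):
        print("Run key:", hit)
    print("C2 contacts:", flag_connections(SAMPLE_CONNS))
```

On a live Windows host the same functions can be fed the output of winreg enumeration of the Run key and a netstat listing.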