PandaLabs has detected the appearance of Spymaster.A, a Trojan designed to steal all types of information from computers. It combines spyware and keylogger characteristics, enabling it to capture everything from information about users’ Internet usage to user names and passwords entered for services such as online banking. Moreover, it can stealthily pass itself off as the MSN Messenger application so that users remain unaware of its dangerous presence on their systems.
As with most Trojans, Spymaster.A is not able to spread by itself, and therefore needs the intervention of a malicious user. It can reach computers as an attachment to email messages, or could be downloaded from web pages, P2P applications, instant messaging systems or infected CDs or diskettes.
After it reaches a computer, should a user run the file that contains Spymaster.A, a copy of this Trojan is created as a file called syscont.exe. The process associated to this file has the name Win servico. However, it uses a stealth system by which if the user views active processes in the task manager, they will only see it as a process supposedly corresponding to MSN Messenger. This process actually hides the actions of Spymaster.A. Similarly, it creates several Windows registry entries to ensure that it runs every time the computer starts up.
The Trojan also creates a text file called syslogy.cc. This file stores data on the programs used on the computer, web pages visited and all information entered on the keyboard. This is the file that will be sent, via FTP, to an address from which the attacker can collect it.
According to Luis Corrons, director of PandaLabs: “Keylogger Trojans are usually used by cyber-crooks to steal confidential information for fraudulent purposes. Given that, nowadays, financial gain is the main motivation for the creators of malicious code, it is almost certain that more examples will appear, and that they will be increasingly sophisticated and difficult to detect. The way that Spymaster.A hides the process in memory is a good example of this.”
To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, at http://www.activescan.com/. Webmasters who would like to include ActiveScan on their websites can get the HTML code free from http://www.pandasoftware.com/partners/webmasters.
Panda Software clients that don’t yet have TruPrevent Technologies have the updates available to install them along with their antivirus and ensure they have prevented protection against unknown viruses and intruders. For users with a different antivirus program installed, Panda TruPrevent(TM) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the antivirus is updated, decreasing the risk of infection.
