My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Doctor Web examined new spyware targeting accounting programs

June 27, 2016

Some of modern Trojans are complex multicomponent malicious programs that can perform a wide variety of functions. In this paper, we are going to focus on a dropper Trojan which was named Trojan.MulDrop6.44482, whose sample was kindly provided by Yandex. This malware is intended to spread other malicious programs including a dangerous spyware designed to attack accounting departments of Russian companies.

Trojan.MulDrop6.44482 is distributed as an installer that checks the system for the presence of such anti-viruses as Dr.Web, Avast, ESET or Kaspersky. If it detects one of them, or if the computer does not use the Russian localization of Windows, the dropper terminates itself. In any other cases, it saves the 7z packer and a password-protected archive on the disk. Then it retrieves files from the archive one by one. Among them, there are several programs and dynamic libraries that serve different purposes. One of the unpacked programs, which Dr.Web detects as Trojan.Inject2.24412, is a Trojan that is embedded into malicious libraries’ processes launched on the infected computer. The second program unpacked by the dropper is Trojan.PWS.Spy.19338—a spyware Trojan that sends texts entered into the windows of various programs including accounting ones.

Trojan.PWS.Spy.19338 is launched directly in the computer’s memory without saving it on the disk in decrypted form. At that, the disk contains its encrypted copy. The main purpose of this Trojan is to log keystrokes and to collect information about the system. Besides, the keylogger module sends data from the clipboard history to virus makers. Trojan.PWS.Spy.19338 can run programs with or without their intermediate save on the disk. Every module of the Trojan performs its own functions.

All information sent by Trojan.PWS.Spy.19338 to the server is encrypted first with the RC4 algorithm and then—with XOR. The Trojan saves logged keystrokes on the disk as a special file and transmits its content to the server every minute. The Trojan also sends the name of the window the keystrokes in which were logged. The malicious program monitors the user activity in the following applications:

  • 1C version 8
  • 1C version 7 and 7.7
  • SBIS++
  • Skype
  • Microsoft Word
  • Microsoft Excel
  • Microsoft Outlook
  • Microsoft Outlook Express and Windows Mail
  • Mozilla Thunderbird

In addition, the Trojan collects information about connected devices for Smart Card use. Separate components of Trojan.PWS.Spy.19338 allow to send information about the computer’s system to the C&C server.

Dr.Web Anti-virus detects and removes all the above-mentioned malware programs. Therefore, they do not pose any thereat to our users. Doctor Web specialists would like to thank Yandex for providing the Trojan’s sample for research.

More about Trojan.MulDrop6.44482

More about Trojan.PWS.Spy.19338

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments