TSPY_DAURSO.SMY

This spyware opens a hidden Internet Explorer window.

Arrival Details

This spyware may be downloaded from the following remote site(s):

• http://alesolo.ru/new/controller.php?action=bot&entity_list=&first=0&rnd=981633&uid=1&guid=2847846060

Installation

This spyware drops the following component file(s):

• %System%\drivers\{Random File Name}.sys - detected as RTKT_BUBNIX.A

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• mutex_io

Backdoor Routine

This spyware opens a hidden Internet Explorer window.

Stolen Information

This spyware saves the stolen information in the following file:

• %ProgramFiles%\FTP Navigator\ftplist.txt

It sends the gathered information via HTTP POST to the following URL:

• http://95.80.200.134/good/receiver/ftp

Other Details

Based on analysis of the codes, it has the following capabilities:

• This spyware steals sensitive FTP credentials of the following FTP client applications: CoreFTP, Ghisler, GlobalSCAPE, FileZilla, FlashFXP, SmartFTP.
• It also searches for files inside the following user folders to look for saved FTP credentials: %Application Data%GlobalSCAPE, %Application Data%FileZilla, %Application Data%FlashFXP, %Application Data%SmartFTP

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)