- Threat Encyclopedia
- Malware
- TSPY_USTEAL.USRJ
Mal/RufTar-C (Sophos) ,Trojan horse PSW.Generic10.BNGG (AVG) ,W32/ZBOT.CDL!tr (Fortinet) ,W32/Usteal.C.gen!Eldorado (generic, not disinfectable) (Fprot) ,Trojan-Spy.Win32.Usteal (Ikarus) ,HEUR:Trojan.Win32.Generic (Kaspersky) ,Trojan:Win32/Ransom.FO (Microsoft) ,PWS-FAPK!83050FBF1095 (McAfee) ,probably a variant of Win32/Spy.Usteal.C trojan (Eset) ,Trojan-Spy.Win32.Usteal.da (v) (Sunbelt)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Downloaded from the Internet, Dropped by other malware
This USTEAL variant drops a ransomware detected as TROJ_RANSOM.SMAR, which is created by a new toolkit builder.
To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
77,824 bytes
EXE
Yes
23 Apr 2014
Connects to URLs/IPs, Steals information, Drops files
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This spyware adds the following folders:
It drops and executes the following files:
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
Information Theft
This spyware gathers the following data:
Stolen Information
This spyware saves the stolen information in the following file:
Drop Points
Stolen information is uploaded to the following websites:
Other Details
This spyware connects to the following URL(s) to get the affected system's IP address:
NOTES:
It attempts to steal stored account information of the following installed FTP clients or File Managers:
It also attempts to steal stored email credentials:
This spyware attempts to retrieve stored information such as user names, passwords, and hostnames from the following browsers:
This spyware attempts to retrieve stored information such as user names and passwords from the following instant messenger:
This spyware attempts to retrieve stored information such as user names and passwords from the following games:
This spyware attempts to retrieve stored information such as user names and passwords from the following Windows applications:
9.700
10.744.03
23 Apr 2014
10.745.00
24 Apr 2014
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Remove the malware/grayware file dropped/downloaded by TSPY_USTEAL.USRJ. (Note: Please skip this step if the threat(s) listed below have already been removed.)
Step 3
Search and delete this folder
Step 4
Scan your computer with your Trend Micro product to delete files detected as TSPY_USTEAL.USRJ If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.