This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects Infostealer.Monstres communicating with, and requesting information from, its controlling server.
When the Trojan is executed, it creates the following mutex to ensure that only one copy of the threat is running on the computer:
It checks for the presence of the following firewall programs:
Next, the Trojan copies itself to the following location and appends a random amount of data to the file in order to have a random size:
It creates the following folder with system and hidden attributes:
The Trojan then creates the following files, the first of which is used to save gathered information and the second is used to store the encrypted configuration of the Trojan:
Next, the Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"pathx" = [MALWARE_ORIGINAL_FILENAME]
It also modifies the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\ntos.exe"
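A check for the two Winlogon changes just described, added here as an example (not Symantec's tooling): it enumerates the live Winlogon key on Windows, or a constructed sample elsewhere, and flags any program launched through "Userinit" besides the legitimate userinit.exe, plus the presence of the "pathx" value. The accepted spellings of the system directory are an assumption.

```python
import sys
# Directories where the legitimate userinit.exe lives (assumed spellings);
# "%System%" is the write-up's placeholder for the Windows system directory.
SYSTEM_DIRS = (r"%system%", r"%systemroot%\system32", r"c:\windows\system32")

def check_userinit(value):
    """Return entries of a Winlogon 'Userinit' value other than the expected
    userinit.exe (a clean value is typically 'C:\\Windows\\system32\\userinit.exe,')."""
    suspicious = []
    for entry in (e.strip().strip('"') for e in value.split(",") if e.strip()):
        low = entry.lower()
        if low.endswith("\\userinit.exe") and low.startswith(SYSTEM_DIRS):
            continue  # the legitimate entry
        suspicious.append(entry)
    return suspicious

def check_winlogon(values):
    """values maps Winlogon value names to data; returns findings matching the
    persistence changes described for Infostealer.Monstres."""
    lowered = {name.lower(): data for name, data in values.items()}
    findings = []
    for extra in check_userinit(str(lowered.get("userinit", ""))):
        findings.append("Userinit launches an extra program: " + extra)
    if "pathx" in lowered:  # value the Trojan writes with its original file name
        findings.append("Winlogon value 'pathx' present: " + str(lowered["pathx"]))
    return findings

def read_winlogon_from_registry():
    """Enumerate the live Winlogon key (Windows only)."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = data
            index += 1
    return values

# Constructed samples: the infected one mirrors the write-up's entries, with a
# placeholder for the dropped file's name.
SAMPLE_INFECTED = {"Userinit": r"%System%\userinit.exe, %System%\ntos.exe",
                   "pathx": "[MALWARE_ORIGINAL_FILENAME]"}
SAMPLE_CLEAN = {"Userinit": r"C:\Windows\system32\userinit.exe,"}
if __name__ == "__main__":
    values = read_winlogon_from_registry() if sys.platform == "win32" else SAMPLE_INFECTED
    for line in check_winlogon(values) or ["no Winlogon indicators from this write-up"]:
        print(line)
```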
Next, it injects malicious code into the following running processes:
It attempts to create a malicious thread in all running processes except for the following one:
The Trojan creates some of the following mutexes to synchronize all active threads while running in memory:
The injected code prevents removal of the Trojan by blocking access to, and deletion of, all of the malicious files, and by regenerating all of the registry subkeys associated with the Trojan whenever they are deleted.
Next, it may add the following registry entries as infection markers for the compromised computer:
HKEY_LOCAL_MACHINE\Software\microsoft\windows nt\currentversion\network\"UID" = "[COMPUTERNAME]_[UNIQUE_ID]"
It then hooks the following system functions of NTDLL.DLL using rootkit techniques to ensure that its code gets injected into each process:
The Trojan attempts to hook the following functions in the WININET.DLL library to have control of network functionalities and to steal sensitive information:
It attempts to hook the following functions in the WS2_32.DLL and WSOCK32.DLL libraries to have control of network functionalities and to steal sensitive information:
The Trojan may perform the following actions when visiting the Web sites:
* Intercept network traffic
* Redirect traffic
* Steal sensitive data
The Trojan can steal sensitive information from the monster.com Web site by using an employer/recruiter account which is provided by an attacker. It downloads the details for the account from the following location:
Next, the Trojan logs in to the following monster.com Web sites using the provided account:
It then searches for all available resumes, stealing the following information from each resume:
* Email address
* Home address
* Mobile and home phone numbers
Next, it attempts to post the stolen information to the following Web site:
The Trojan may contact the following site to get instructions for spam and additional configuration information:
It sends spam email and attempts to contact the following SMTP server:
The following systems are affected:
- Windows 2000
- Windows 95
- Windows 98
- Windows Me
- Windows NT
- Windows Server 2003
- Windows Vista
- Windows XP
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.