
System Infected: Infostealer.Limitail Activity 62

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects network traffic generated by Infostealer.Limitail, a Trojan that logs keystrokes and window titles, captures screen shots, and uploads the stolen data to a remote web script.

Additional Information

When the Trojan is executed, it copies itself to the following location:
%UserProfile%\Application Data\Microsoft\SysAudio.exe

Next, it creates the following folder (path as observed on the analysis system, where the infected account was "Administrator"; on other hosts the profile name in the path will differ):
C:\Documents and Settings\Administrator\Application Data\Microsoft\Backups

The Trojan then takes screen shots and saves them to the following location:
%UserProfile%\Application Data\Microsoft\Credentials\screen[NUMBER].png

Note: [NUMBER] starts at 0 and increments by 1 for each screen shot that is taken.

Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Google Updater" = "%UserProfile%\Application Data\Microsoft\SysAudio.exe"

The Trojan also records the following information:
  • Keystrokes
  • Title bars of open windows

The stolen information is then sent, formatted as an email message, to the following location:
limitlessmail.3owl.com/LimitlessEmail.php
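The indicators above (the exfiltration URL, the Run value name and the dropped binary's path) are enough to hunt for this Trojan without the vendor signature. The script below is an added example, not Symantec's detection logic or anything shipped with the product: it checks proxy log lines for the upload endpoint and checks a registry export for the persistence entry. The proxy log layout ("timestamp client_ip method url status") and the .reg export text are constructed here for illustration, as are the function names.

```python
"""Hunt for Infostealer.Limitail indicators in proxy logs and a .reg export.

Added example, not Symantec's signature logic. The log format and the
registry export below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the write-up above (compared case-insensitively).
EXFIL_HOST = "limitlessmail.3owl.com"
EXFIL_PATH = "/limitlessemail.php"
RUN_VALUE_NAME = "google updater"
DROPPED_BINARY = r"\application data\microsoft\sysaudio.exe"


def is_exfil_url(url: str) -> bool:
    """True if the URL targets the Limitail upload script.

    Matches regardless of scheme, letter case, explicit port or query string,
    and accepts bare host/path strings (no scheme) as some logs record them.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname strips the port
    return host == EXFIL_HOST and parts.path.lower() == EXFIL_PATH


# Assumed proxy log layout: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(lines):
    """Return (client_ip, url) for every line that hits the exfil endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_exfil_url(m.group(4)):
            hits.append((m.group(2), m.group(4)))
    return hits


REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')  # REG_SZ values only


def scan_reg_export(text: str):
    """Return suspicious (key, name, data) triples from a .reg export.

    Flags values under any ...\\CurrentVersion\\Run key whose name is the one
    the Trojan uses or whose data points at the dropped binary. The .reg
    format doubles backslashes inside string data, so they are unescaped
    before comparison.
    """
    hits = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VALUE_RE.match(line)
        if not (vm and key and key.lower().endswith(r"\currentversion\run")):
            continue
        name, data = vm.group(1), vm.group(2).replace("\\\\", "\\")
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith(DROPPED_BINARY):
            hits.append((key, name, data))
    return hits


# Constructed sample input: one benign request, two exfil attempts in
# different casings, and an unrelated request to the same host.
SAMPLE_LOG = """\
2013-03-01T12:00:01 10.0.0.15 GET http://www.example.com/index.html 200
2013-03-01T12:00:07 10.0.0.15 POST http://limitlessmail.3owl.com/LimitlessEmail.php 200
2013-03-01T12:03:07 10.0.0.22 POST HTTP://LIMITLESSMAIL.3OWL.COM:80/limitlessemail.php?x=1 200
2013-03-01T12:05:00 10.0.0.22 GET http://limitlessmail.3owl.com/other.php 404
""".splitlines()

# Constructed .reg export of the user's Run and RunOnce keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Updater"="C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\SysAudio.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Temp\\cleanup.exe"
"""

if __name__ == "__main__":
    for ip, url in scan_proxy_log(SAMPLE_LOG):
        print(f"exfil attempt from {ip}: {url}")
    for key, name, data in scan_reg_export(SAMPLE_REG):
        print(f"persistence: [{key}] {name} = {data}")
```

The network check keys on host and path only, because the scheme, port, case and query string are the parts an attacker can vary without touching the server-side script; the registry check keys on both the value name and the binary path, so renaming one of them does not evade it.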

Affected

  • Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP