System Infected: Infostealer.Sazoora Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Infostealer.Sazoora activity on an infected machine.

Additional Information

After execution, the original sample deletes itself to hide its presence on the system.
The malware steals user information by monitoring the following sites:
https://verified.visa.com
https://www.mastercard.com
https://www.americanexpress.com
https://www.discovercard.com

The following browsers are monitored by the malware:
Firefox
Chrome
Internet Explorer

To run whenever Windows starts, it creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WindowsHost" = "%APPDATA%\WinHost\svchost.exe"
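
As an added defender's example (not part of this Symantec signature page), the following Python scans an exported HKCU Run key for the persistence entry above and for the broader pattern it implies: an svchost.exe started from anywhere other than System32 or SysWOW64. The .reg export text is constructed sample data, and the function and constant names are assumptions.

```python
import re
import ntpath
# Indicator from the advisory: the Run value name and path Infostealer.Sazoora writes.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_VALUE_NAME = "WindowsHost"
KNOWN_PATH = r"%APPDATA%\WinHost\svchost.exe"
# Directories a genuine svchost.exe runs from (lower-case); anywhere else is a masquerade.
LEGIT_SVCHOST_DIRS = {r"%systemroot%\system32", r"%systemroot%\syswow64",
                      r"c:\windows\system32", r"c:\windows\syswow64"}

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        val = re.match(r'^"([^"]+)"="(.*)"$', line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
        elif val and current is not None:
            # .reg data escapes backslash and double quote with a leading backslash
            entries[current][val.group(1)] = re.sub(r'\\(["\\])', r"\1", val.group(2))
    return entries

def exe_path(run_value):
    """Executable from a Run value: the quoted path, or the bare path before any arguments."""
    v = run_value.strip()
    return v[1:v.find('"', 1)] if v.startswith('"') else v.split(" ", 1)[0]

def find_sazoora_persistence(reg_text):
    """Return (value_name, exe, reason) for the exact advisory indicator or any out-of-place svchost.exe."""
    hits = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        exe = exe_path(data)
        low = exe.lower()
        if name == KNOWN_VALUE_NAME and low == KNOWN_PATH.lower():
            hits.append((name, exe, "exact Infostealer.Sazoora indicator"))
        elif ntpath.basename(low) == "svchost.exe" and ntpath.dirname(low) not in LEGIT_SVCHOST_DIRS:
            hits.append((name, exe, "svchost.exe outside System32/SysWOW64"))
    return hits

# Constructed sample export (not real data): a benign entry, a genuine svchost.exe, two suspicious.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Service"="C:\\Windows\\System32\\svchost.exe -k netsvcs"
"WindowsHost"="%APPDATA%\\WinHost\\svchost.exe"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\tmp\\svchost.exe"
"""
```

On the sample, `find_sazoora_persistence(SAMPLE_REG_EXPORT)` flags only the "WindowsHost" and "Updater" entries; the genuine System32 svchost.exe and the OneDrive entry are left alone.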

Affected

  • All Windows platforms