System Infected: Infostealer.Fysna Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects traffic related to Infostealer.Fysna.

Additional Information

When the Trojan executes, it creates the following files:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\spoolsv.exe
%UserProfile%\Local Settings\Temp\system.log
The Trojan will also drop the following file:
%UserProfile%\Local Settings\Temp\Tor.exe
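The file paths above are host-based indicators. As an added example (not Symantec's code or part of this write-up), the following Python sweep checks the two directories the write-up names for the listed file names and reports which are present. The directory arguments and the constructed demo tree are assumptions so it can run offline; on a Windows host `default_locations()` resolves the write-up's actual paths.

```python
import os
import tempfile
from pathlib import Path

# File indicators listed in the write-up, grouped by the directory they live in.
STARTUP_INDICATORS = ["spoolsv.exe"]          # All Users Start Menu\Programs\Startup
TEMP_INDICATORS = ["system.log", "Tor.exe"]   # %UserProfile%\Local Settings\Temp


def default_locations():
    """Resolve the write-up's two directories on a live Windows host.

    Returns (all_users_startup, user_temp). On non-Windows hosts USERPROFILE
    is absent, so callers should pass directories to sweep() explicitly.
    """
    startup = Path(r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup")
    temp = Path(os.environ.get("USERPROFILE", "")) / "Local Settings" / "Temp"
    return startup, temp


def sweep(startup_dir, temp_dir):
    """Return the indicator paths that exist under the given directories.

    File names are compared case-insensitively so that a copied evidence tree
    on a case-preserving filesystem is still matched.
    """
    hits = []
    for directory, names in ((Path(startup_dir), STARTUP_INDICATORS),
                             (Path(temp_dir), TEMP_INDICATORS)):
        if not directory.is_dir():
            continue
        present = {p.name.lower(): p for p in directory.iterdir()}
        for name in names:
            if name.lower() in present:
                hits.append(str(present[name.lower()]))
    return sorted(hits)


def build_demo_tree():
    """Constructed evidence tree (not from a real infection) for an offline run."""
    root = Path(tempfile.mkdtemp(prefix="fysna_demo_"))
    startup = root / "Startup"
    temp = root / "Temp"
    startup.mkdir()
    temp.mkdir()
    (startup / "spoolsv.exe").write_bytes(b"placeholder")
    (temp / "tor.exe").write_bytes(b"placeholder")   # lower-case on purpose
    (temp / "unrelated.tmp").write_bytes(b"")
    return startup, temp


if __name__ == "__main__":
    s, t = build_demo_tree()
    for hit in sweep(s, t):
        print("indicator present:", hit)
```

The name `spoolsv.exe` is chosen to resemble the legitimate Windows print spooler, which lives under the system directory; a copy in the All Users Startup folder is the anomaly the sweep flags, so treat a hit there as worth examining rather than dismissing it as the real spooler.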

The Trojan then connects to the following remote location to get the public IP address of the compromised computer:
[http://]ekiga.net/i[REMOVED]

The Trojan uses the following regular expressions to scan the memory of running processes in order to find sets of strings:

([0-9]{13,19}[=D][0-9]{5,50})\?
([0-9]{13,19}[\^][A-Za-z\s]{0,30}[\/][[A-Za-z\s]{0,30}[\^]([0-9\s]{1,70})\?)
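The two expressions correspond, on my reading, to magnetic-stripe track 2 data (a 13-19 digit PAN, a `=` or `D` field separator, further digits, then the `?` end sentinel) and track 1 data (PAN, `^`, surname `/` given name, `^`, discretionary data, `?`). As an added example that is not part of the write-up, the following Python scanner compiles those expressions and runs them over a text blob such as a POS log or a converted crash dump, reporting each finding with the PAN masked to first six and last four digits. The sample input is constructed using a well-known test card number and is not real cardholder data; the literal `[` inside the second expression's fourth class is escaped so the meaning is unchanged while avoiding Python's nested-set warning.

```python
import re

# The write-up's expressions. The bare "[" inside the fourth class of the second
# expression is escaped ("\[") for Python; the character class is identical.
TRACK2 = re.compile(r"([0-9]{13,19}[=D][0-9]{5,50})\?")
TRACK1 = re.compile(
    r"([0-9]{13,19}[\^][A-Za-z\s]{0,30}[\/][\[A-Za-z\s]{0,30}[\^]([0-9\s]{1,70})\?)"
)

# Constructed sample: one track-2-style line, one track-1-style line, and a
# near miss that lacks enough trailing digits and the "?" sentinel.
SAMPLE = (
    "POS debug 10:42:01 swipe ok\n"
    "4111111111111111=25121011000000000000?\n"
    "4111111111111111^DOE/JOHN^25121011000000000?\n"
    "4111111111111111=2512\n"
)


def mask_pan(pan):
    """Keep the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text):
    """Return (track_label, masked_pan, offset) for every match in `text`.

    The PAN is the leading digit run of each match; only the masked form is
    kept so the scanner's own output does not become another copy of the data.
    """
    findings = []
    for label, pattern in (("track2", TRACK2), ("track1", TRACK1)):
        for m in pattern.finditer(text):
            pan = re.match(r"[0-9]{13,19}", m.group(1)).group(0)
            findings.append((label, mask_pan(pan), m.start()))
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for label, masked, offset in find_track_data(SAMPLE):
        print(f"{label} at offset {offset}: {masked}")
```

Running the same expressions over data you are allowed to hold (logs, dumps retained for troubleshooting) tells you whether track data that should never be stored is lingering where this family would find it; the near-miss line shows that a truncated record without the sentinel is not matched.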
The Trojan will then execute Tor.exe to connect to the following remote locations:

[http://]5ji235jysrvwfgmb.onion/sendl[REMOVED]
[http://]5ji235jysrvwfgmb.onion/recvda[REMOVED]
The Trojan may then perform the following malicious activities:

Log keystrokes and the title of the active window

Affected

  • Windows
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube