System Infected: Infostealer.Hoardy Activity 4

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects traffic related to Infostealer.Hoardy.

Additional Information

The Trojan arrives as a malicious email attachment.

When the Trojan is executed, it creates the following files:

%Temp%\spoolsv.exe
%Temp%\1.EXE
%Temp%\wuauclt.exe
%Temp%\csrssc.exe
%Temp%\wmiprvse.exe
%UserProfile%\Application Data\Microsoft\Windows\rasauto.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\sys_log.log
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Outlook.lnk


The Trojan creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\"DEPOff" = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"infme" = ""%TEMP%\wmiprvse.exe""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\"Enabled" = 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\"ShownVerifyBalloon" = 0x00000003
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Check_Associations" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"DisableFirstRunCustomize" = 0x00000002
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "about:blank"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\"AutoRecover" = 0x00000002
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"IEHardenIENoWarn" = 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IEHarden" = 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"WarnOnPostRedirect" = 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"WarnOnZoneCrossing" = 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" = 0x00000003
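The registry listing above is written in Symantec's advisory notation (hive\key\"ValueName" = value, with DWORDs as 0x-prefixed hex and strings in quotes). The following added example, which is not part of the Symantec page, parses that notation into structured records and compares them against a registry snapshot so the indicators can be checked mechanically rather than by eye. The snapshot (SAMPLE_SNAPSHOT) is constructed here for illustration; on a real host it would be populated from the registry.

```python
import re
from typing import Dict, List, NamedTuple, Tuple, Union

# The registry entries exactly as listed in the advisory.
ADVISORY_REGISTRY_LINES = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\"DEPOff" = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"infme" = ""%TEMP%\wmiprvse.exe""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\"Enabled" = 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\"ShownVerifyBalloon" = 0x00000003
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Check_Associations" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"DisableFirstRunCustomize" = 0x00000002
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "about:blank"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\"AutoRecover" = 0x00000002
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"IEHardenIENoWarn" = 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IEHarden" = 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"WarnOnPostRedirect" = 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"WarnOnZoneCrossing" = 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" = 0x00000003
'''

RegValue = Union[int, str]
SnapshotKey = Tuple[str, str, str]


class RegEntry(NamedTuple):
    hive: str
    key: str
    name: str
    value: RegValue


# hive \ key path \ "ValueName" = value   (non-greedy key so the first \" ends it)
_LINE_RE = re.compile(r'^(HKEY_[A-Z_]+)\\(.+?)\\"([^"]+)" = (.+)$')


def parse_value(raw: str) -> RegValue:
    """Convert the advisory's value notation: 0x... is a DWORD, "..." a string."""
    raw = raw.strip()
    if raw.lower().startswith("0x"):
        return int(raw, 16)
    # Strip one pair of outer quotes. A doubled quote, as in ""%TEMP%\wmiprvse.exe"",
    # means the stored string is itself quoted, so one pair is kept.
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw


def parse_advisory(text: str) -> List[RegEntry]:
    """Parse every non-empty advisory line into a RegEntry; reject unknown formats."""
    entries: List[RegEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised advisory line: {line!r}")
        hive, key, name, raw = m.groups()
        entries.append(RegEntry(hive, key, name, parse_value(raw)))
    return entries


def _norm(hive: str, key: str, name: str) -> SnapshotKey:
    # Registry paths and value names are case-insensitive; compare normalised.
    return (hive.upper(), key.lower(), name.lower())


def find_matches(entries: List[RegEntry], snapshot: Dict[SnapshotKey, RegValue]) -> List[RegEntry]:
    """Return the advisory entries whose exact value is present in the snapshot."""
    hits: List[RegEntry] = []
    for e in entries:
        observed = snapshot.get(_norm(e.hive, e.key, e.name))
        if observed is not None and observed == e.value:
            hits.append(e)
    return hits


def persistence_entries(entries: List[RegEntry]) -> List[RegEntry]:
    """Entries under a Run key: the ones that restart the Trojan at logon."""
    return [e for e in entries if "\\currentversion\\run" in e.key.lower()]


# Constructed snapshot of three values as a host might report them: two match the
# advisory (IE DEP disabled and the Run-key persistence entry), one does not.
SAMPLE_SNAPSHOT: Dict[SnapshotKey, RegValue] = {
    _norm("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Internet Explorer\MAIN", "DEPOff"): 1,
    _norm("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "infme"): r'"%TEMP%\wmiprvse.exe"',
    _norm("HKEY_CURRENT_USER", r"Software\Microsoft\Internet Explorer\Main", "Start Page"): "https://intranet.example/",
}

if __name__ == "__main__":
    advisory = parse_advisory(ADVISORY_REGISTRY_LINES)
    for e in find_matches(advisory, SAMPLE_SNAPSHOT):
        print(f"MATCH {e.hive}\\{e.key}\\{e.name} = {e.value!r}")
    for e in persistence_entries(advisory):
        print(f"PERSISTENCE {e.hive}\\{e.key}\\{e.name}")
```

Matching on exact values keeps the check tied to what the advisory states; a Run-key entry named infme is a stronger indicator than any single IE hardening value, several of which (a blank start page, DisableFirstRunCustomize) also occur on clean systems, so treat the hardening values as supporting evidence rather than a detection on their own.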


The Trojan opens a back door on the compromised computer, and connects to one of the following URLs:

[http://]facebookhello.h1x.com/my[REMOVED]
[http://]www.teleramafr.com
[http://]site.belgiquede.com


The Trojan steals the following information from the compromised computer and sends it to the remote attacker:

Computer name
Windows version


The Trojan may perform the following actions:

Receive and run commands
Download and execute potentially malicious files

Affected

  • Windows