System Infected: Infostealer.Retgate Activity 3

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects activity of Infostealer.Retgate.

Additional Information

The Trojan may arrive through email.

When the Trojan is executed, it creates the following file:
%AppData%\SubFolder\SubFolder\winlogon.exe

The Trojan modifies the following file:
%AllUsersProfile%\Mozilla\Firefox\prefs.js

Note: In prefs.js, the Trojan adds the following settings:
user_pref("network.http.spdy.enabled.v3", false)
user_pref("network.http.spdy.enabled.v3-1", false)
user_pref("network.http.spdy.enabled", false)

The Trojan then modifies the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"EnableSPDY3_0" = "0"

The Trojan injects itself into the following processes:
outlook.exe
firefox.exe
chrome.exe
iexplore.exe

By hooking APIs in the injected processes, the Trojan may then steal usernames and passwords from Outlook and from visited websites, capturing them before they are encrypted and sent out to the network.

The Trojan sends stolen information to the following remote location:
[http://]www.securemediaserver.net/ret/gat[REMOVED]
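The host artifacts above (the dropped file, the three prefs.js settings and the EnableSPDY3_0 registry value) can be checked with a short script. The following Python is an added example for this signature page, not Symantec's detection logic: it parses prefs.js text for the SPDY switches the advisory lists, normalizes the registry value, and on a Windows host looks for the two file paths and the registry entry named above. The sample prefs.js content is constructed here for the self-test, and the function names are this example's own.

```python
import os
import re
import sys
from typing import Dict, List, Optional, Union

# Constructed sample prefs.js content (not from the advisory). The three SPDY
# lines mirror the settings the advisory lists; the rest are ordinary Firefox
# preferences added so the parser has benign lines to skip.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1400000000);
user_pref("browser.startup.homepage_override.mstone", "29.0");
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("network.http.spdy.enabled", false);
user_pref("privacy.donottrackheader.enabled", true);
"""

# Preferences the advisory says the Trojan forces to false.
SPDY_PREFS = (
    "network.http.spdy.enabled",
    "network.http.spdy.enabled.v3",
    "network.http.spdy.enabled.v3-1",
)

# Paths and registry location taken from the advisory text.
DROPPED_FILE = r"%AppData%\SubFolder\SubFolder\winlogon.exe"
PREFS_FILE = r"%AllUsersProfile%\Mozilla\Firefox\prefs.js"
INET_SETTINGS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
INET_SETTINGS_VALUE = "EnableSPDY3_0"

# Matches: user_pref("name", value);  The trailing semicolon is optional
# because the advisory quotes the lines without it.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);?\s*$')


def parse_prefs(text: str) -> Dict[str, str]:
    """Return {pref_name: raw_value} for every user_pref line; comments and blanks are skipped."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def find_spdy_disabled(prefs: Dict[str, str]) -> List[str]:
    """Names of the SPDY preferences explicitly set to false, sorted for stable output."""
    return sorted(name for name in SPDY_PREFS if prefs.get(name, "").lower() == "false")


def spdy_tampering_suspected(prefs: Dict[str, str]) -> bool:
    """All three SPDY switches forced off together is the pattern the advisory describes."""
    return len(find_spdy_disabled(prefs)) == len(SPDY_PREFS)


def enable_spdy_disabled(value: Optional[Union[int, str]]) -> bool:
    """True when EnableSPDY3_0 equals the "0" the advisory lists (accepts DWORD 0 or string "0")."""
    if value is None:
        return False
    return str(value).strip() == "0"


def check_live_host() -> Optional[dict]:
    """Windows only: report the advisory's file and registry indicators on this machine.

    Returns None on non-Windows platforms so the module stays importable anywhere.
    """
    if sys.platform != "win32":
        return None
    import winreg  # available on Windows builds of CPython

    report = {
        "dropped_file_present": os.path.exists(os.path.expandvars(DROPPED_FILE)),
        "prefs_spdy_tampered": False,
        "registry_spdy_disabled": False,
    }
    prefs_path = os.path.expandvars(PREFS_FILE)
    if os.path.exists(prefs_path):
        with open(prefs_path, encoding="utf-8", errors="replace") as fh:
            report["prefs_spdy_tampered"] = spdy_tampering_suspected(parse_prefs(fh.read()))
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INET_SETTINGS_KEY) as key:
            value, _type = winreg.QueryValueEx(key, INET_SETTINGS_VALUE)
            report["registry_spdy_disabled"] = enable_spdy_disabled(value)
    except OSError:
        pass  # key or value absent: nothing to report
    return report


if __name__ == "__main__":
    print("sample prefs.js SPDY tampering:", spdy_tampering_suspected(parse_prefs(SAMPLE_PREFS_JS)))
    print("live host:", check_live_host())
```

A single SPDY preference set to false is not unusual on its own; the check only flags the combination of all three, which is what the advisory attributes to the Trojan, and any hit should be confirmed against the dropped file and the injected processes listed above.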

Affected

  • Windows