System Infected: Trojan.Snifula Activity 9

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Infostealer.Snifula activity on a compromised machine.

Additional Information

When Infostealer.Snifula is executed, it performs the following actions:

Copies itself as the following file:

%System%\138762763.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Drops the following files:

%ProgramFiles%\Mozilla Firefox\components\AppInterConn.dll
%ProgramFiles%\Mozilla Firefox\components\AppInterConn.xpt
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\[RANDOM].default\chrome\chrome.rdf
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\[RANDOM].default\chrome\overlayinfo\browser\content\overlays.rdf
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\[RANDOM].default\extensions\{1d58a41c-b1a5-4c8f-94bf-6350f2809b06}\chrome.manifest
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\[RANDOM].default\extensions\{1d58a41c-b1a5-4c8f-94bf-6350f2809b06}\install.rdf
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\[RANDOM].default\extensions\{1d58a41c-b1a5-4c8f-94bf-6350f2809b06}\chrome\numberedlinks.jar

Note:
%ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
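A host-side check for the artifacts listed above, added here as an example and not part of the Symantec signature itself. It takes the three folders the notes describe (System, Program Files, user profile) as arguments so it can be pointed at a mounted image or a test tree; the profile name prefix is random, so `*.default` is globbed rather than matched literally.

```python
import os
from pathlib import Path
from typing import List

# Indicators exactly as given in the signature description.
EXTENSION_ID = "{1d58a41c-b1a5-4c8f-94bf-6350f2809b06}"
SELF_COPY = "138762763.exe"
FIREFOX_COMPONENTS = ("AppInterConn.dll", "AppInterConn.xpt")
EXTENSION_FILES = ("chrome.manifest", "install.rdf", os.path.join("chrome", "numberedlinks.jar"))


def find_snifula_artifacts(system_dir: str, program_files: str, user_profile: str) -> List[str]:
    """Return the full paths of every Snifula indicator present under the given folders."""
    hits: List[str] = []

    # 1. The self-copy dropped into the System folder.
    exe = Path(system_dir) / SELF_COPY
    if exe.is_file():
        hits.append(str(exe))

    # 2. The rogue XPCOM component pair in the Firefox install directory.
    comp_dir = Path(program_files) / "Mozilla Firefox" / "components"
    for name in FIREFOX_COMPONENTS:
        if (comp_dir / name).is_file():
            hits.append(str(comp_dir / name))

    # 3. The malicious extension inside any Firefox profile ([RANDOM].default).
    profiles = Path(user_profile) / "Application Data" / "Mozilla" / "Firefox" / "Profiles"
    if profiles.is_dir():
        for prof in profiles.glob("*.default"):
            ext_dir = prof / "extensions" / EXTENSION_ID
            for name in EXTENSION_FILES:
                if (ext_dir / name).is_file():
                    hits.append(str(ext_dir / name))
    return hits


if __name__ == "__main__":
    # Defaults use the live machine's environment; override for an offline image.
    found = find_snifula_artifacts(
        os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32"),
        os.environ.get("ProgramFiles", r"C:\Program Files"),
        os.environ.get("USERPROFILE", r"C:\Documents and Settings\Default User"),
    )
    print("\n".join(found) if found else "no Snifula artifacts found")
```

The check only confirms the presence of the dropped files; a clean result does not rule out a variant that uses different names, so treat a hit as a trigger for full remediation rather than the whole investigation.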

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube