The Trojan has been translated to English and split into three main components:
- NCRDRVP Windows Service (NCRWMI.exe) - Performs keyboard hooking to receive commands from criminals through ATM keypad, and loads the Dispatcher.
- Dispatcher (ServiceP.dll) - Receives instructions from NCRDRVP through a raw socket and executes Ploutus.
- Ploutus (Ploutos.exe) - Interacts with the ATM Software to dispense money.
When executed, the Trojan creates the following files:
The log.txt file is updated with all actions performed by the Trojan.
The Trojan creates the following Windows service using the LocalSystem account:
The Trojan creates the following registry entries:
The Trojan relies on a configuration file named Config.ini, located in the same directory as the malicious binary.
The Trojan then opens a back door on the compromised ATM, allowing an attacker to perform the following actions:
- Dispense all money in the ATM
- Activate the Trojan on demand
- Read all cardholder information entered through the keypad
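The following triage helper is an added example, not Symantec's tooling, and it relies only on what the write-up states: the three component binaries (NCRWMI.exe, ServiceP.dll, Ploutos.exe), the Config.ini that sits beside the binary, the log.txt it writes, and the NCRDRVP service running as LocalSystem. It walks a directory tree for component binaries co-located with Config.ini or log.txt, and checks a list of service records (name, image path, account, the fields a defender would pull from Win32_Service) for the service name or image. The directory layout and the service records are constructed samples for the demonstration, not data from a real ATM.

```python
"""Triage helper for the Ploutus artifacts named in the write-up.

Added example, not Symantec's code. Filenames are matched
case-insensitively because Windows filesystems are. The sample tree and
service records are constructed for the demo, not real ATM data.
"""
import os
import tempfile
from pathlib import Path

COMPONENT_BINARIES = {"ncrwmi.exe", "servicep.dll", "ploutos.exe"}
CONFIG_FILE = "config.ini"
LOG_FILE = "log.txt"
SERVICE_NAME = "ncrdrvp"


def scan_tree(root):
    """Walk `root`; return [(directory, description)] for every directory
    holding a component binary, plus a note when Config.ini or log.txt
    sit beside it. A lone Config.ini is not reported."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower() for f in files}
        binaries = sorted(lower & COMPONENT_BINARIES)
        if not binaries:
            continue
        hits.append((dirpath, "component binaries: " + ", ".join(binaries)))
        if CONFIG_FILE in lower:
            hits.append((dirpath, "Config.ini beside component binary"))
        if LOG_FILE in lower:
            hits.append((dirpath, "log.txt beside component binary"))
    return hits


def check_services(services):
    """`services` is a list of dicts with name/path/account keys.
    Returns [(service name, reasons)] for records that match the
    write-up's service name or image, noting LocalSystem use."""
    findings = []
    for svc in services:
        # basename() on a POSIX host will not split backslashes, so normalise first
        image = os.path.basename(svc["path"].replace("\\", "/")).lower()
        reasons = []
        if svc["name"].lower() == SERVICE_NAME:
            reasons.append("service name NCRDRVP")
        if image in COMPONENT_BINARIES:
            reasons.append(f"image {image}")
        if reasons and svc["account"].lower() == "localsystem":
            reasons.append("runs as LocalSystem")
        if reasons:
            findings.append((svc["name"], "; ".join(reasons)))
    return findings


def build_sample_tree():
    """Constructed layout: one suspicious directory and one benign one
    (Config.ini with a vendor DLL, which must not be flagged)."""
    root = tempfile.mkdtemp(prefix="ploutus_demo_")
    bad = Path(root, "atm", "tools")
    good = Path(root, "atm", "vendor")
    bad.mkdir(parents=True)
    good.mkdir(parents=True)
    for name in ("NCRWMI.exe", "ServiceP.dll", "Ploutos.exe", "Config.ini", "log.txt"):
        (bad / name).touch()
    for name in ("Config.ini", "vendor.dll"):
        (good / name).touch()
    return root


# Constructed service records, not from a real host.
SAMPLE_SERVICES = [
    {"name": "NCRDRVP", "path": r"C:\atm\tools\NCRWMI.exe", "account": "LocalSystem"},
    {"name": "Spooler", "path": r"C:\Windows\System32\spoolsv.exe", "account": "LocalSystem"},
]


def demo():
    """Run both checks over the constructed samples and return the findings."""
    root = build_sample_tree()
    return scan_tree(root), check_services(SAMPLE_SERVICES)


if __name__ == "__main__":
    file_hits, service_hits = demo()
    for directory, why in file_hits:
        print(f"[file] {directory}: {why}")
    for name, why in service_hits:
        print(f"[svc]  {name}: {why}")
```

On a real host the service list would come from `Get-CimInstance Win32_Service` (Name, PathName, StartName) exported to the dict shape above; the file scan needs no change beyond pointing `scan_tree` at the drive root.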
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":