
Trojan:Win32/Refeys.A


Trojan:Win32/Refeys.A is a trojan that steals information about your computer. It then sends this information back to certain websites.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

When run, this trojan opens Wordpad without your knowledge. It then injects its code into Wordpad to avoid detection by your security software. Other samples of this trojan might also open Internet Explorer without your knowledge and inject its code there.

It might create a copy of itself on your computer as "%USERPROFILE%\temp\7.tmp.exe".

It creates the following entry in your system registry so that it automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "MicrosoftUpdate"
With data: "%USERPROFILE%\temp\7.tmp.exe"

Payload

Steals computer information

It gathers the following information about your computer:

  • User name of the currently logged-on user
  • Your computer name
  • What version of Windows your computer has
  • What timezone your computer is in
  • Whether you have access to a Smart card

It also runs a module that logs keystrokes and gets screenshots.

It then sends the information to any of the following websites:


Analysis by Jeong Mun


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %USERPROFILE%\temp\7.tmp.exe
  • The presence of the following registry modification:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    Sets value: "MicrosoftUpdate"
    With data: "%USERPROFILE%\temp\7.tmp.exe"
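As an added example (not part of the Microsoft write-up), the following Python check parses a decoded `reg export` of the HKCU Run key and flags the autorun value and dropped-file path listed above, accepting either the literal %USERPROFILE% placeholder or its expansion for the given profile directory. The sample export text is constructed; `reg export` writes UTF-16 text, which is assumed to have been decoded to a string already.

```python
import re

# Indicators taken from the write-up: autorun value name and dropped file path
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "MicrosoftUpdate"
IOC_PATH_SUFFIX = r"\temp\7.tmp.exe"   # %USERPROFILE% stands for the real profile directory

def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Parse the [Key] / "name"="data" lines of a decoded `reg export` file into
    {key: {name: data}}. Only REG_SZ values are kept; hex:/dword: data is ignored here."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            name, data = _unescape(m.group(1) or ""), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                entries[current][name] = _unescape(data[1:-1])
    return entries

def find_refeys_autorun(entries, user_profile=None):
    """Flag Run-key values matching the write-up's indicators: the value name "MicrosoftUpdate"
    or data pointing at <profile>\temp\7.tmp.exe. Both together is a high-confidence hit."""
    findings = []
    for name, data in entries.get(RUN_KEY, {}).items():
        exe = data.strip('"').lower()   # tolerate a quoted path
        in_profile = exe.startswith("%userprofile%") or bool(
            user_profile and exe.startswith(user_profile.lower()))
        path_match = in_profile and exe.endswith(IOC_PATH_SUFFIX.lower())
        name_match = name.lower() == IOC_VALUE_NAME.lower()
        if path_match or name_match:
            findings.append({"value": name, "data": data,
                             "confidence": "high" if (path_match and name_match) else "review"})
    return findings

# Constructed sample export (not from a real host): one benign entry, one Refeys-style entry
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MicrosoftUpdate"="C:\\Users\\alice\\temp\\7.tmp.exe"
'''

if __name__ == "__main__":
    for hit in find_refeys_autorun(parse_reg_export(SAMPLE_REG), user_profile=r"C:\Users\alice"):
        print(hit)
```

A name-only or path-only match is reported as "review" rather than "high" so that an unrelated value that happens to reuse the name is not treated as a confirmed infection.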


Prevention


Alert level: Severe
First detected by definition: 1.147.1017.0
Latest detected by definition: 1.203.984.0 and higher
First detected on: Apr 04, 2013
This entry was first published on: Apr 04, 2013
This entry was updated on: Apr 22, 2013

This threat is also detected as:
  • Trojan/Win32.PornoAsset (AhnLab)
  • TR/Refeys.A (Avira)
  • BackDoor.Chimerka.1 (Dr.Web)
  • Trojan-PWS.Win32.Fareit (Ikarus)
  • PWS-Zbot.gen.ary (McAfee)
  • Troj/Rorpian-BK (Sophos)