TrojanSpy:Win32/Savnut.A

Encyclopedia entry
Updated: Jul 04, 2011  |  Published: Jun 02, 2011

Aliases
  • Trojan-Spy.Win32.Savnut (Ikarus)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.109.1459.0
Released: Aug 10, 2011
Detection initially created:
Definition: 1.105.1097.0
Released: Jun 02, 2011


 

Summary

TrojanSpy:Win32/Savnut.A is a trojan that is downloaded and installed by other malware, such as PWS:Win32/Savnut.A. It logs keystrokes and visited URLs, as well as mouse coordinates and screenshots of the desktop.



 

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.



 

Technical Information (Analysis)

Installation

TrojanSpy:Win32/Savnut.A may arrive on the computer with a fake Adobe Acrobat certificate, signed as a fake Adobe plugin. It may also be detected as TrojanSpy:Win32/Savnut.A!dll.

Payload

Steals user information
Once loaded, TrojanSpy:Win32/Savnut.A logs user keystrokes and visited URLs. It also logs mouse coordinates and takes screenshots of the browser if any of the following websites are accessed:

  • desk.net-temps.com
  • caixatarragona.es
  • washingtonpost.com
  • beyond.com
  • losangeles.jobing.com
  • caixasabadell.net
  • ing.ingdirect.es
  • pccaja.lacajadecanarias.es
  • oie.cajamadridempresas.es

It does the same for the websites of various banks, including Bank of America and Westpac, and web email services, including Hotmail and Gmail.

Analysis by Matt McCormack



 

Prevention



 

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
