Backdoor:Win32/Spycos.A is a trojan that allows unauthorized remote access to your computer. The trojan may steal your online banking credentials by displaying a false login screen and tricking you into entering them there. The trojan may also lower your computer's security by disabling certain security software services.
Installation
If run, this trojan installs a copy of itself as a file named "modulo.dll". The trojan also modifies the system registry so that Spycos is loaded when the web browser is launched, as in this example:
In subkey: HKLM\SOFTWARE\Classes\CLSID\{4DF58D21-6368-4CCE-9B4D-E36EFEAC28FE}
Sets value: "(default)"
To data: "0"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{4DF58D21-6368-4CCE-9B4D-E36EFEAC28FE}\InprocServer32
Sets value: "(default)"
To data: "c:\modulo.dll"
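The registry entries above register the dropped DLL as an in-process COM server, which is why it is loaded whenever the browser instantiates that CLSID. A defender triaging a machine can export HKLM\SOFTWARE\Classes\CLSID and look for InprocServer32 entries that point at unexpected paths. The script below is an added example, not part of the original analysis or any Microsoft tool: it parses a constructed .reg export (the Spycos.A CLSID and "c:\modulo.dll" path are taken from the entries above; the two other CLSIDs are invented, benign-looking entries), handles only REG_SZ default values, and flags a server either because its file name matches the component named in this analysis or because the DLL lives outside the directories where legitimate COM servers normally reside (an assumed heuristic, not something the analysis states).

```python
"""Triage a .reg export of HKLM\\SOFTWARE\\Classes\\CLSID for suspicious InprocServer32 servers."""
import re
from typing import Dict, List

# Constructed .reg export for this example (not a real capture). The first two keys reproduce
# the CLSID and DLL path from the analysis; the other two CLSIDs are invented so the filter
# has benign entries to leave alone.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DF58D21-6368-4CCE-9B4D-E36EFEAC28FE}]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DF58D21-6368-4CCE-9B4D-E36EFEAC28FE}\InprocServer32]
@="c:\\modulo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\ctl.dll"
"""

# File name the analysis associates with this trojan's dropped component.
KNOWN_BAD_NAMES = {"modulo.dll"}

# Assumed heuristic: legitimate in-process COM servers normally live under these directories.
# A DLL registered from the drive root, a user profile or a temp folder deserves a look.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Matches the InprocServer32 subkey line of a CLSID export and captures the CLSID.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE,
)


def _unquote(value: str) -> str:
    """Turn a .reg REG_SZ literal ("c:\\\\x.dll") back into the stored string."""
    if not (value.startswith('"') and value.endswith('"')):
        return value  # hex(...)/dword values are left as-is; only REG_SZ is handled here
    return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_inproc_servers(reg_text: str) -> Dict[str, str]:
    """Map each CLSID to the DLL path its InprocServer32 default value points at."""
    servers: Dict[str, str] = {}
    current_clsid = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = KEY_RE.match(line)
            current_clsid = match.group(1).upper() if match else None
        elif current_clsid and line.startswith("@="):
            servers[current_clsid] = _unquote(line[2:])
    return servers


def classify(path: str) -> List[str]:
    """Return the reasons a registered server path looks suspicious (empty if none)."""
    reasons: List[str] = []
    lowered = path.lower()
    file_name = lowered.rsplit("\\", 1)[-1]
    if file_name in KNOWN_BAD_NAMES:
        reasons.append("file name matches the Spycos.A component named in the analysis")
    if not lowered.startswith(TRUSTED_PREFIXES):
        reasons.append("DLL registered outside trusted program directories")
    return reasons


def find_suspicious(reg_text: str) -> Dict[str, List[str]]:
    """CLSIDs whose in-process server should be reviewed, with the reasons for each."""
    flagged: Dict[str, List[str]] = {}
    for clsid, path in parse_inproc_servers(reg_text).items():
        reasons = classify(path)
        if reasons:
            flagged[clsid] = reasons
    return flagged


if __name__ == "__main__":
    for clsid, reasons in find_suspicious(SAMPLE_REG).items():
        print(clsid, "->", "; ".join(reasons))
```

On a real machine the input would come from `reg export HKLM\SOFTWARE\Classes\CLSID clsid.reg` run on the host (or from a registry hive collected for forensics); the path heuristic will also surface legitimately installed third-party controls under other directories, so treat a "trusted directories" hit as a lead to verify, not a verdict.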
When the trojan runs, it sets up several timers, each of which triggers a different action.
Payload
Lowers computer security
Backdoor:Win32/Spycos.A disables the UAC elevation prompt so that the trojan (and other future malware) can execute without a Windows system alert.
The trojan attempts to stop and delete certain security software services, for example AVG security.
Downloads arbitrary files
Backdoor:Win32/Spycos.A may contact a remote server to download an update of itself, and it may download new configuration data that instructs it on other actions to take.
Steals login information
Backdoor:Win32/Spycos.A may display a fake logon page so it can capture your logon credentials and send them to a remote attacker. We observed the trojan intercepting browser access to the following domains for this purpose:
- mail.live.com
- internetbanking.caixa.gov.br
The following is one example of a fake "caixa" web login page displayed by this trojan; it resembles the actual login page:

One variant of this trojan was observed to send captured login credentials to an email address "imirrum @ globomail.com".
Analysis by Jim Wang