Threat behavior
TrojanSpy:Win32/Maran.AT is a trojan that captures user login details for Yahoo Messenger, several online games, and other web sites.
Installation
This trojan may be installed by other malicious programs, or downloaded posing as another application. When run, Win32/Maran.AT creates a mutex named 'xxselfinstallxx'. It may then drop the following files:
Win32/Maran.AT modifies the registry so that the trojan runs as a service at each Windows start:
Adds value: ImagePath
With data: "%windir%\avp.exe"
Adds value: DisplayName
With data: "Audio Adapter"
To subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VGADown\
During installation, the trojan also registers its DLL component in the Winsock Layered Service Provider (LSP) chain. Because every process that uses Winsock loads the registered providers, the DLL is pulled into memory as soon as an Internet connection is made.
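The installation artifacts above can be checked on a live host. The following PowerShell triage script is an added example, not part of the original Microsoft entry, and it assumes the mutex may live in either the session-local or the Global\ object namespace, and that the host uses en-US labels in netsh output. Since the entry does not name the dropped DLL, the LSP check flags any provider whose module is outside System32 rather than matching a specific file name.

```powershell
# Added triage script for the TrojanSpy:Win32/Maran.AT installation artifacts
# described above (not from the original encyclopedia entry). Run elevated.

function Test-MaranMutex {
    # The entry gives the bare name 'xxselfinstallxx'. Checking the Global\
    # variant as well is an assumption: a service-hosted process typically
    # creates its objects in the global namespace.
    foreach ($name in 'xxselfinstallxx', 'Global\xxselfinstallxx') {
        $m = $null
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $m.Dispose()
            return "mutex present: $name"
        }
    }
    return $null
}

function Test-MaranService {
    # Persistence key named in the entry: service VGADown, ImagePath
    # %windir%\avp.exe, DisplayName "Audio Adapter".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VGADown'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    # Match on either indicator so a renamed binary with the same display
    # name, or the same binary under a different display name, still fires.
    $hit = ($p.ImagePath -match '(?i)\\avp\.exe') -or ($p.DisplayName -eq 'Audio Adapter')
    if ($hit) {
        return "service VGADown: ImagePath=$($p.ImagePath) DisplayName=$($p.DisplayName)"
    }
    return $null
}

function Get-SuspiciousLsp {
    # List Winsock catalog provider modules that do not live under System32.
    # 'Provider Path:' is the en-US label printed by netsh; other locales differ.
    $lines = netsh winsock show catalog
    $paths = $lines | ForEach-Object {
        if ($_ -match '^\s*Provider Path:\s*(.+)$') { $Matches[1].Trim() }
    }
    $sys32 = [regex]::Escape((Join-Path $env:SystemRoot 'System32'))
    $paths | Sort-Object -Unique |
        Where-Object { $_ -notmatch "(?i)^%SystemRoot%\\System32\\|^$sys32\\" }
}

function Invoke-MaranTriage {
    $findings = @()
    $r = Test-MaranMutex;   if ($r) { $findings += $r }
    $r = Test-MaranService; if ($r) { $findings += $r }
    foreach ($lsp in Get-SuspiciousLsp) { $findings += "non-System32 LSP provider: $lsp" }
    if ($findings.Count -eq 0) { 'no Maran.AT installation artifacts found' } else { $findings }
}

Invoke-MaranTriage
```

A mutex check only works while the trojan is running, so treat a negative result there as inconclusive and rely on the registry and LSP checks. When cleaning up, remove the LSP registration (or run `netsh winsock reset`) before deleting the DLL: deleting a DLL that is still registered as a layered provider breaks networking for every Winsock application on the host.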
Payload
Steals Sensitive Data
When an Internet connection is made, the DLL component is loaded into running processes, where it monitors for credentials. Win32/Maran.AT attempts to capture login information (usernames, passwords and other details) for the online games 'Ragnarok', 'Cabal' and 'Worldwide Soccer Manager'.
This trojan may also capture login credentials for the online chat program Yahoo Messenger, and may monitor login details entered on other web sites. It may additionally harvest the log files written by other information-stealing malware already present on the system.
Win32/Maran.AT may send the gathered information to a predefined e-mail address using its own SMTP engine and predefined SMTP servers.
Analysis by Patrik Vicol
Prevention