Installation
This trojan may be installed by other malware and is present as a variably named DLL file, such as "3DVision_280.dll", "AudioSes.dll" and so on. The system registry is modified to execute Spycos when the web browser is launched, as in this example:
In subkey: HKLM\SOFTWARE\Classes\CLSID\{FBEE269C-3039-4E9C-BB33-651B1FB50EF9}
Sets value: "(default)"
To data: "0"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{FBEE269C-3039-4E9C-BB33-651B1FB50EF9}\InprocServer32
Sets value: "(default)"
To data: "<Backdoor:Win32/Spycos.B file name>"
When the trojan runs, it sets up different timers to perform different actions.
Payload
Lowers computer security
Backdoor:Win32/Spycos.B disables the User Account Control (UAC) elevation prompt so that the trojan (and other malware) can execute without a Windows system prompt. It does this by modifying the following registry value:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
To data: "0"
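As an added detection example (not part of this analysis), the following Python scans a registry export in .reg format for the two modifications described above: the InprocServer32 registration under the Spycos CLSID and EnableLUA set to 0. It also goes beyond the write-up by flagging any InprocServer32 default value that points outside the trusted system directories; the sample export and the DLL path in it are constructed, and the trusted-directory list is an assumption.

```python
import re

# CLSID and UAC policy key as given in the analysis above.
SPYCOS_CLSID = "{FBEE269C-3039-4E9C-BB33-651B1FB50EF9}"
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Assumption: a legitimate in-process COM server DLL lives under one of these prefixes.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

def parse_reg(text):
    """Return {key: {name: data}} from .reg text; '@' is the (default) value."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"'):                      # REG_SZ: un-escape \\ and \"
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            elif data.lower().startswith("dword:"):       # REG_DWORD: hex encoded
                data = int(data[6:], 16)
            reg[key][name] = data
    return reg

def find_indicators(text):
    """Return (indicator, key, data) tuples for everything matching the write-up."""
    reg, hits = parse_reg(text), []
    if reg.get(UAC_KEY, {}).get("EnableLUA") == 0:
        hits.append(("uac_elevation_prompt_disabled", UAC_KEY, 0))
    for key, values in reg.items():
        if not key.lower().endswith("\\inprocserver32"):
            continue
        dll = str(values.get("@", ""))
        if SPYCOS_CLSID.lower() in key.lower():
            hits.append(("spycos_clsid_inprocserver32", key, dll))
        elif dll and not dll.lower().startswith(TRUSTED_DIRS):
            hits.append(("inprocserver32_outside_trusted_dirs", key, dll))
    return hits

# Constructed registry export; the DLL path is invented for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBEE269C-3039-4E9C-BB33-651B1FB50EF9}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\AudioSes.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
'''
```

Running `find_indicators(SAMPLE_REG)` on the constructed export reports both the UAC change and the Spycos CLSID registration.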
The trojan attempts to stop and delete certain security software services. These are example commands run by the trojan to stop and delete services:
SC stop AVGIDSAgent
SC stop avg9wd
SC stop AVGWD
SC DELETE AVGIDSAgent
SC DELETE avg9wd
Downloads arbitrary files
Backdoor:Win32/Spycos.B may contact a remote server to download an update of the trojan. The trojan may also download new configuration data that instructs Backdoor:Win32/Spycos.B on other actions to take.
Steals login information
Backdoor:Win32/Spycos.B monitors (or "sniffs") network packets in order to steal login credentials. We observed the trojan intercepting browser access to the following domains for this purpose:
- aapj.bb.com.br
- internetbanking.caixa.gov.br
- santandernet.com.br
- bancobrasil.com.br
One variant of this trojan was observed to send captured login credentials to an email address "imirrum @ globomail.com".
Analysis by Jim Wang