Trojan:MSIL/Scapfrog.A is a trojan that steals sensitive information from the affected computer and attempts to send it to a remote attacker.
Installation
Trojan:MSIL/Scapfrog.A may be installed without the user's knowledge when the user visits a compromised game website.
The trojan drops itself as "administration.exe" under the following directory:
In the wild, we have observed the trojan updating itself by downloading and executing the following file:
The trojan makes the following changes to the registry to ensure that its copy executes at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "administration"
With data: "c:\documents and settings\administrator\application data\whitepixel\administration.exe"
Payload
Drops and executes arbitrary files
Trojan:MSIL/Scapfrog.A drops the following file, whose purpose is to delete the trojan after it has executed, under the following directory:
- %APPDATA%\whitepixel\administration.exe
Modifies system settings
The trojan makes the following changes to the registry in order to reset the GDI+ font cache location:
In subkey: HKCU\Software\Microsoft\GDIPlus
Sets value: "FontCachePath"
With data: "c:\documents and settings\administrator\local settings\application data"
Connects to remote server
Trojan:MSIL/Scapfrog.A attempts to connect to vikiscape.no-ip.biz (a dynamic DNS hostname, so the resolved IP address may change) on TCP port 82 to perform a number of different actions on the affected computer, including:
- Gather and send computer information (for example, operating system details and the MAC (Media Access Control) address)
- Send details about running processes
- Capture a screenshot of the desktop
- Run or terminate applications, including terminating security software
- Update itself
- Check network connectivity by connecting to google.com
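The following PowerShell triage script is an added example, not part of the original analysis. It checks a host for the indicators named in this entry (the HKCU Run value, the dropped file under %APPDATA%\whitepixel, the GDIPlus FontCachePath change, a running administration.exe, live TCP connections to remote port 82, and a DNS cache entry for vikiscape.no-ip.biz) and reports each hit without changing anything. The "administration" value name, the path, the hostname and the port are taken from the text above; everything else (variable names, output format) is the example's own choice.

```powershell
# Added example: read-only host triage for the Trojan:MSIL/Scapfrog.A indicators
# listed in the entry above. Run from an elevated PowerShell on the suspect host.
# It only checks the current user's HKCU hive; see the note below for other profiles.

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: HKCU Run value "administration" pointing at whitepixel\administration.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -Name 'administration' -ErrorAction SilentlyContinue).administration
if ($runVal) {
    $Findings.Add("Run value 'administration' present: $runVal")
}

# 2. Dropped binary under %APPDATA%\whitepixel (the XP-style absolute path in the
#    entry resolves to the same location via the APPDATA environment variable)
$dropPath = Join-Path $env:APPDATA 'whitepixel\administration.exe'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $Findings.Add("Dropped file present: $dropPath (SHA256 $hash)")
}

# 3. GDIPlus FontCachePath redirected by the trojan
$gdiKey = 'HKCU:\Software\Microsoft\GDIPlus'
$fontCache = (Get-ItemProperty -Path $gdiKey -Name 'FontCachePath' -ErrorAction SilentlyContinue).FontCachePath
if ($fontCache) {
    $Findings.Add("GDIPlus FontCachePath set to: $fontCache")
}

# 4. A running process named administration.exe
Get-Process -Name 'administration' -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings.Add("Process administration.exe running, PID $($_.Id), path $($_.Path)")
}

# 5. Network: established TCP connections to remote port 82 (C2 is vikiscape.no-ip.biz:82).
#    Get-NetTCPConnection is available on Windows 8 / Server 2012 and later.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemotePort 82 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Findings.Add("Established TCP connection to $($_.RemoteAddress):82 from PID $($_.OwningProcess)")
        }
}

# 6. DNS cache entry for the C2 hostname. The host is dynamic DNS, so match on the
#    name rather than on any IP address it resolved to.
$dnsCache = ipconfig /displaydns 2>$null
if ($dnsCache -match 'vikiscape\.no-ip\.biz') {
    $Findings.Add('DNS cache contains vikiscape.no-ip.biz')
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Trojan:MSIL/Scapfrog.A indicators found.'
} else {
    Write-Output "Trojan:MSIL/Scapfrog.A indicators found ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

Because both registry changes live under HKCU, the script only sees the profile it runs as; to check other users on the same machine, load each profile's NTUSER.DAT with reg.exe load and repeat the two registry checks against that hive. A hit on the Run value or the dropped file is a strong indicator; the FontCachePath check alone is weaker, since legitimate software can also set that value.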
Analysis by Jaime Wong