Troj/CashGrab-A is a password-stealing Trojan aimed at customers of banking websites.
Troj/CashGrab-A monitors the user's browsing for banking URLs and then attempts to steal login information.
Troj/CashGrab-A will connect to a remote site to download further files and data.
When first run, Troj/CashGrab-A will drop the following files:
UPDATE.SYS - Text file containing a URL
SETUP.CMD - DOS batch file, used to delete Trojan installation files
%SYSTEM%\WINDOWS.IDN - Text file containing data
%SYSTEM%\WINST.MSI - Text file containing a URL
%SYSTEM%\MSUPDATE.DLL - Troj/CashGrab-A
%SYSTEM%\WINSETUP.EXE - Troj/CashGrab-A
In order to run automatically each time Internet Explorer starts, Troj/CashGrab-A will install MSUPDATE.DLL as a Browser Helper Object. The following registry branches will be created:
HKCR\CLSID\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)
HKCR\msupdate.IEHelperOP
In particular, the following registry entry will be created:
HKCR\CLSID\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)\InprocServer32
(default) = %SYSTEM%\msupdate.dll
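
The following check is an added example, not part of the original description: it parses decoded `reg export` text collected from a host and flags any Browser Helper Object whose CLSID or InprocServer32 DLL matches the registry entries listed above. The sample export, its system32 path and the second CLSID are constructed for illustration, and the function names are hypothetical.

```python
# Indicators from the description above; the CLSID is stored without brackets
# because the page prints it in parentheses while registry exports use braces.
BHO_GUID = "3A4E6FF3-BF59-446E-9DC8-731BCE2F349A"
BHO_DLL = "msupdate.dll"
BHO_ROOT = r"\explorer\browser helper objects"

# Constructed sample in `reg export` syntax: one entry matching the
# description and one unrelated, made-up helper object.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}]
[HKEY_CLASSES_ROOT\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\InprocServer32]
@="C:\\WINDOWS\\system32\\msupdate.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
"""

def parse_reg_export(text):
    """Return {lowercased key path: {value name: data}} from decoded .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            current[name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_cashgrab_bho(keys):
    """List (clsid, server path, reasons) for BHOs matching the indicators."""
    findings = []
    for path in keys:
        parent, _, leaf = path.rpartition("\\")
        if not parent.endswith(BHO_ROOT):
            continue
        guid = leaf.strip("{}()").upper()
        # Resolve the DLL through CLSID\<guid>\InprocServer32 (HKCR or HKLM view).
        suffix = "clsid\\" + leaf + "\\inprocserver32"
        server = next((v.get("(default)", "") for p, v in keys.items()
                       if p.endswith(suffix)), "")
        reasons = [r for r, hit in (("clsid", guid == BHO_GUID),
                   ("dll-name", server.lower().endswith("\\" + BHO_DLL))) if hit]
        if reasons:
            findings.append((guid, server, reasons))
    return findings

if __name__ == "__main__":
    for hit in find_cashgrab_bho(parse_reg_export(SAMPLE)):
        print(hit)
```

Matching on the DLL name as well as the CLSID keeps the check useful if the helper object is registered under a different identifier.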