W32/Sincom!tr

Analysis

  • Trojan is 32-bit with a compressed file size of 7712 bytes.
  • Trojan may have been installed by W32/DL.3072-net, downloaded from the Internet and copied to the local system as "sproc32.exe". The registry may be altered to load the Trojan at Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    Sproc32 = %Windows%\sproc32.exe

  • At next Windows restart, the Trojan may log keystrokes into a file "c:\xf3e.tmp".
    The Trojan may connect to the Internet and send data to hard-coded email addresses:

    testaddr23@hotbox.ru
    testaddr23@mail15.com
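
A host check for the indicators listed above, as an added example that is not part of the original description. It assumes `%Windows%` refers to the Windows directory (`$env:windir`), and it also inspects the `WOW6432Node` Run key, which the description does not mention.

```powershell
# Added example: look for the Run value and files named in this description.
$valueName = 'Sproc32'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    # Not from the description: on 64-bit Windows a 32-bit process writing to
    # HKLM\Software lands in this view, so it is checked as well.
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$files = @(
    (Join-Path $env:windir 'sproc32.exe'),  # assumption: %Windows% = $env:windir
    'C:\xf3e.tmp'                           # keystroke log named in the description
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $k = Get-Item -LiteralPath $key
    foreach ($name in $k.GetValueNames()) {
        $data = [string]$k.GetValue($name)
        # Match the value name, or any autostart entry pointing at sproc32.exe.
        if ($name -ieq $valueName -or $data -match '(?i)\\sproc32\.exe') {
            $findings += [pscustomobject]@{
                Type = 'RunValue'; Location = "$key\$name"; Detail = $data
            }
        }
    }
}

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f -Force   # -Force: include hidden files
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $item.FullName
            Detail   = "$($item.Length) bytes, modified $($item.LastWriteTime)"
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No listed indicators found.'
}
```

Run it from an elevated prompt so both registry views and the Windows directory are readable.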
