
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


StealAll.A

Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

StealAll.A carries out the following actions:

  • It steals the information that the user enters in websites containing forms. These web pages can belong to banking entities or email clients, among others.
  • In this way, StealAll.A obtains confidential information, such as passwords, email addresses, usernames, etc.
  • It obtains information about the operating system and the computer, such as the IP address.
  • It searches the cookies stored on the affected computer in order to obtain information about the websites the user accesses.
  • It then stores the data it has gathered on the server www.pc<blocked>se.us/lm_1, in PHP format.

Infection strategy 

StealAll.A creates the following files:

  • MSTRANS.DLL, in the Windows directory.
  • HELPER.XML, in the Windows system directory.

 

StealAll.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{850C7964-9320-4055-BE11-7D7B562A6417}
  • HKEY_CLASSES_ROOT\Helper.Helper
    (Default) = Helper Class
  • HKEY_CLASSES_ROOT\Helper.Helper\CLSID
    (Default) = {850C7964-9320-4055-BE11-7D7B562A6417}
  • HKEY_CLASSES_ROOT\Helper.Helper\CurVer
    (Default) = Helper.Helper.1
  • HKEY_CLASSES_ROOT\Helper.Helper.1
    (Default) = Helper Class
  • HKEY_CLASSES_ROOT\Helper.Helper.1\CLSID
    (Default) = {850C7964-9320-4055-BE11-7D7B562A6417}
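
A check for the registry entries listed above, run over the text of a .reg export. This is an added example, not Panda Security's code; the function names and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Indicators taken from the entry above.
CLSID = "{850C7964-9320-4055-BE11-7D7B562A6417}"
BHO_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
           "\\Explorer\\Browser Helper Objects\\" + CLSID)
DEFAULTS = {  # key path -> expected (Default) value
    "HKEY_CLASSES_ROOT\\Helper.Helper": "Helper Class",
    "HKEY_CLASSES_ROOT\\Helper.Helper\\CLSID": CLSID,
    "HKEY_CLASSES_ROOT\\Helper.Helper\\CurVer": "Helper.Helper.1",
    "HKEY_CLASSES_ROOT\\Helper.Helper.1": "Helper Class",
    "HKEY_CLASSES_ROOT\\Helper.Helper.1\\CLSID": CLSID,
}

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: (Default) value or None}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, None)
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape backslashes and quotes with a backslash
            keys[current] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return keys

def find_stealall(text):
    """Return the listed key paths found in the export (names compare case-insensitively)."""
    keys = parse_reg(text)
    hits = [BHO_KEY] if BHO_KEY.lower() in keys else []
    for key, expected in DEFAULTS.items():
        value = keys.get(key.lower())
        if value is not None and value.lower() == expected.lower():
            hits.append(key)
    return hits

# Constructed sample export (not captured from a real system).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{850c7964-9320-4055-be11-7d7b562a6417}]
[HKEY_CLASSES_ROOT\Helper.Helper]
@="Helper Class"
[HKEY_CLASSES_ROOT\Helper.Helper\CLSID]
@="{850C7964-9320-4055-BE11-7D7B562A6417}"
"""

print("\n".join(find_stealall(SAMPLE)))
```

"Helper.Helper" and "Helper Class" are generic names, so a match on those alone is weak; the entries that carry the CLSID are the ones to act on.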

Means of transmission 

StealAll.A does not spread automatically by its own means. It needs an attacker's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

StealAll.A is written in Visual C++ v6. This Trojan is 58,880 bytes in size.