
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


PayRob.A

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

PayRob.A carries out the following actions:

  • If the subfolder MSAPPS does not exist in the Windows directory of the affected user, the following message is displayed:
    Cannot create file "C:\windows\msapps\modulo3.txt". The system cannot find the path specified
  • It uses the Windows API function called SetFileAttributesA in order to remain hidden in the affected system.
  • It steals the PayPal passwords of the affected user.
    PayPal is a service that lets users that have an email account send money or make payments through the Internet.
  • It stores the passwords in a text file and sends the data to its author from the server: maira2<blocked>eave.com.

Infection strategy 

PayRob.A creates the following files:

  • SPOOLSVR.EXE, in the directory where PayRob.A has been run. This file has the hidden attribute assigned so that it goes unnoticed and users cannot find it.
  • MODULO3.TXT, in the subfolder MSAPPS of the Windows directory. This file is only created if the subfolder MSAPPS already exists in the affected computer.
  • MODEEXPINOVO.TXT, in the subfolder Temporary Internet Files.

 

PayRob.A creates the following entry in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    spoolsvr = %path%\SPOOLSVR.EXE
    where %path% is the path where it has been run.
    By creating this entry, PayRob.A ensures that it is run whenever Windows is started.
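
The files and the Run entry listed above can be checked for during triage. The following is an added example, not part of the original encyclopedia entry: it parses the text output of `reg query` for the HKCU Run key and a list of file paths (for instance from `dir /a /s /b`, which includes hidden files) and reports matches. The function names are hypothetical and the sample input is constructed.

```python
import ntpath
import re

# Indicators from the entry above; compared case-insensitively, as Windows does.
RUN_VALUE = "spoolsvr"
DROPPED_EXE = "spoolsvr.exe"  # note: the genuine print spooler is spoolsv.exe
DATA_FILES = {"modulo3.txt": "\\msapps\\",
              "modeexpinovo.txt": "\\temporary internet files\\"}
REG_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample input (not taken from a real infection).
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    spoolsvr    REG_SZ    C:\Documents and Settings\user\Desktop\SPOOLSVR.EXE
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\Documents and Settings\user\Desktop\SPOOLSVR.EXE",
    r"C:\WINDOWS\msapps\modulo3.txt",
    r"C:\Temp\modulo3.txt",
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\modeexpinovo.txt",
]


def parse_run_key(reg_output):
    """Parse `reg query` text into {value name: data}."""
    values = {}
    for line in reg_output.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip().strip('"')
    return values


def find_payrob_indicators(reg_output, file_paths):
    """Return sorted (indicator, detail) tuples for PayRob.A artefacts."""
    hits = []
    for name, data in parse_run_key(reg_output).items():
        if name.lower() == RUN_VALUE and ntpath.basename(data).lower() == DROPPED_EXE:
            hits.append(("run-key", data))
    for path in file_paths:
        base = ntpath.basename(path).lower()
        if base == DROPPED_EXE:
            hits.append(("dropped-exe", path))
        elif base in DATA_FILES and DATA_FILES[base] in path.lower():
            hits.append(("data-file", path))
    return sorted(hits)
```

Calling `find_payrob_indicators(SAMPLE_REG, SAMPLE_FILES)` flags the Run value, the dropped executable and the two data files, while the legitimate `spoolsv.exe` and the `modulo3.txt` outside MSAPPS are ignored.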

Means of transmission 

PayRob.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

PayRob.A is written in the programming language Delphi. This Trojan is 762,368 bytes in size.