Everyday we discover a huge number of new Trojans. Almost all of them are crimeware related (to steal any kind of credentials, e-mail addresses, etc.). It is common that the hackers, some of them really lazy, use different tools to carry out different actions instead of programming them within the code of the Trojan. This is good for us, as we can see suspicious behaviours when some services or tools are running.
Today I’m going to talk about a new Trojan we have just been dealing with and that uses some Windows features in order to take control of the infected computer.
The Trojan is named Trj/Artesimda.A, it creates a new account in Windows XP, whose user name is “Adminestrator” and the password is “Pass3488585”.
This is what you would see in case you’re infected:
It uses a rootkit in order to hide itself and it starts the Remote Desktop Help Session Manager. As it steals different information (as the IP address) and has a local administrator user account and password, the hacker can remotely connect to the infected computer with full access. It is not the smartest way to control an infected computer, but it is an original one.
It also monitors Internet Explorer traffic and steals all the information entered in websites that contain forms. This way, it could obtain e-mail addresses, as well as usernames & passwords stored in the system, etc. But, not only it obtains all this information but also data about the software and hardware installed on the infected computer.
All the stolen information is sent out to a server located in Hong Kong.