Spymel is the name given by Zscaler researchers to a newly found Trojan horse. The Trojan can spy on all user activity. It may log keystrokes and steal information on a compromised computer and send the data to a remote location.
|Short Description||The Trojan is an infostealer type. It connects to a Command and Control server to receive and execute commands. All gathered information is sent back to the attacker.|
|Symptoms||The Trojan steals data, including keystroke information. It can spy on all user activity.|
|Distribution Method||Targeted Attacks, Email Attachments|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by Spymel|
|User Experience||Join our forum to discuss Spymel.|
Spymel Trojan – Delivery
Another delivery method is by installing the Trojan manually as software pretending to be helpful. Instead, you are getting the malware injected into your computer. What is known to spread such infections are browser exploits, such as plugins, extensions, or suspicious sites with malicious code on them.
Spymel Trojan – Technical Information
Spymel is classified as a Trojan horse. The Trojan is an infostealer type. The malware executable containing the files and settings of Spymel has a clever design. According to Zscaler researchers, it tries to conceal its origin and also gain authenticity by hiding behind stolen certificates of the software publisher SBO Invest. That way, security programs may not have detected it a few days ago, when it was discovered to be its first attack.
Once executed on a compromised machine, the Spymel Trojan begins creating files masked as the Windows’ svchost process:
To remain persistant and run itself and its settings with every start of Windows, the Trojan makes the following registry entries:
After these operations, the Trojan will modify Windows Firewall settings, and connect remotely to a Command and Control server. The location of the server is with the address 220.127.116.11 on port 1216, hidden in the Spymel Trojan’s settings:
When connected to the remote server, all gathered information will be sent to it, including keystroke logs. From that Command and Control server, the Spymel Trojan can receive commands that do the following actions:
- Send information of user names, OS, started processes, video module flag, titles of active windows.
- Send information about drives in system.
- Send information about folders and files for certain locations.
- Delete a file or folder.
- Execute a specific file.
- Rename a specific file or folder.
- Uninstall itself.
- Upload logs of keystrokes to the Command and Control server.
- Upload requested files to the Command and Control server.
- Search for a string in all keylogging files.
- Delete a keylogging file.
- Send a Desktop screenshot.
- Download files from a URL.
- Switch video recording On and Off.
- Provide settings of video recording for explicit processes.
To make matters worse, the Trojan has a protection implemented in itself called ProtectMe, which makes shutting Spymel down manually, impossible, while that protection is intact. Its purpose is to look for and close all tools like TaskMgr, Procexp, ProcessHacker and Taskkill, which are all used for process termination.
Spymel Trojan – Removal
The Trojan horse can spy on you, gain access to all kinds of data on your computer and also may infect you with different malware if left untouched. All gathered information can be sent back to hackers, and be used for profit. To completely get rid of the Spymel Trojan horse from your computer, carefully follow the step-by-step removal instructions provided below.
Manually delete Spymel
Note! Substantial notification about the Spymel threat: Manual removal of Spymel requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.