Remove Spymel Trojan Completely - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Spymel Trojan Completely

Spymel is the name Zscaler researchers gave to a newly discovered Trojan horse. It is an infostealer: it logs keystrokes, spies on user activity on the compromised computer and sends the harvested data to a remote server.

Name: Spymel
Type: Trojan, Infostealer
Short Description: An infostealer Trojan. It connects to a Command and Control server to receive and execute commands; all gathered information is sent back to the attacker.
Symptoms: Steals data, including keystrokes, and can spy on all user activity.
Distribution Method: Targeted attacks, email attachments

Spymel Trojan – Delivery

The most common way to get infected with the Spymel Trojan horse is via an email attachment. The attachment is usually a .zip archive containing a JavaScript file; when the user opens the archive and runs that script, it downloads and installs the Trojan on the machine.
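The zip-with-a-script attachment described above is easy to check for before anyone double-clicks it. The following PowerShell script is an added example, not code from the article or from Zscaler: it lists the members of every .zip in a folder without extracting anything and flags the script and executable types that droppers of this kind use. The quarantine folder path and the function name are assumptions for the example; the list of risky extensions is the author's choice, not something the page specifies.

```powershell
# Added example (not from the article): inspect .zip attachments without extracting them
# and flag script/executable members. Double extensions ("Invoice.pdf.js") are flagged
# as well, because Explorer hides the real extension by default.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows will execute or run through the script host on double-click (assumed list).
$riskyExt = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.exe', '.scr', '.lnk', '.ps1'

function Test-ZipAttachment {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }          # directory entries have no file name
            $ext  = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            $base = [System.IO.Path]::GetFileNameWithoutExtension($entry.Name)
            [pscustomobject]@{
                Archive   = Split-Path -Path $Path -Leaf
                Member    = $entry.FullName
                Bytes     = $entry.Length
                Risky     = $riskyExt -contains $ext
                DoubleExt = [System.IO.Path]::HasExtension($base)   # "Invoice.pdf.js" -> $true
            }
        }
    } finally { $zip.Dispose() }
}

# Usage: point it at a quarantine folder (assumed path) and keep only the suspicious members.
Get-ChildItem -Path 'C:\Quarantine' -Filter '*.zip' -File |
    ForEach-Object { Test-ZipAttachment -Path $_.FullName } |
    Where-Object { $_.Risky -or $_.DoubleExt } |
    Format-Table -AutoSize
```

The script never extracts the archive, so nothing inside it can run; it only reads the central directory through .NET's ZipFile class. A match is a reason to detonate the sample in a sandbox, not proof of infection.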

Another delivery method is to bundle the Trojan with software that pretends to be useful: the user installs the program by hand and gets the malware along with it. Malicious browser plugins and extensions, and websites that host exploit code, are also known to spread infections of this kind.

Spymel Trojan – Technical Information

Spymel is classified as a Trojan horse of the infostealer type. The malware executable that carries Spymel's files and settings is cleverly put together: according to Zscaler researchers, it is signed with a code-signing certificate stolen from the software publisher SBO Invest, which both conceals its origin and lends it an air of authenticity. A valid-looking signature is one reason security products may not have flagged it a few days ago, when its first attack was discovered.

Once executed on a compromised machine, the Spymel Trojan creates the following files, named after the legitimate Windows svchost process:

%AppData%\Roaming\ProgramFiles(32.1)\svchost.exe
%AppData%\Roaming\ProgramFiles(32.1)\svchost.exe.tmp
%AppData%\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\Startup32.1.exe
%UserProfile%\Application Data\ProgramFiles(32.1)\svchost.exe
%UserProfile%\Application Data\ProgramFiles(32.1)\svchost.exe.tmp
%UserProfile%\Start Menu\Programs\Startup\Startup32.1.exe

Note that the genuine svchost.exe lives in %SystemRoot%\System32; a file with that name under a user profile is not the Windows service host.

To remain persistent and run itself and its settings with every start of Windows, the Trojan creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\AppPath\"%UserProfile%\Application Data\ProgramFiles(32.1)\svchost.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunSidebar(32.1)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder\Startup32.1.exe

After these operations, the Trojan modifies the Windows Firewall settings and connects to its Command and Control server. The server address, 213.136.92.111, and the port, 1216, are stored in the Trojan's own configuration:

[Image: Spymel configuration showing the Command and Control address and port. Source: Zscaler]

When connected to the remote server, all gathered information will be sent to it, including keystroke logs. From that Command and Control server, the Spymel Trojan can receive commands that do the following actions:

  • Send the user name, OS version, running processes, video-module flag and the titles of active windows.
  • Send information about the drives in the system.
  • Send the folder and file listing of specified locations.
  • Delete a file or folder.
  • Execute a specified file.
  • Rename a specified file or folder.
  • Uninstall itself.
  • Upload keystroke logs to the Command and Control server.
  • Upload requested files to the Command and Control server.
  • Search all keylogging files for a string.
  • Delete a keylogging file.
  • Send a screenshot of the desktop.
  • Download files from a URL.
  • Switch video recording on and off.
  • Set video-recording options for specific processes.

To make matters worse, the Trojan contains a self-protection module called ProtectMe, which looks for process-management tools such as TaskMgr, Procexp, ProcessHacker and Taskkill and closes them as soon as they start. While that module is running, Spymel cannot be shut down by hand with the usual tools; it has to be stopped from an environment in which its Startup-folder launcher does not run, such as Safe Mode.

Spymel Trojan – Removal

The Trojan horse can spy on you, access all kinds of data on your computer and, if left in place, may download further malware. Everything it gathers is sent back to the attackers, who can sell it or otherwise profit from it. To get rid of the Spymel Trojan horse completely, carefully follow the step-by-step removal instructions below.

Manually delete Spymel

Note! Manual removal of Spymel means deleting files and registry entries by hand, and a mistake there can damage Windows. If you are not comfortable doing this yourself, use a malware removal tool instead.

1. Boot your PC in Safe Mode to isolate and remove Spymel files and objects.
2. Find the malicious files created by Spymel on your PC.
3. Fix the registry entries created by Spymel on your PC.

Automatically remove Spymel from your computer

1. Remove Spymel with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Spymel in the future
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

