A new trojan has surfaced, named Infostealer.Predet by Symantec researchers. The trojan modifies registry entries, logs keystrokes directly steals all types of important information from user PCs and even spreads to removable drives. But most importantly the trojan masks itself as WindowsUpdate.exe executable so that it runs on system start up. Users should be extremely careful since this is a very popular gaming malware that also steals Steam and Minecraft credentials as well as email passwords and is also reported to spread via games.
|Short Description||The trojan’s payload carrying executable resembles Windows Update.|
|Symptoms||The user may witness the symptoms outlined in the description in this article plus may see some other unexplained activities on the computer.|
|Distribution Method||Via Steam and Spam mail.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by Infostealer.Predet|
|User Experience||Join our forum to discuss Gaming Malware.|
WindowsUpdate.exe Gaming Trojan – How Did I Get It?
One way that this trojan may use to distribute itself is by utilising spam bots on gaming engines such as Steam which is widely used by PC games. The trojan is distributed mainly in Windows 7, Windows Xp and Vista computers.
Steam users may witness unfamiliar users adding them and promising them free game giveaways, as a part of a Black Friday or Christmas promotions. The message may feature a web link to the ‘giveaway’ which is actually the malicious link inserting the payload of the trojan.
Another way this trojan may use is via spam or spoof mails pretending to be from a website the user is registered in. Usually cybercriminals tend to collect user information via cookies or using other methods before actually infecting the computer itself.
Windows Update.exe Gaming Trojan – What Does It Do?
Symantec researchers report that once the trojan has been executed it modifies the following object:
It then creates a registry entry for the process WindowsUpdate.exe which is it`s payload to run every time the computer starts up. The registry key and its value is:
→“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = “%AppData%\WindowsUpdate.exe”
This trojan then could try to run as Administrator on the computer.
Once done that, it starts deleting files:
External Removable Drive:
The trojan also has the ability to terminate processes and clear user data. It also can interact with Steam and delete key steam files that may cause the user to log out.
This cyber threat may also delete or stop key system processes and services.
Windows Task Manager
Windows Registry Editor
This infostealer then begins to gather info about the infected system:
→Computer name;CPU name;Server name;OS platform;OS version;.NET version;Predator version;Predator services status: keylogger, clipboard-logger, report frequency, stealers;Local date and time;Installed language;Installed AVs;Installed;Firewalls;Internal and External IPs
After doing so, the questionable cyber threat is reported to directly steal vital user information from the computer:
→Bitcoin wallet.dat;Email credentials;Browser credentials;Downloader credentials;Internet Downloader ;Manager credentials;Minecraft credentials;Steam credentials;PIN screenshots from RuneScape and EpicBot video games.
Also, symantec report that this trojan has the ability to perform other related tasks to its sole purpose which is to steal data:
→Display fake error messages;Log all keystrokes;Download and execute files;Visit websites;Delete cookies from IE and Firefox browsers;Block certain websites;Spread to removable drives
Since the severity of this threat it is highly advisable to take special precautions when some of the symptoms outlined above are seen and to immediately change all of the passwords on your accounts from a safe PC.
Removing WindowsUpdate.exe Gaming Trojan Completely
In order to remove this nasty threat it is important to isolate it first. You can do this by entering in safe mode without networking and scanning your computer with malware removing tool like shown in the step-by-step tutorial below. However the best method of isolating the threat is to boot your computer in a live operating system and then unlock and scan the file-systems with it, however it is a more tech-savvy solution, because you need to select the right OS that has file-unlocking features.
Here is a tutorial on how to boot into a live OS to scan your PC:
And here is a more automatic solution via booting in safe mode to remove the WindowsUpdate.exe Trojan: