Sanny
Posted: December 12, 2012
Threat Metric
The following fields listed on the Threat Meter, each of which carries a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. Criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 2/10 |
|---|---|
| Infected PCs: | 55 |
| First Seen: | December 12, 2012 |
| OS(es) Affected: | Windows |
Sanny, christened for one of the e-mail addresses Sanny uses for a C&C server, is a Korean spyware program that steals passwords and other personal information, with current targets limited to Russian PCs in the information technology, education, telecommunication and aeronautical industries. Sanny is installed by a malicious Word document that displays an actual text document to distract its victims from the malicious actions that take place at the same time as its execution. While e-mail safety against malware infection vectors should be considered important for all PC users, for PC users in the above targeted institutions it's particularly crucial that you avoid opening unusual files – even if they appear to be harmless file types. SpywareRemove.com malware researchers encourage the usage of anti-malware software for removing Sanny if it's necessary, although Sanny also includes some anti-detection features that may require extra steps (as detailed in this article) besides just running a system scan.
Sanny: From Korea to Russia with Anything but Love
Sanny is spammed out to targeted business and government e-mail addresses within Russia (although similar attacks that promote different types of malware are, of course, a global concern). The industries noted earlier in this article are especially at risk, since all of them have been confirmed targets of Sanny's attacks, which appear to be ongoing. Because Sanny's Trojan dropper (the Trojan that installs Sanny) is disguised as a harmless Word file, you should take care to scan such files with anti-malware products before opening them, especially if they've arrived in unusual e-mail messages.
The Trojan dropper that installs Sanny displays a legitimate text file, but also uses software exploits to drop several components of Sanny (an EXE and two separate DLL files) onto the affected PC. SpywareRemove.com malware researchers note that Sanny launches itself automatically and doesn't display symptoms of its attacks, which are oriented towards gathering confidential information.
Information that Sanny has been noted to steal includes:
- Outlook Express account information.
- Browser-stored account information for various websites, particularly e-mail sites and social networking sites.
- General system information, such as the victimized PC's IP address and corresponding location.
Sanny transmits this information (which appears to be processed in two-day cycles) to several potential C&C servers, beginning with a Korean message board and proceeding to two e-mail addresses if the former is unavailable.
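The dropper chain described above (a Word document that drops an EXE plus two DLLs, launches the EXE, and sends data out) can be caught from host telemetry by correlating process lineage with file writes and network connections. The following is an added example written for this article, not code from SpywareRemove.com or from any vendor; the event layout, the `winword.exe` process name and the sample records are all constructed assumptions.

```python
"""Behavioural detector for the Sanny-style dropper chain.

Constructed sample telemetry (not real logs): each record is
(timestamp, event, pid, ppid, image, detail). An alert fires when a
document-viewer process writes an .exe and at least one .dll, one of
those dropped files is executed as a child, and that child connects out.
The process names and field layout are assumptions for this example.
"""

DOC_VIEWERS = {"winword.exe"}   # assumed image name of the Word process
DROP_EXTS = (".exe", ".dll")

# Constructed events, in the order a host sensor would emit them.
EVENTS = [
    ("10:00:01", "proc_start", 400, 1, "explorer.exe", ""),
    ("10:00:02", "proc_start", 501, 400, "winword.exe", "invite.doc"),
    ("10:00:05", "file_write", 501, 400, "winword.exe", r"C:\Temp\svc.exe"),
    ("10:00:05", "file_write", 501, 400, "winword.exe", r"C:\Temp\a.dll"),
    ("10:00:06", "file_write", 501, 400, "winword.exe", r"C:\Temp\b.dll"),
    ("10:00:07", "proc_start", 777, 501, "svc.exe", r"C:\Temp\svc.exe"),
    ("10:00:09", "net_connect", 777, 501, "svc.exe", "board.example:80"),
    ("10:05:00", "proc_start", 900, 400, "notepad.exe", "readme.txt"),
    ("10:05:01", "file_write", 900, 400, "notepad.exe", r"C:\Users\u\n.txt"),
]


def detect_dropper_chain(events, viewers=DOC_VIEWERS):
    """Return one alert per viewer process whose dropped PE files are
    executed and then open a network connection."""
    drops = {}       # viewer pid -> list of dropped .exe/.dll paths
    children = {}    # pid of an executed dropped file -> viewer pid
    alerts = []
    for ts, ev, pid, ppid, image, detail in events:
        if ev == "proc_start" and image.lower() in viewers:
            drops.setdefault(pid, [])            # track the document process
        elif ev == "file_write" and pid in drops and detail.lower().endswith(DROP_EXTS):
            drops[pid].append(detail)            # PE written by the viewer
        elif ev == "proc_start" and ppid in drops and detail in drops[ppid]:
            children[pid] = ppid                 # a dropped file was launched
        elif ev == "net_connect" and pid in children:
            root = children[pid]
            exes = [p for p in drops[root] if p.lower().endswith(".exe")]
            dlls = [p for p in drops[root] if p.lower().endswith(".dll")]
            if exes and dlls:                    # EXE + DLL pattern, then exfil
                alerts.append({"viewer_pid": root, "child_pid": pid,
                               "dropped": list(drops[root]),
                               "dest": detail, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_dropper_chain(EVENTS):
        print(alert)
```

The benign notepad activity in the sample produces no alert because it never writes a PE file or spawns a dropped child.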
Saving Your Passwords from Sanny's Grabby Fingers
Sanny gathers the above information without showing any symptoms of its functions or, indeed, its presence on your PC at all. For Russian PC users in particular, SpywareRemove.com malware researchers recommend that you use suitable anti-malware products to detect Sanny as necessary. Sanny does include some basic defenses, such as code obfuscation, that may prevent some types of anti-malware products from detecting Sanny accurately. To disable Sanny and give your anti-malware software the best chance of identifying all of its components, you should boot your PC in Safe Mode or load an OS from a removable hard drive. After that, deleting Sanny should be as easy as running an anti-malware scan on your computer.
Since Sanny processes stolen information rapidly, SpywareRemove.com malware experts also suggest that you change any potentially compromised passwords for various accounts, particularly accounts that are related to e-mail or social networking activities.