
Sanny

Posted: December 12, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 55
First Seen: December 12, 2012
OS(es) Affected: Windows

Sanny, named for one of the e-mail addresses it uses as a C&C server, is a Korean spyware program that steals passwords and other personal information; its current targets are limited to Russian PCs in the information technology, education, telecommunication and aeronautical industries. Sanny is installed by a malicious Word document that displays a genuine text document to distract its victims from the malicious actions taking place at the same time. While e-mail safety against malware infection vectors is important for all PC users, it's particularly crucial for PC users in the targeted institutions above to avoid opening unusual files, even if they appear to be harmless file types. SpywareRemove.com malware researchers encourage the use of anti-malware software for removing Sanny if necessary, although Sanny also includes some anti-detection features that may require extra steps (as detailed in this article) besides just running a system scan.

Sanny: From Korea to Russia with Anything but Love

Sanny is spammed out to targeted business and government e-mail addresses within Russia (although similar attacks that promote different types of malware are, of course, a global concern). The industries noted earlier in this article are especially at risk, since all of them have been confirmed targets of Sanny's attacks, which appear still to be ongoing. Because Sanny's Trojan dropper (the Trojan that installs Sanny) is disguised as a harmless Word file, you should take care to scan such files with anti-malware products before opening them, especially if they've arrived from unusual e-mail messages.

The Trojan dropper that installs Sanny displays a legitimate text file, but also uses software exploits to drop several components of Sanny (an EXE and two separate DLL files) onto the affected PC. SpywareRemove.com malware researchers note that Sanny launches itself automatically and doesn't display symptoms of its attacks, which are oriented towards gathering confidential information.

Information that Sanny has been noted to steal includes:

  • Outlook Express account information.
  • Browser-stored account information for various websites, particularly e-mail sites and social networking sites.
  • General system information, such as the victimized PC's IP address and corresponding location.

Sanny transmits this information (which appears to be processed in two-day cycles) to several potential C&C servers, beginning with a Korean message board and proceeding to two e-mail addresses if the former is unavailable.

Saving Your Passwords from Sanny's Grabby Fingers

Sanny gathers the above information without showing any symptoms of its functions or, indeed, of its presence on your PC at all. For Russian PC users in particular, SpywareRemove.com malware researchers recommend that you use suitable anti-malware products to detect Sanny as necessary. Sanny does include some basic defenses, such as code obfuscation, that may prevent some types of anti-malware products from detecting it accurately. To disable Sanny and give the scan the best possible chance of identifying it completely, you should boot your PC in Safe Mode or load an OS from a removable hard drive. After that, deleting Sanny should be as easy as running an anti-malware scan on your computer.

Since Sanny processes stolen information rapidly, SpywareRemove.com malware experts also suggest that you change any potentially compromised passwords for various accounts, particularly accounts that are related to e-mail or social networking activities.
