Posted: December 12, 2012

Sanny Description

Sanny, christened for one of the e-mail addresses Sanny uses for a C&C server, is a Korean spyware program that steals passwords and other personal information, with current targets limited to Russian PCs in the information technology, education, telecommunication and aeronautical industries. Sanny is installed by a malicious Word document that displays an actual text document to distract its victims from the malicious activity that takes place at the same time. While e-mail safety against malware infection vectors should be considered important for all PC users, for PC users in the above targeted institutions it is particularly crucial to avoid opening unusual files, even if they appear to be harmless file types. Malware researchers encourage the use of anti-malware software for removing Sanny where necessary, although Sanny also includes some defenses against anti-virus detection that may require extra steps (as detailed in this article) besides just running a system scan.

Sanny: From Korea to Russia with Anything but Love

Sanny is spammed out to targeted business and government e-mail addresses within Russia (although similar attacks that promote different types of malware are, of course, a global concern). The industries noted earlier in this article are especially at risk, since all of them have been confirmed targets of Sanny's attacks, which appear still to be ongoing. Because Sanny's Trojan dropper (the Trojan that installs Sanny) is disguised as a harmless Word file, you should take care to scan such files with anti-malware products before opening them, especially if they've arrived from unusual e-mail messages.

The Trojan dropper that installs Sanny displays a legitimate text file, but also uses software exploits to drop several components of Sanny (an EXE and two separate DLL files) onto the affected PC. Malware researchers note that Sanny launches itself automatically and doesn't display symptoms of its attacks, which are oriented towards gathering confidential information.
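The two paragraphs above make the same defensive point: the dropper arrives as an attachment that looks like a harmless Word file, and such files should be checked before they are opened. The following script is an added example, not code from the original article or from any vendor mentioned on it, of a check a mail gateway or help desk could run on an attachment: it verifies that the file's leading bytes match a Word container (legacy OLE2 .doc, OOXML .docx, or RTF) rather than a Windows executable renamed to .doc, and it looks for a PE executable embedded inside the document body. The sample inputs, the `build_pe_stub` helper and all function names are constructed for this example; Sanny's real dropper bytes do not appear on the page and are not reproduced here.

```python
"""Flag attachments that claim to be Word documents but do not look like one.

Added example (not from the original article). The sample bytes are
constructed: build_pe_stub() produces only a PE header skeleton, not a program.
"""
import os
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc: OLE2 compound file
ZIP_MAGIC = b"PK\x03\x04"                          # .docx: OOXML is a zip archive
RTF_MAGIC = b"{\\rtf"
MZ_MAGIC = b"MZ"                                   # DOS/PE executable header
PE_SIGNATURE = b"PE\x00\x00"
WORD_EXTENSIONS = {".doc", ".docx", ".rtf"}


def detect_container(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever the filename claims."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"


def find_embedded_pe(data: bytes) -> list:
    """Return offsets (> 0) at which a PE executable appears to be embedded.

    A PE image starts with 'MZ'; the 32-bit little-endian value at offset 0x3c
    from that header (e_lfanew) points at the 'PE\\0\\0' signature. Requiring
    both avoids false hits on the two bytes 'MZ' occurring in ordinary content.
    """
    hits = []
    pos = data.find(MZ_MAGIC, 1)  # offset 0 is the container itself, not an embed
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if sig_at + 4 <= len(data) and data[sig_at:sig_at + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return hits


def classify_attachment(name: str, data: bytes) -> dict:
    """Compare the claimed file type (extension) with the observed content."""
    ext = os.path.splitext(name.lower())[1]
    claims_word = ext in WORD_EXTENSIONS
    container = detect_container(data)
    embedded = find_embedded_pe(data)
    if claims_word and container == "pe":
        verdict = "executable disguised as Word document"
    elif claims_word and container == "unknown":
        verdict = "extension does not match content"
    elif embedded:
        verdict = "document carries an embedded executable"
    else:
        verdict = "no finding"
    return {
        "name": name,
        "claims_word": claims_word,
        "container": container,
        "embedded_pe": embedded,
        "verdict": verdict,
    }


def build_pe_stub() -> bytes:
    """Constructed minimal PE header (not runnable code): an 'MZ' header whose
    e_lfanew field points at a 'PE\\0\\0' signature. Used only as sample input."""
    header = bytearray(0x40)
    header[0:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIGNATURE


if __name__ == "__main__":
    # Constructed samples: a clean .doc, a renamed executable, and a .doc with a PE inside.
    samples = {
        "report.doc": OLE2_MAGIC + b"\x00" * 512,
        "invoice.doc": build_pe_stub(),
        "agenda.doc": OLE2_MAGIC + b"\x00" * 64 + build_pe_stub(),
    }
    for filename, content in samples.items():
        result = classify_attachment(filename, content)
        print(f"{filename}: {result['verdict']} (container={result['container']})")
```

The check is a triage aid, not a substitute for a scanner: a document that exploits a parser bug (as the article says Sanny's dropper does) can pass both tests, since the exploit lives in malformed document structures rather than in an obvious embedded executable. Its value is in catching the cheap cases, a renamed EXE or a document with a payload blob appended, before a user double-clicks.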

Information that Sanny has been noted to steal includes:

  • Outlook Express account information.
  • Browser-stored account information for various websites, particularly e-mail sites and social networking sites.
  • General system information, such as the victimized PC's IP address and corresponding location.

Sanny transmits this information (which appears to be processed in two-day cycles) to several potential C&C servers, beginning with a Korean message board and proceeding to two e-mail addresses if the former is unavailable.

Saving Your Passwords from Sanny's Grabby Fingers

Sanny gathers the above information without showing any symptoms of its functions or, indeed, its presence on your PC at all. For Russian PC users in particular, malware researchers recommend that you use suitable anti-malware products to detect Sanny as necessary. Sanny does include some basic defenses, such as code obfuscation, that may prevent some types of anti-malware products from detecting Sanny accurately. To disable Sanny and give your scanner the best chance of identifying it completely, you should boot your PC in Safe Mode or load an OS from a removable hard drive. After that, deleting Sanny should be as easy as running an anti-malware scan on your computer.

Since Sanny processes stolen information rapidly, malware experts also suggest that you change any potentially compromised passwords for various accounts, particularly accounts that are related to e-mail or social networking activities.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Sanny may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.


Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
