
Gmail passwords are stolen by the Geemarc Trojan

The main task of the Geemarc Trojan is to obtain usernames and passwords for Gmail mailboxes.

The Geemarc Trojan creates a number of files and then modifies the registry. Some of the new file names consist of random characters, which makes the Trojan somewhat harder to identify. A reliable tell-tale sign, however, is that it always creates a folder called MateMedia in the Program Files directory and poses as an application called G-Archiver.

The main goal of Geemarc is to gain access to various usernames and passwords by monitoring the user's Internet activity. The malware specializes in obtaining login information for Gmail mailboxes.

When the Geemarc Trojan starts, it performs the following actions:

1. Creates the following files:
%UserProfile%\Desktop\G-Archiver 1.0.lnk
%UserProfile%\Start Menu\Programs\MateMedia\G-Archiver\G-Archiver 1.0.lnk
%ProgramFiles%\MateMedia\G-Archiver 1.0\G-Archive\Banner.gif
%ProgramFiles%\MateMedia\G-Archiver 1.0\G-Archiver 1.0.exe
%ProgramFiles%\MateMedia\G-Archiver 1.0\G-ArchiverIcon.ico
%ProgramFiles%\MateMedia\G-Archiver 1.0\License.rtf
%ProgramFiles%\MateMedia\G-Archiver 1.0\Mail.dll
%ProgramFiles%\MateMedia\G-Archiver 1.0\SM.dll
%Windir%\Installer\{CE5F519C-E1E6-4DBC-9466-233F156244C7}\_6FEFF9B68218417F98F549.exe
%Windir%\Installer\{CE5F519C-E1E6-4DBC-9466-233F156244C7}\_72F4B9A3636570A0827CE3.exe
%Windir%\Installer\{CE5F519C-E1E6-4DBC-9466-233F156244C7}\_A01885BE201430C921BA79.exe

2. Creates the following directories and files:
%Windir%\Installer
%Windir%\Installer\[random characters].msi
%Windir%\Installer\[random characters].msi

3. Creates temporary files in the %UserProfile%\Local Settings\Temp directory.

4. Creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE5F519C-E1E6-4DBC-9466-233F156244C7}
HKEY_LOCAL_MACHINE\Software\Classes\Installer\Assemblies
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\C915F5EC6E1ECBD4496632F35126447C
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\DC62B62C2A90373449E4936579767009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Program Files\MateMedia" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Program Files\MateMedia\G-Archiver 1.0" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Program Files\MateMedia\G-Archiver 1.0\G-Archive" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\All Users\Start Menu\Programs\MateMedia" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\All Users\Start Menu\Programs\MateMedia\G-Archiver" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Windows\Installer\{CE5F519C-E1E6-4DBC-9466-233F156244C7}" = ""
(In the Installer\Folders key, each folder path is stored as a value name with empty data.)

5. Attempts to obtain usernames and passwords for Gmail mailboxes.
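As an added, read-only defender check that is not part of the original write-up, the following PowerShell script looks on the host under investigation for the file and registry indicators listed above. Run it from an elevated session; the %UserProfile% paths are checked only for the user running it, and the $FilePaths, $RegistryKeys and $Findings names are this example's own.

```powershell
# Added host check for the Geemarc / G-Archiver artifacts listed in the write-up.
# Read-only: it reports which indicators are present and changes nothing.

$ProductCode = '{CE5F519C-E1E6-4DBC-9466-233F156244C7}'

# File-system artifacts from the write-up; environment variables expand at run time.
$FilePaths = @(
    "$env:USERPROFILE\Desktop\G-Archiver 1.0.lnk",
    "$env:USERPROFILE\Start Menu\Programs\MateMedia\G-Archiver\G-Archiver 1.0.lnk",
    "$env:ProgramFiles\MateMedia",
    "$env:ProgramFiles\MateMedia\G-Archiver 1.0\G-Archiver 1.0.exe",
    "$env:ProgramFiles\MateMedia\G-Archiver 1.0\Mail.dll",
    "$env:ProgramFiles\MateMedia\G-Archiver 1.0\SM.dll",
    "$env:windir\Installer\$ProductCode"
)

# Registry keys from the write-up.
$RegistryKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode",
    'HKCU:\Software\Microsoft\Installer\Products\C915F5EC6E1ECBD4496632F35126447C',
    'HKCU:\Software\Microsoft\Installer\UpgradeCodes\DC62B62C2A90373449E4936579767009'
)

$Findings = @()

foreach ($Path in $FilePaths) {
    if (Test-Path -LiteralPath $Path) {
        $Findings += [pscustomobject]@{ Type = 'File'; Indicator = $Path }
    }
}

foreach ($Key in $RegistryKeys) {
    if (Test-Path -LiteralPath $Key) {
        $Findings += [pscustomobject]@{ Type = 'Registry key'; Indicator = $Key }
    }
}

# In Installer\Folders each folder path is stored as a value name with empty data,
# so match on the value names rather than on subkeys.
$FoldersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders'
if (Test-Path -LiteralPath $FoldersKey) {
    foreach ($Name in (Get-Item -LiteralPath $FoldersKey).GetValueNames()) {
        if ($Name -like '*\MateMedia*') {
            $Findings += [pscustomobject]@{ Type = 'Registry value'; Indicator = "$FoldersKey -> $Name" }
        }
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No Geemarc / G-Archiver indicators found.' }
else { $Findings | Format-Table -AutoSize }
```

A hit on the MateMedia folder or the product code alone is a strong signal; the randomly named .msi and temporary files from steps 2 and 3 are not checked because their names cannot be matched reliably.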

