
Trojan.Carberp.D


First posted on 05 September 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Carberp.D.

Explanation:

The threat may arrive on the compromised computer through phishing emails.

Once executed, the Trojan creates the following files:
%UserProfile%\Application Data\Mozilla\svchost.exe
%UserProfile%\Application Data\Mozilla\[RANDOM FILE NAME].bin

Next, the Trojan creates the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[EXISTING SERVICE NAME]Sys
Note: [EXISTING SERVICE NAME] is a service name chosen from the list of existing services on the compromised computer.

The Trojan then opens a back door on the compromised computer and connects to one of the following remote locations over TCP port 443:
185.29.9.28
141.255.167.28

The Trojan may then perform the following actions:
Gather account credentials and send them to a remote location
Download additional malicious components
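
The indicators listed above can be checked together against a host inventory. The following is an added example, not part of the Symantec write-up: the inventory layout (`services`, `files`, `connections`) and the function names are assumptions, and the sample host is constructed. A service-name match is a lead for review rather than proof, since a legitimate service could also end in "Sys".

```python
import re

# Indicators taken from the write-up above.
C2_ENDPOINTS = {("185.29.9.28", 443), ("141.255.167.28", 443)}
# %UserProfile%\Application Data\Mozilla\svchost.exe or <random name>.bin
DROP_PATH = re.compile(
    r"\\application data\\mozilla\\(svchost\.exe|[^\\]+\.bin)$", re.IGNORECASE)


def shadow_services(service_keys):
    """Return Services subkeys named <existing service> + 'Sys'.

    Registry key names are case-insensitive, so compare in lower case.
    """
    names = {k.lower() for k in service_keys}
    return sorted(k for k in service_keys
                  if k.lower().endswith("sys") and k.lower()[:-3] in names)


def triage(host):
    """Collect (kind, evidence) findings from one host's inventory dict."""
    findings = [("service", k) for k in shadow_services(host["services"])]
    findings += [("file", p) for p in host["files"] if DROP_PATH.search(p)]
    findings += [("network", f"{ip}:{port}")
                 for ip, port in host["connections"]
                 if (ip, port) in C2_ENDPOINTS]
    return findings


# Constructed sample inventory (hypothetical layout, not real telemetry).
SAMPLE_HOST = {
    "services": ["Dhcp", "Spooler", "SpoolerSys", "Tcpip", "WinDefend", "Sys"],
    "files": [
        r"C:\Windows\System32\svchost.exe",
        r"C:\Documents and Settings\alice\Application Data\Mozilla\svchost.exe",
        r"C:\Documents and Settings\alice\Application Data\Mozilla\k3x9.bin",
        r"C:\Documents and Settings\alice\Application Data\Mozilla\Firefox\profiles.ini",
    ],
    "connections": [("203.0.113.10", 443), ("185.29.9.28", 443),
                    ("141.255.167.28", 80)],
}

if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_HOST):
        print(f"{kind:8} {evidence}")
```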

Last update 05 September 2015

 
