
Trojan.Volgmer.B


First posted on 15 September 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Volgmer.B.

Explanation:

The Trojan may arrive on the compromised computer after being dropped by a malicious Hangul Word Processor (HWP) document.

When the Trojan is executed, it may create the following files:
%AllUsersProfile%\Start Menu\Programs\Startup\MpCmdRun.exe
%Temp%\PMS[SEQUENTIAL NUMBER].tmp
%Temp%\AdobeArm.exe
%Temp%\svchost.exe
%Temp%\qsm.bat
%Temp%\msdtcvtre.bat
%Temp%\zawq.bat
The Trojan may create the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Common Startup" = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
The Trojan opens a back door on the compromised computer and connects to one of the following locations on port 443:
5.34.168.181
200.87.101.34
196.4.67.45
94.199.145.55
The Trojan may perform the following actions:
Terminate processes
Terminate modules
Run commands
Download files
Upload files
Delete files
Execute commands
Copy data from one file to another
Modify file timestamps
Set file attributes
Overwrite files
List directories
Update malware configurations
Send malware configurations
Create processes
Open ports and relay traffic
Destroy itself
The Trojan may send the following information to the remote location:
Computer name
OS version
Host name
TCP connection list
Process list
Drive list
CPU name
Process information
Processor architecture
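As an added triage example (not part of the Symantec write-up), the file artifacts and port-443 locations listed above checked against a constructed file inventory and netstat-style connection list in Python; the two directory values and the sample lines are assumptions, the "PMS[SEQUENTIAL NUMBER].tmp" placeholder is turned into a digit pattern, and svchost.exe is flagged only under %Temp%, not the legitimate System32 copy.

```python
import re

# Indicators transcribed from the advisory above. The two directory values are
# constructed assumptions for an XP-era layout; adjust them for the host examined.
C2_HOSTS = {"5.34.168.181", "200.87.101.34", "196.4.67.45", "94.199.145.55"}
C2_PORT = "443"
TEMP_DIR = r"C:\Documents and Settings\user\Local Settings\Temp"
ALL_USERS_DIR = r"C:\Documents and Settings\All Users"
# "PMS[SEQUENTIAL NUMBER].tmp" becomes \d+; all matching is done lower-case.
FILE_PATTERNS = [
    re.compile(r"^%allusersprofile%\\start menu\\programs\\startup\\mpcmdrun\.exe$"),
    re.compile(r"^%temp%\\pms\d+\.tmp$"),
    re.compile(r"^%temp%\\(adobearm\.exe|svchost\.exe|qsm\.bat|msdtcvtre\.bat|zawq\.bat)$"),
]

def normalize_path(path):
    """Fold concrete directories back to the advisory's %Temp% / %AllUsersProfile% placeholders."""
    p = path.lower().replace("/", "\\")
    for concrete, placeholder in ((TEMP_DIR.lower(), "%temp%"),
                                  (ALL_USERS_DIR.lower(), "%allusersprofile%")):
        if p.startswith(concrete + "\\"):
            p = placeholder + p[len(concrete):]
    return p

def match_files(paths):
    """Return paths matching a file artifact; svchost.exe is flagged only under %Temp%."""
    return [raw for raw in paths
            if any(pat.match(normalize_path(raw)) for pat in FILE_PATTERNS)]

def match_connections(netstat_lines):
    """Flag 'proto local remote state' lines whose remote end is a listed C2 on port 443."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host, _, port = parts[2].rpartition(":")
        if host in C2_HOSTS and port == C2_PORT:
            hits.append(parts[2])
    return hits

# Constructed sample input, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MpCmdRun.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\PMS0042.tmp",
    r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]
SAMPLE_NETSTAT = ["TCP 192.168.1.10:1053 196.4.67.45:443 ESTABLISHED",
                  "TCP 192.168.1.10:1054 203.0.113.5:443 ESTABLISHED"]
```

Running match_files(SAMPLE_PATHS) flags the first three constructed paths and leaves the System32 svchost.exe alone, and match_connections(SAMPLE_NETSTAT) flags only the 196.4.67.45:443 line.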

Last update 15 September 2015
