
Trojan.Pitou


First posted on 02 July 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Pitou.

Explanation:

When the Trojan is executed, it creates the following file:
%System%\Drivers\[RANDOM CHARACTERS].sys

The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"DisplayName" = "[RANDOM CHARACTERS]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"ImagePath" = "%System%\Drivers\[RANDOM CHARACTERS].sys"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\CrashControl\"MinidumpDir" = "%SystemDrive%\Minidump"

Next, the Trojan connects to the following command-and-control (C&C) servers:
ternexwestern.biz
rgnerignioerjg.com
If the Trojan can't connect to its C&C servers, it connects to domains created with its domain generation algorithm (DGA).

The Trojan may then perform the following actions:
Download email templates and a list of targeted email addresses
Hide its registry entries and files using rootkit components
Send spam emails
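The artifacts above can be turned into a simple hunt. The following is an added example, not code from Symantec or this site: it flags service entries matching the persistence pattern described (a driver service whose DisplayName is just its random key name and whose ImagePath is a .sys under Drivers) and picks out DNS queries for the two C&C hosts. The service records and DNS log lines are constructed sample data; the service name qzkf3a is a placeholder for the random name. Because the rootkit component hides its registry entries and files on a live system, run the service check against an offline hive or forensic export, and treat the DNS check as the more reliable signal.

```python
import re

# Constructed sample data for this example. The two C&C domains come from the
# writeup; every other name here is a placeholder, not a real indicator.
SAMPLE_SERVICES = {
    "Tcpip":   {"DisplayName": "TCP/IP Protocol Driver",
                "ImagePath": r"System32\drivers\tcpip.sys"},
    "qzkf3a":  {"DisplayName": "qzkf3a",
                "ImagePath": r"%System%\Drivers\qzkf3a.sys"},
    "Spooler": {"DisplayName": "Print Spooler",
                "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
}
SAMPLE_DNS_LOG = [
    "2015-07-02T10:00:01 host1 query A www.example.org",
    "2015-07-02T10:00:05 host1 query A ternexwestern.biz",
    "2015-07-02T10:00:09 host2 query A mail.rgnerignioerjg.com",
]

# C&C hosts named in the writeup.
PITOU_C2 = {"ternexwestern.biz", "rgnerignioerjg.com"}

# Matches "...\Drivers\<name>.sys" at the end of an ImagePath, case-insensitively.
DRIVER_RE = re.compile(r"\\drivers\\([^\\]+)\.sys$", re.IGNORECASE)


def suspicious_driver_services(services):
    """Return service keys whose DisplayName equals the key name and whose
    ImagePath is a .sys under Drivers carrying that same name."""
    hits = []
    for name, values in services.items():
        display = values.get("DisplayName", "")
        match = DRIVER_RE.search(values.get("ImagePath", ""))
        if match and display.lower() == name.lower() \
                and match.group(1).lower() == name.lower():
            hits.append(name)
    return hits


def c2_queries(dns_log_lines):
    """Return (line, domain) pairs for queries to a C&C host or any subdomain."""
    hits = []
    for line in dns_log_lines:
        qname = line.split()[-1].lower().rstrip(".")
        for domain in PITOU_C2:
            if qname == domain or qname.endswith("." + domain):
                hits.append((line, domain))
    return hits


if __name__ == "__main__":
    print(suspicious_driver_services(SAMPLE_SERVICES))
    print(c2_queries(SAMPLE_DNS_LOG))
```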

Last update 02 July 2015
