
Trojan.Carberp.C


First posted on 20 December 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Carberp.C.

Explanation :

When the Trojan is executed, it creates the following files:
  %Temp%\tmp[RANDOM].tmp
  %Temp%\NTFS.sys
The Trojan may then create data files in the following folder:
  %UserProfile%\Application Data\Microsoft\Crypto\RSA\KEYS
The parent folder, Microsoft\Crypto\RSA, is where Windows keeps the user's legitimate CryptoAPI key containers, so a KEYS subfolder there is easy to overlook during triage.
Next, the Trojan creates a mutex in any of the following formats:
  Global\UACNTFS[VOLUME SERIAL NUMBER]
  Global\BDNTFS[VOLUME SERIAL NUMBER]
  Global\INSNTFS[VOLUME SERIAL NUMBER]
The Trojan then connects to the following command-and-control servers:
  thaipwid.com
  togedidd.com
  lefgiecy.com
  capthefi.com
Next, the Trojan generates domains. It has been observed generating the following domains:
  opcpvbsq34rqlel6be.cn
  els84xpvs4o4f58chd.com
  unszaci61qd84sedqi.cn
  xmelbsnd8g4rkln8wb.biz
The Trojan then connects to the following remote location and downloads a file to the %Temp% folder:
  [http://]thaipwid.com/lowrybmwchtm/up.[REMOVED]
Next, the Trojan sends the following system information to the attacker's remote location:
  File system type
  User name used to execute the malware
  File path and name of the executed file (such as %SystemDrive%\invoice.exe)
  Time and date of compromise
  Process ID and parent process ID
The Trojan then downloads additional plugins under the following file names:
  host.dat
  update.dat
  [VOLUME SERIAL NUMBER]_32.dat
  [VOLUME SERIAL NUMBER]_64.dat
  list32.dat
  list64.dat
The Trojan may then use list32.dat to steal confidential information sent from the Chrome, Internet Explorer, Firefox, and Opera web browsers.
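The indicators above (mutex naming, the hard-coded C2 domains, the observed DGA domains and the dropped file names) can be turned into an offline sweep over data already collected from hosts and DNS logs. The script below is an added example and is not Symantec's or malwarePDF's code. It assumes a constructed DNS log format ("<timestamp> <client> query <fqdn>") and, because the write-up does not say how the volume serial is rendered, treats the serial as 4 to 10 hex digits; the "18 alphanumerics under .cn/.com/.biz" shape is a low-confidence heuristic inferred only from the four listed DGA samples. Note that %Temp%\tmp[RANDOM].tmp matches the standard GetTempFileName naming, so it is deliberately not flagged on its own.

```python
"""Offline IOC sweep for the Trojan.Carberp.C indicators in the write-up above.

Added example (not Symantec's or malwarePDF's code). Log formats and sample
data are constructed; the serial-number rendering and the DGA shape regex are
assumptions, as noted inline.
"""
import re

# Mutex formats from the write-up. ASSUMPTION: [VOLUME SERIAL NUMBER] is
# rendered as 4-10 hex digits; the page does not state the format.
MUTEX_RE = re.compile(r"^Global\\(?:UAC|BD|INS)NTFS[0-9A-Fa-f]{4,10}$")

# Hard-coded command-and-control servers listed in the write-up.
KNOWN_C2 = {"thaipwid.com", "togedidd.com", "lefgiecy.com", "capthefi.com"}

# Domains the Trojan was observed generating.
OBSERVED_DGA = {
    "opcpvbsq34rqlel6be.cn",
    "els84xpvs4o4f58chd.com",
    "unszaci61qd84sedqi.cn",
    "xmelbsnd8g4rkln8wb.biz",
}

# ASSUMPTION / low confidence: all four observed DGA labels are exactly 18
# lowercase alphanumerics under .cn, .com or .biz. Treat hits as leads only.
DGA_SHAPE_RE = re.compile(r"^[a-z0-9]{18}\.(?:cn|com|biz)$")

# Dropped driver and plugin names. tmp[RANDOM].tmp is intentionally excluded:
# it is the normal GetTempFileName pattern and would flood results.
DROPPED_FILE_RE = re.compile(
    r"(?:\\NTFS\.sys|\\host\.dat|\\update\.dat|\\list(?:32|64)\.dat"
    r"|\\[0-9A-Fa-f]{4,10}_(?:32|64)\.dat)$",
    re.IGNORECASE,
)
# The data-file folder under the user's CryptoAPI RSA key container directory.
KEYS_DIR_RE = re.compile(r"\\Microsoft\\Crypto\\RSA\\KEYS\\", re.IGNORECASE)


def matching_mutexes(names):
    """Return the mutex names (e.g. from a handle dump) that fit the Carberp.C formats."""
    return [n for n in names if MUTEX_RE.match(n)]


def classify_domain(fqdn):
    """Return 'c2', 'dga-known', 'dga-shape' or None for a queried name."""
    d = fqdn.rstrip(".").lower()
    if d in KNOWN_C2:
        return "c2"
    if d in OBSERVED_DGA:
        return "dga-known"
    if DGA_SHAPE_RE.match(d):
        return "dga-shape"
    return None


def scan_dns_log(lines):
    """Constructed format: '<ts> <client> query <fqdn>'. Returns [(fqdn, verdict)]."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue  # not a query record in the constructed format
        verdict = classify_domain(parts[3])
        if verdict:
            hits.append((parts[3].rstrip(".").lower(), verdict))
    return hits


def suspicious_paths(paths):
    """Return file paths matching the dropped-file names or the KEYS data folder."""
    return [p for p in paths if DROPPED_FILE_RE.search(p) or KEYS_DIR_RE.search(p)]


if __name__ == "__main__":
    # Constructed sample data: a handle-dump excerpt, DNS log lines, and file paths.
    mutexes = ["Global\\UACNTFS1A2B3C4D", "Global\\SomeUnrelatedMutex"]
    dns = [
        "2014-12-20T10:00:01 10.0.0.5 query thaipwid.com",
        "2014-12-20T10:00:02 10.0.0.5 query els84xpvs4o4f58chd.com.",
        "2014-12-20T10:00:03 10.0.0.7 query www.example.com",
    ]
    paths = [
        r"C:\Users\bob\AppData\Local\Temp\NTFS.sys",
        r"C:\Users\bob\AppData\Local\Temp\tmpA1B2.tmp",
        r"C:\Users\bob\AppData\Roaming\Microsoft\Crypto\RSA\KEYS\1A2B3C4D_32.dat",
    ]
    print("mutexes:", matching_mutexes(mutexes))
    print("dns:", scan_dns_log(dns))
    print("files:", suspicious_paths(paths))
```

The mutex check only works on names already collected from a live host (for example from a Sysinternals handle enumeration), since mutant objects are not visible in file system or network data. A "dga-shape" verdict should be confirmed against other evidence before acting on it; the C2 and known-DGA matches are exact and can be used directly for blocking or retrospective hunting.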

Last update 20 December 2014

