Trojan.Fleercivet
First posted on 03 December 2014.
Source: Symantec
Aliases:
There are no other names known for Trojan.Fleercivet.
Explanation:
The Trojan is able to detect if the computer is a virtual machine. If it is, then the Trojan does not compromise the virtual machine.
When the Trojan is executed, it creates the following files:
%ProgramFiles%\@system.temp
%UserName%\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe
Next, the Trojan creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"GoogleUpdate" = "%UserName%\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe"
The Trojan then connects to the following remote locations:
http://www.telize.com/geoip
http://seastarnew.com/image/tools1.ico
The Trojan may then perform the following actions:
Download and execute additional files or BAT scripts
Create a mutex named "_HSJ909NJJNJ90203_"
Inject code into svchost.exe to hide itself
Gather geolocation data
Force the compromised computer to click on ads through Internet Explorer without the user's knowledge
Last update: 03 December 2014
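The indicators in this entry (the two drop paths, the Run-key value, the mutex name and the two remote locations) are enough for a simple host-telemetry match. The Python below is an added example, not part of the Symantec entry: the pipe-delimited telemetry line format and the sample lines are constructed for it, and only the indicator strings come from the write-up.

```python
"""Host-indicator matcher for the Trojan.Fleercivet write-up.

Added example, not part of the Symantec entry. It scans constructed telemetry
lines of the form 'kind|field|field...' (an assumed format for this example)
and reports which lines match the file, registry, mutex and network indicators
listed in the write-up.
"""
from urllib.parse import urlsplit

# Indicators copied from the write-up. Windows paths are case-insensitive, so
# path comparisons below lower-case both sides.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "GoogleUpdate"
DROPPED_PATH_SUFFIXES = (
    r"\@system.temp",                                      # %ProgramFiles%\@system.temp
    r"\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe",  # user-profile drop
)
MUTEX_NAME = "_HSJ909NJJNJ90203_"
REMOTE_LOCATIONS = {
    ("www.telize.com", "/geoip"),
    ("seastarnew.com", "/image/tools1.ico"),
}


def _ends_with_ci(path, suffix):
    return path.lower().endswith(suffix.lower())


def match_file(path):
    """True if a created-file path matches one of the listed drop locations."""
    return any(_ends_with_ci(path, s) for s in DROPPED_PATH_SUFFIXES)


def match_run_value(key, name, data):
    """True for the listed Run-key persistence entry.

    The value name alone is a weak indicator because the legitimate Google
    updater is also called GoogleUpdate.exe, so the value data must also point
    at the FrameworkUpdate drop path from the write-up.
    """
    return (
        key.lower() == RUN_KEY.lower()
        and name.lower() == RUN_VALUE_NAME.lower()
        and _ends_with_ci(data.strip('"'), DROPPED_PATH_SUFFIXES[1])
    )


def match_mutex(name):
    """Mutex names are exact, case-sensitive strings."""
    return name == MUTEX_NAME


def match_url(url):
    """True if host and path match a listed remote location (scheme and query ignored).

    Backslashes are normalised first so URLs mangled the way some mirrors
    render them (http:\\host\path) still match.
    """
    parts = urlsplit(url.replace("\\", "/"))
    return ((parts.hostname or "").lower(), parts.path) in REMOTE_LOCATIONS


def scan(lines):
    """Return (line_number, indicator_kind) for every matching telemetry line.

    Lines are 'kind|field|...'; kinds are file, regset, mutex and net. Unknown
    or malformed lines are ignored rather than raising.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("|")
        kind = fields[0]
        if kind == "file" and len(fields) == 2 and match_file(fields[1]):
            hits.append((n, "dropped_file"))
        elif kind == "regset" and len(fields) == 4 and match_run_value(*fields[1:]):
            hits.append((n, "run_key_persistence"))
        elif kind == "mutex" and len(fields) == 2 and match_mutex(fields[1]):
            hits.append((n, "mutex"))
        elif kind == "net" and len(fields) == 2 and match_url(fields[1]):
            hits.append((n, "remote_location"))
    return hits


# Constructed sample telemetry, not captured data. Lines 2 and 6 are benign
# controls (the real Google updater path and an unrelated mutex).
SAMPLE_LINES = [
    r"file|C:\Program Files\@system.temp",
    r"file|C:\Program Files\Google\Update\GoogleUpdate.exe",
    r"file|C:\Users\alice\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe",
    r'regset|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|GoogleUpdate|"C:\Users\alice\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe"',
    r"mutex|_HSJ909NJJNJ90203_",
    r"mutex|Global\SomeOtherApp",
    r"net|http://www.telize.com/geoip?ip=",
    r"net|http://seastarnew.com/image/tools1.ico",
]

if __name__ == "__main__":
    for n, kind in scan(SAMPLE_LINES):
        print(f"line {n}: {kind}")
```

The Run-key check deliberately requires both the value name and the FrameworkUpdate path, since a rule on the "GoogleUpdate" name alone would fire on the legitimate updater; the mutex, by contrast, is matched exactly because that string has no benign owner.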