Trojan.Potao
First posted on 01 August 2015.
Source: Symantec
Aliases :
There are no other names known for Trojan.Potao.
Explanation :
When the Trojan is executed, it creates the following files:
%UserProfile%\Application Data\Microsoft\[RANDOM ALPHANUMERIC CHARACTERS].dll
%UserProfile%\Local Settings\Temp\[RANDOM ALPHANUMERIC CHARACTERS].tmp
The Trojan creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM ALPHANUMERIC CHARACTERS]"="rundll32.exe \%UserProfile%\Application Data\Microsoft\[RANDOM ALPHANUMERIC CHARACTERS].dll\"
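One way to check exported HKCU Run values for the persistence entry described above. This is an added example, not part of the original writeup; the regular expression, the name flag_run_values and the sample values are assumptions constructed for illustration.

```python
import re

# Heuristic (an assumption of this example): rundll32 loading a DLL with a purely
# alphanumeric base name directly from the per-user "Application Data\Microsoft"
# folder, which Windows Vista and later store as AppData\Roaming\Microsoft.
RUN_PATTERN = re.compile(
    r'''rundll32(?:\.exe)?["\s\\]+        # loader, then quotes/space/stray backslash
        (?:%userprofile%|[a-z]:\\(?:users|documents\ and\ settings)\\[^\\"]+)
        \\(?:application\ data|appdata\\roaming)\\microsoft
        \\([a-z0-9]+\.dll)\b              # DLL sits directly in that folder
    ''',
    re.IGNORECASE | re.VERBOSE,
)


def flag_run_values(run_values):
    """Return (value_name, dll_name) for every Run value matching the pattern."""
    hits = []
    for name, data in run_values:
        match = RUN_PATTERN.search(data)
        if match:
            hits.append((name, match.group(1)))
    return hits


# Constructed sample: (value name, value data) pairs as read from
# HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE = [
    ("OneDrive",
     r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("q7Zr1",
     r'rundll32.exe "%UserProfile%\Application Data\Microsoft\k3f9x2ab.dll"'),
    ("Panel",
     r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
    ("xT4",
     r'rundll32.exe C:\Users\bob\AppData\Roaming\Microsoft\A1b2C3.dll,Run'),
]

if __name__ == "__main__":
    for value_name, dll_name in flag_run_values(SAMPLE):
        print(f"review Run value {value_name!r}: loads {dll_name}")
```

A match is a lead for review, not a verdict: confirm by examining the referenced DLL and the process's outbound connections.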
The Trojan may display a Microsoft Word document icon on the compromised computer.
The Trojan may open a non-malicious Microsoft Word document when executed on the compromised computer.
The Trojan opens a back door, and connects to one of the following locations to download additional modules:
62.76.184.245, 62.76.42.14, 94.242.199.78, 87.106.44.200, 84.234.71.215, 178.239.60.96
Last update 01 August 2015