Home / malwarePDF  

Downloader.Tenirem


First posted on 31 July 2015.
Source: Symantec

Aliases :

There are no other names known for Downloader.Tenirem.

Explanation :

When the Trojan is executed, it creates the following file: %UserProfile%\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\system.pif
Next, the Trojan connects to the following remote location: [http://]www.infotech-automation.com/images/[RANDOM CHARACTERS]/[RANDOM CHA[REMOVED]
The Trojan saves the file downloaded from this remote location under the following file name and executes it: %SystemDrive%\ProgramData\Microsoft-KB518060.exe
The Trojan then creates the following registry entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"AutoconfigURL" = "[https://]alarmtonnel.com/akama[REMOVED]"
The Trojan may then perform the following actions: Run PowerShell commandsDownload and execute files

Last update 31 July 2015

 

TOP