
VBS.Cozer


First posted on 28 March 2015.
Source: Symantec

Aliases :

There are no other names known for VBS.Cozer.

Explanation :

The Trojan is dropped and executed by Trojan.Cozer.

When the Trojan is executed, it creates the following files:
%CurrentDirectory%\waudit\dc
%CurrentDirectory%\waudit\GPrun
%CurrentDirectory%\waudit\GPLinks
The Trojan deletes the following files:
%UserProfile%\Application Data\ATI_Subsystem\*_*_*.exe
%UserProfile%\Local Settings\Temp\ChromeUpdate.exe
The Trojan may use the following executables, which are dropped by Trojan.Cozer:
Psexec.exe
rar.exe
sdelete.exe
diag.ps1
The Trojan then gathers the following information from the compromised computer:
User credentials found in the Domain System Volume
Domain controller computer names
Exchange server computer names
Computer names of computers running Windows Server 2008 as the operating system
Computer names of computers whose operating system name contains the substring "Server"
User credentials for the compromised computer
User credentials for other Domain Controllers in the network
The Trojan saves the information in the following location:
%CurrentDirectory%\waudit
The Trojan may compress %CurrentDirectory%\waudit and save it as the following:
%CurrentDirectory%\[SIX RANDOM CHARACTERS].tmp
The Trojan then uploads %CurrentDirectory%\[SIX RANDOM CHARACTERS].tmp to OneDrive using one of the following strings:
Filename:
Budget
test
ATT
backup
conference2014
Brief
Certification
Division
Contractors
Department
Notice
Replication
Document
Template
Modernization
official
Meeting
Camp
Final
Approval
Interesting
Press
Summary
sheet
Travel
Secretary
doc
The Trojan may append the strings with one of the following file extensions:
.doc
.docx
.rar
.pdf
.xls
.xlsx
.bak
.ppt
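As an added defender-side example (not part of the Symantec writeup), the file paths and upload names listed above can be turned into a small classifier and run over file-activity events. The indicator strings are transcribed from this page; the six-character .tmp pattern assumes alphanumeric characters, since the writeup does not say, and the sample events are constructed, not real telemetry.

```python
import re
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Indicators transcribed from the writeup above; nothing else is used.
STAGING_FILES = {"dc", "gprun", "gplinks"}  # created under %CurrentDirectory%\waudit\
UPLOAD_NAMES = ["Budget", "test", "ATT", "backup", "conference2014", "Brief",
                "Certification", "Division", "Contractors", "Department",
                "Notice", "Replication", "Document", "Template", "Modernization",
                "official", "Meeting", "Camp", "Final", "Approval", "Interesting",
                "Press", "Summary", "sheet", "Travel", "Secretary", "doc"]
UPLOAD_EXTS = ["doc", "docx", "rar", "pdf", "xls", "xlsx", "bak", "ppt"]
UPLOAD_RE = re.compile(r"^(?:" + "|".join(map(re.escape, UPLOAD_NAMES)) + r")\."
                       r"(?:" + "|".join(UPLOAD_EXTS) + r")$", re.IGNORECASE)
# Assumption: "six random characters" is taken to mean six alphanumerics.
TMP_ARCHIVE_RE = re.compile(r"^[A-Za-z0-9]{6}\.tmp$", re.IGNORECASE)


def classify_path(path: str):
    """Return the writeup indicator a file path matches, or None."""
    p = PureWindowsPath(path)
    name, parent = p.name, p.parent.name.lower()
    if parent == "waudit" and name.lower() in STAGING_FILES:
        return "waudit staging file"
    if parent == "ati_subsystem" and fnmatch(name.lower(), "*_*_*.exe"):
        return "ATI_Subsystem executable (deleted by the Trojan)"
    if parent == "temp" and name.lower() == "chromeupdate.exe":
        return "ChromeUpdate.exe (deleted by the Trojan)"
    if TMP_ARCHIVE_RE.match(name):  # weak on its own: six-char .tmp names are common
        return "possible compressed waudit archive (weak, six-char .tmp)"
    if UPLOAD_RE.match(name):
        return "OneDrive upload name from the Trojan's list"
    return None


def scan_events(events):
    """Return (path, indicator) pairs for every event that matches."""
    return [(path, classify_path(path)) for path in events if classify_path(path)]


# Constructed sample file-activity events for demonstration only.
SAMPLE_EVENTS = [
    r"C:\Users\alice\Desktop\waudit\GPLinks",          # staging file
    r"C:\Users\alice\Desktop\waudit\notes.txt",        # benign: not a listed name
    r"C:\Users\alice\Application Data\ATI_Subsystem\12_ab_3.exe",
    r"C:\Users\alice\Local Settings\Temp\ChromeUpdate.exe",
    r"C:\Users\alice\Desktop\Qx7Lp2.tmp",              # weak archive match
    r"C:\Users\alice\Desktop\conference2014.docx",     # listed upload name + ext
    r"C:\Users\alice\Desktop\Budget2015.xlsx",         # benign: name not exact
]
```

`scan_events(SAMPLE_EVENTS)` flags five of the seven constructed events; the waudit staging files and the exact upload-name matches are the strong signals, while the six-character .tmp match should only be used to corroborate them.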

Last update 28 March 2015
