
Trojan.Cozer


First posted on 03 April 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Cozer.

Explanation :

Once executed, the Trojan creates the following files:
%Temp%\hppscan854.pdf
%Temp%\reader_sl.exe
%UserProfile%\Application Data\ATI_Subsystem\atiadlxx.dll
%UserProfile%\Application Data\ATI_Subsystem\aticfx32.bin
%UserProfile%\Application Data\ATI_Subsystem\aticfx32.dll
%UserProfile%\Application Data\ATI_Subsystem\clinfo.exe
%UserProfile%\Application Data\ATI_Subsystem\coinst_13.152.dll
%UserProfile%\Application Data\ATI_Subsystem\racss.dat
%Windir%\Tasks\atiapfxx_Client.job
%Windir%\Tasks\clinfo_Info.job
The Trojan creates the following registry entries so that it runs every time Windows starts. Each value launches the dropped clinfo.exe with aticfx32.dll and the export name ADL_Display_DeviceConfig_Get as its arguments, so the DLL, not clinfo.exe itself, carries the payload:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"atipblag_System" = "%UserProfile%\Application Data\ATI_Subsystem\clinfo.exe %UserProfile%\Application Data\ATI_Subsystem\aticfx32.dll, ADL_Display_DeviceConfig_Get"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"amdhwdecoder_Info" = "%UserProfile%\Application Data\ATI_Subsystem\clinfo.exe %UserProfile%\Application Data\ATI_Subsystem\aticfx32.dll, ADL_Display_DeviceConfig_Get"
The Trojan also creates the following registry entry, a third autostart location (the Explorer policies Run key, which is processed at user logon) with the same command line:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"atigktxx_Host" = "%UserAppData%\ATI_Subsystem\clinfo.exe %UserProfile%\Application Data\ATI_Subsystem\aticfx32.dll, ADL_Display_DeviceConfig_Get"
The Trojan disguises itself as a PDF file. Once it is executed, it opens the following clean PDF file as a decoy on the compromised computer, so the user sees a document rather than an error:
%Temp%\hppscan854.pdf
The Trojan will stop running if any of the following virtual environments are detected:
VMware
Parallels Workstation
VirtualBox
Sandboxie
The Trojan will also stop running if it detects any of the following security tool processes. Since the check is by process name, analysis tools running under these default names should be renamed before dynamic analysis, or the sample will exit before showing the behavior described below:
regmon.exe
windump.exe
syser.exe
procexp.exe
tcpview.exe
petools.exe
idag64.exe
wireshark.exe
winspy.exe
idaq64.exe
netsniffer.exe
apimonitor.exe
iris.exe
Next, the Trojan may connect to any of the following IP addresses through TCP port 443:
200.119.128.45
202.206.232.20
The Trojan may also connect to the following URL:
[https://]twitter.com/monkey[REMOVED]
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Download files
Upload files
Execute files
End processes
Collect system information such as user name, computer name, operating system version, IP address, MAC address, and security software installed
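The following host hunt over the indicators above is an added example and is not part of Symantec's writeup. The file paths, registry locations, command line and C2 addresses are copied from the description; the snapshot layout, function names and the assumption that %UserProfile%\Application Data corresponds to %APPDATA% (the roaming profile directory on Windows Vista and later) are this example's own. The matching logic is kept separate from live collection so it can be run offline against a constructed snapshot, and the autostart check matches the clinfo.exe command line rather than the three value names, which an operator can change more easily than the loader invocation.

```python
"""Host hunt for the Trojan.Cozer indicators listed in the writeup.

Added example, not Symantec's code. Indicator data is copied from the
writeup; environment variable names, the snapshot layout and the function
names are this example's own assumptions.
"""
import os
import re

# %UserProfile%\Application Data in the writeup is the roaming profile
# directory; on Windows Vista and later that is %APPDATA% (assumption).
DROPPED_FILES = [
    r"%TEMP%\hppscan854.pdf",
    r"%TEMP%\reader_sl.exe",
    r"%APPDATA%\ATI_Subsystem\atiadlxx.dll",
    r"%APPDATA%\ATI_Subsystem\aticfx32.bin",
    r"%APPDATA%\ATI_Subsystem\aticfx32.dll",
    r"%APPDATA%\ATI_Subsystem\clinfo.exe",
    r"%APPDATA%\ATI_Subsystem\coinst_13.152.dll",
    r"%APPDATA%\ATI_Subsystem\racss.dat",
    r"%WINDIR%\Tasks\atiapfxx_Client.job",
    r"%WINDIR%\Tasks\clinfo_Info.job",
]

# Autostart locations named in the writeup: (hive abbreviation, subkey).
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"),
]

# All three Run values share one command line: clinfo.exe loading
# aticfx32.dll and calling its ADL_Display_DeviceConfig_Get export.
# Matching on the command line still fires if the value name changes.
RUN_CMD_RE = re.compile(
    r"clinfo\.exe\b.*\baticfx32\.dll,\s*ADL_Display_DeviceConfig_Get", re.I)

C2_IPS = {"200.119.128.45", "202.206.232.20"}
C2_PORT = 443


def expand(path, env):
    """Expand %VAR% placeholders from `env`; unknown names are left as-is."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def match_snapshot(snapshot, env):
    """Compare a host snapshot against the indicators.

    snapshot = {
        "files": iterable of file paths that exist on the host,
        "run_values": {(hive, subkey, value_name): command_line},
        "connections": iterable of (remote_ip, remote_port),
    }
    Returns a list of (category, detail) hits, files first.
    """
    hits = []
    present = {p.lower() for p in snapshot.get("files", ())}
    for ioc in DROPPED_FILES:
        full = expand(ioc, env)
        if full.lower() in present:          # case-insensitive, like NTFS
            hits.append(("file", full))
    for (hive, subkey, name), cmd in snapshot.get("run_values", {}).items():
        if RUN_CMD_RE.search(cmd):
            hits.append(("autorun", f"{hive}\\{subkey}\\{name} = {cmd}"))
    for ip, port in snapshot.get("connections", ()):
        if ip in C2_IPS and port == C2_PORT:
            hits.append(("c2", f"{ip}:{port}"))
    return hits


def collect_live_snapshot(env):
    """Build a snapshot of the current Windows host (files and registry).

    Network connections are not collected here; correlate the C2 addresses
    against proxy or firewall logs or `netstat -ano` output separately.
    """
    import winreg  # Windows only
    files = [p for p in (expand(i, env) for i in DROPPED_FILES)
             if os.path.exists(p)]
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    run_values = {}
    for hive, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except OSError:   # key absent; policies\Explorer\Run often is
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:   # no more values
                    break
                run_values[(hive, subkey, name)] = str(data)
                i += 1
    return {"files": files, "run_values": run_values, "connections": []}


if __name__ == "__main__":
    live_env = {k.upper(): v for k, v in os.environ.items()}
    for category, detail in match_snapshot(collect_live_snapshot(live_env), live_env):
        print(f"[{category}] {detail}")
```

Run it as the logged-on user to cover the HKEY_CURRENT_USER entry, and once elevated for the HKEY_LOCAL_MACHINE keys; a hit on the .job files or the autorun value on a machine that never had AMD graphics software installed is a strong signal even without the C2 traffic.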

Last update 03 April 2015
