Trojan.Hepbot


First posted on 13 June 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Hepbot.

Explanation:

When the Trojan is executed, it creates the following files:

- %SystemDrive%\Documents and Settings\All Users\Application Data\gpresultl.exe
- %SystemDrive%\Documents and Settings\All Users\Application Data\en.lock
- %SystemDrive%\Documents and Settings\All Users\Application Data\log.err
- %SystemDrive%\Documents and Settings\All Users\Application Data\system.lho

Next, the Trojan creates the following registry entry so that it runs every time Windows starts:

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"gpresultl" = "%SystemDrive%\Documents and Settings\All Users\Application Data\gpresultl.exe"

The Trojan then connects to a remote location which is determined through the malware's builder.

The Trojan may then perform the following actions:

- Open a back door
- Log keystrokes
- Steal information
- Capture screenshots
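
The files and Run value listed above can be checked for on a host. The PowerShell below is an added example, not part of Symantec's write-up; it assumes an elevated prompt, and the %ProgramData% directory is an added assumption covering Windows Vista and later, where the XP-era path from the write-up resolves to that location.

```powershell
# Artifact names taken from the write-up above.
$fileNames = 'gpresultl.exe', 'en.lock', 'log.err', 'system.lho'
$valueName = 'gpresultl'
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

# Directory from the write-up (Windows XP layout) plus %ProgramData%.
# Assumption: on Vista and later the XP path is a junction chain that ends
# in %ProgramData%, so one file can be reported under both directories.
$dirs = @(
    "$env:SystemDrive\Documents and Settings\All Users\Application Data",
    $env:ProgramData
) | Where-Object { $_ } | Select-Object -Unique

$findings = @()
foreach ($dir in $dirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force   # -Force: include hidden files
            $findings += [pscustomobject]@{
                Type = 'File'; Location = $path
                Detail = 'created {0:u}' -f $item.CreationTimeUtc
            }
        }
    }
}

# The Run value lives under HKEY_CURRENT_USER, so it is per user. Walk every
# hive loaded under HKEY_USERS; hives of logged-off users are not loaded and
# are not covered by this loop.
$users = [Microsoft.Win32.Registry]::Users
foreach ($sid in $users.GetSubKeyNames()) {
    try { $key = $users.OpenSubKey("$sid\$runSubKey") } catch { continue }
    if ($null -eq $key) { continue }
    $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
    $key.Close()
    if ($null -ne $data) {
        $findings += [pscustomobject]@{
            Type = 'RunValue'; Location = "HKU\$sid\$runSubKey"; Detail = "$valueName = $data"
        }
    }
}

# Name matches are leads for triage, not a verdict on their own.
if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No Trojan.Hepbot artifacts from the write-up were found.'
}
```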

Last update 13 June 2015
