
VBS.Cozer.B


First posted on 28 March 2015.
Source: Symantec

Aliases:

There are no other names known for VBS.Cozer.B.

Explanation:

The Trojan is dropped and executed by Trojan.Cozer.

When the Trojan is executed, it maps the following OneDrive cloud storage account to the compromised computer: \\docs.live.net@SSL\BE4[REMOVED]8ABED
The Trojan then downloads files from this remote location to the following folder: %UserProfile%\Application Data
Next, the Trojan saves the current working directory path to a text file in the following location: \\docs.live.net@SSL\BE4[REMOVED]8ABED\Pictures\[COMPUTER NAME]-[RANDOM NUMBERS].txt
The Trojan then opens files stored in the following location: \\docs.live.net@SSL\BE4[REMOVED]8ABED\Pictures\
The Trojan may then execute files and commands, and records the output to the following location: \\docs.live.net@SSL\BE4[REMOVED]8ABED\Pictures\[COMPUTER NAME]-[RANDOM NUMBERS].txt
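
The following added example (not part of Symantec's write-up) checks file events for two traits of the behaviour described above: a script host touching a `\\docs.live.net@SSL\` share, and a `[COMPUTER NAME]-[RANDOM NUMBERS].txt` file under `\Pictures\` whose prefix matches the reporting machine. The event schema, the account ID `EXAMPLEACCOUNTID`, the host names and the assumption that the VBS payload runs under `wscript.exe` or `cscript.exe` are constructed for illustration.

```python
import re

# UNC form of a OneDrive account mapped over WebDAV, as given in the write-up:
# \\docs.live.net@SSL\<account id>\<path inside the account>
ONEDRIVE_UNC = re.compile(r"^\\\\docs\.live\.net@SSL\\([^\\]+)\\(.*)$", re.I)
# Output file named in the write-up: \Pictures\[COMPUTER NAME]-[RANDOM NUMBERS].txt
OUTPUT_FILE = re.compile(r"Pictures\\([^\\]+)-(\d+)\.txt", re.I)
# Assumption: a VBS payload runs under one of the Windows script hosts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def classify(event):
    """Return the findings for one file event (dict with host, image, path)."""
    m = ONEDRIVE_UNC.match(event["path"])
    if not m:
        return []  # not on a mapped OneDrive share
    findings = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image in SCRIPT_HOSTS:
        findings.append("script-host-onedrive-webdav")
    # Only flag the .txt when its prefix is the reporting machine's own name,
    # so ordinary files such as holiday-2015.txt are ignored.
    name = OUTPUT_FILE.fullmatch(m.group(2))
    if name and name.group(1).lower() == event["host"].lower():
        findings.append("hostname-numbered-txt-in-pictures")
    return findings


def hunt(events):
    """Return (index, findings) for every event with at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]


# Constructed sample events (simplified schema, not a real product's log format).
SHARE = r"\\docs.live.net@SSL\EXAMPLEACCOUNTID"
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "path": SHARE + r"\Pictures\WS01-48213.txt"},
    {"host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "path": SHARE + r"\Pictures\job.bin"},
    {"host": "WS02", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "path": SHARE + r"\Documents\report.docx"},
    {"host": "WS02", "image": r"C:\Windows\explorer.exe",
     "path": SHARE + r"\Pictures\holiday-2015.txt"},
    {"host": "WS02", "image": r"C:\Windows\System32\cscript.exe",
     "path": r"C:\Scripts\inventory.vbs"},
]

if __name__ == "__main__":
    for index, findings in hunt(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["path"], findings)
```

Ordinary OneDrive use from Office or Explorer and script-host activity on local paths produce no findings; only the first two constructed events are reported.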

Last update 28 March 2015

 
