
Trojan.Scieron


First posted on 25 July 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Scieron.

Explanation:

When the Trojan is executed, it creates the following files:
%UserProfile%\Application Data\winword.exe
%UserProfile%\Application Data\httpsapi.dll
%System%\httpsapi.dll
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\https: "rundll32.exe %UserProfile%\Application Data\httpsapi.dll,DllGetObject"

The Trojan may register the malicious DLL file as a Browser Helper Object (BHO) using the following registry entries:
HKEY_CLASSES_ROOT\CLSID\{B8969153-2214-4d23-B02B-FC8B490F8F54}\Default: "Http Security"
HKEY_CLASSES_ROOT\CLSID\{B8969153-2214-4d23-B02B-FC8B490F8F54}\InprocServer32\Default: "%System%\mshttp.dll"
The Trojan may create the following mutexes to ensure that only one instance is running:
httpsapi_dll_5_1
mshttp_dll_5_1
The Trojan may open a back door and connect to one of the following servers:
ls910329.my03.com
coastnews.darktech.org
uudog.4pu.com
yellowblog.flnet.org
www.ndcinformation.acmetoy.com
logoff.ddns.info
gjjb.flnet.org
newdyndns.scieron.com
www.service.authorizeddns.net
apple.dynamic-dns.net
demon.4irc.com
expert.4irc.com
will-smith.dtdns.net
sskill.b0ne.com
rubberduck.gotgeeks.com
bulldog.toh.info
jingnan88.chatnook.com
dynamic.ddns.mobi
anakin129.lflinkup.com
Markshell.etowns.net
blackblog.chatnook.com
lehnjb.epac.to
mydear.ddns.info
photocard.4irc.com
pricetag.deaftone.com
sorry.ns2.name
football.mrbasic.com
nazgul.zyns.com
cew58e.xxxy.info
The Trojan may steal the following information:
Computer name
Host name
Version
Drive type
Files
The Trojan may perform the following actions:
Download and execute remote files
Delete files
Move files to other folders
List directories
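As an added example that is not part of the Symantec write-up, the following Python script matches host and DNS telemetry against the indicators listed above: the Run value and its rundll32 command line, the BHO CLSID, the mutex names, and the command-and-control domains. The autorun tuple shape, the DNS log line format, and every sample entry are assumptions constructed here for illustration, not data from the report.

```python
"""Match host and DNS telemetry against the Trojan.Scieron indicators above.

Sample inputs are constructed for this example; the only indicator values
are those transcribed from the write-up.
"""
import re

# Command-and-control domains from the write-up, lower-cased because DNS
# names are case-insensitive.
SCIERON_DOMAINS = {d.lower() for d in [
    "ls910329.my03.com", "coastnews.darktech.org", "uudog.4pu.com",
    "yellowblog.flnet.org", "www.ndcinformation.acmetoy.com", "logoff.ddns.info",
    "gjjb.flnet.org", "newdyndns.scieron.com", "www.service.authorizeddns.net",
    "apple.dynamic-dns.net", "demon.4irc.com", "expert.4irc.com",
    "will-smith.dtdns.net", "sskill.b0ne.com", "rubberduck.gotgeeks.com",
    "bulldog.toh.info", "jingnan88.chatnook.com", "dynamic.ddns.mobi",
    "anakin129.lflinkup.com", "Markshell.etowns.net", "blackblog.chatnook.com",
    "lehnjb.epac.to", "mydear.ddns.info", "photocard.4irc.com",
    "pricetag.deaftone.com", "sorry.ns2.name", "football.mrbasic.com",
    "nazgul.zyns.com", "cew58e.xxxy.info",
]}
SCIERON_MUTEXES = {"httpsapi_dll_5_1", "mshttp_dll_5_1"}
SCIERON_BHO_CLSID = "{B8969153-2214-4d23-B02B-FC8B490F8F54}"

# The persistence entry is a Run value named "https" whose command loads
# httpsapi.dll through rundll32 with the DllGetObject export. The DLL path is
# deliberately not anchored: %UserProfile% expands differently on every host.
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\https$", re.IGNORECASE)
RUNDLL_CMD_RE = re.compile(
    r"rundll32(?:\.exe)?\s.*httpsapi\.dll\s*,\s*DllGetObject", re.IGNORECASE)


def check_autorun_entries(entries):
    """entries: iterable of (registry_value_path, command) pairs, as an
    autoruns-style export might provide (assumed shape). Returns a list of
    (path, reason) findings."""
    findings = []
    for path, command in entries:
        if RUN_VALUE_RE.search(path) and RUNDLL_CMD_RE.search(command):
            findings.append((path, "Scieron Run persistence: rundll32 httpsapi.dll,DllGetObject"))
        elif RUNDLL_CMD_RE.search(command):
            # Same loader line under a different value name still deserves a look.
            findings.append((path, "httpsapi.dll,DllGetObject loaded from an unexpected autorun entry"))
        elif SCIERON_BHO_CLSID.lower() in path.lower():
            findings.append((path, "Scieron Browser Helper Object CLSID registered"))
    return findings


def check_dns_queries(log_lines):
    """log_lines: constructed text lines '<timestamp> <host> query <qtype> <name>'.
    Returns (host, name, matched_domain) for names equal to, or a subdomain
    of, a listed C2 domain. Trailing dots and case are normalised."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue
        host, name = parts[1], parts[4].rstrip(".").lower()
        for domain in SCIERON_DOMAINS:
            if name == domain or name.endswith("." + domain):
                hits.append((host, name, domain))
                break
    return hits


def check_mutexes(mutex_names):
    """Return the listed Scieron mutex names present in a host's mutex list."""
    return sorted(set(mutex_names) & SCIERON_MUTEXES)


# Constructed sample telemetry: one benign autorun, the Scieron Run value,
# and the BHO InprocServer32 key.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\https",
     r"rundll32.exe C:\Documents and Settings\alice\Application Data\httpsapi.dll,DllGetObject"),
    (r"HKCR\CLSID\{B8969153-2214-4d23-B02B-FC8B490F8F54}\InprocServer32",
     r"C:\WINDOWS\system32\mshttp.dll"),
]
SAMPLE_DNS_LOG = [  # constructed
    "2014-07-25T10:00:01Z ws-017 query A www.example.com",
    "2014-07-25T10:00:07Z ws-017 query A coastnews.darktech.org",
    "2014-07-25T10:00:09Z ws-042 query A MarkShell.etowns.net.",
    "2014-07-25T10:00:12Z ws-042 query AAAA update.apple.dynamic-dns.net",
]
SAMPLE_MUTEXES = ["SomeAppSingleInstance", "httpsapi_dll_5_1"]  # constructed

if __name__ == "__main__":
    for finding in check_autorun_entries(SAMPLE_AUTORUNS):
        print("AUTORUN", *finding)
    for hit in check_dns_queries(SAMPLE_DNS_LOG):
        print("DNS", *hit)
    for name in check_mutexes(SAMPLE_MUTEXES):
        print("MUTEX", name)
```

The DNS check accepts subdomains of each listed name because the list consists of dynamic-DNS hosts whose operators can add labels freely, and the Run check keys on the DLL name and export rather than the full path for the same reason: the expanded %UserProfile% differs per host, so an exact-path match would miss real infections.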

Last update 25 July 2014
