Home / malwarePDF  

Trojan.Feratuser


First posted on 19 June 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Feratuser.

Explanation :

When the Trojan is executed, it creates the following files: %Windir%\Media\Windows Config.wav%System%\frtest.dat
The Trojan creates the following registry entries: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nwcworkstation\"ImagePath" = "%SystemDrive%\System32\svchost.exe -k netsvcs""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nwcworkstation\"DisplayName" = "Internet Router Service"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nwcworkstation\parameters\"servicedll" = "%System%\frtest.dat""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nwcworkstation\parameters\"servicemain" = "StartMain"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters\"ServiceDllUnloadOnSto" = "1"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{B28E0E78-882D-403c-AF4E-BDEC9C8FA37B}\"GroupIndex" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{B28E0E78-882D-403c-AF4E-BDEC9C8FA37B}\"PluginInfo" = "[BINARY DATA]"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{B28E0E78-882D-403c-AF4E-BDEC9C8FA37B}\"ServiceArg" = "[BINARY DATA]"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{B28E0E78-882D-403c-AF4E-BDEC9C8FA37B}\"SrvHash" = "[BINARY DATA]" The Trojan connects to one of the following remote locations: dns.gogogogoogle.com:80update.gogogogoogle.com:443dns.gogogogoogle.com:80update.gogogogoogle.com:443
The Trojan downloads a malicious component from the remote location that it connects to. The Trojan then saves this component in the following registry subkey as encrypted binary data: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{B28E0E78-882D-403c-AF4E-BDEC9C8FA37B}\"SrvCode"
The Trojan then decrypts this malicious component and executes it into memory.

Last update 19 June 2015

 

TOP