
Trojan:Win32/Netfosor.A


First posted on 30 January 2014.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Netfosor.A.

Explanation:

Threat behavior

Installation

Some versions of this threat have been observed setting themselves up to run automatically at logon using the following registry key:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "%appdata%\svchost.exe"
With data: "360v"

Payload

Downloads and runs files

This threat can receive commands from a hacker to download and run files on your PC. The output of those files, once run, is then sent back to the command and control (C&C) server.

Allows backdoor access and control

Depending on what the hacker commands this threat to do to your PC, this threat can:

  • settime - set your PC's time
  • drive - send back to the C&C server the letters used by your logical drives (A: to Z:)
  • list - send information about your file system back to the C&C server
  • down - upload the contents of a local file to the C&C server
  • upload - download a remote file from the server onto your PC
  • open - run a local file while gathering its output; this command only works if the year is 2014 or earlier

We've observed the C&C server to be microsoften.com. A hardcoded user name and password are used to connect to the C&C server.

This threat can also report the infected PC's local network IP address back to the C&C server.
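The installation and C&C details above give a defender two host-side indicators to hunt for: a Run-key autostart entry referencing `%appdata%\svchost.exe` / `360v`, and DNS lookups for microsoften.com. The following Python script is an added example, not code from the page or from Microsoft. It parses a `reg export`-style dump of the HKCU Run key and a constructed three-column DNS query log, and flags the page's indicators; it also goes one step beyond the page by flagging any Run-key entry that launches an svchost.exe from outside the System32/SysWOW64 directories, since the real svchost.exe never lives under %appdata%. The sample registry text and log lines are constructed for the example; the log format and the function names are assumptions.

```python
import re

# Indicators quoted from the page's description of Trojan:Win32/Netfosor.A.
C2_DOMAIN = "microsoften.com"
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# The page lists these as the value name and data; the checker matches either
# field so a dump with the two swapped is still caught.
RUN_INDICATORS = {r"%appdata%\svchost.exe", "360v"}

# Constructed sample: a `reg export` of the HKCU Run key. Strings in this
# format double their backslashes, which parse_reg_export() undoes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"%appdata%\\svchost.exe"="360v"
"""

# Constructed sample: DNS query log lines as "timestamp client qname"
# (assumed format; adapt the split below to your resolver's log layout).
SAMPLE_DNS_LOG = """\
2014-01-30T10:01:02Z 10.0.0.15 www.microsoft.com
2014-01-30T10:01:05Z 10.0.0.15 microsoften.com
2014-01-30T10:01:09Z 10.0.0.22 notmicrosoften.com
2014-01-30T10:02:11Z 10.0.0.15 update.microsoften.com
"""

# Matches a REG_SZ line of the form "name"="data", allowing escaped quotes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Return {key_path: [(value_name, data), ...]} for string values in a .reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current].append((_unescape(m.group(1)), _unescape(m.group(2))))
    return keys


def check_run_key(reg_text):
    """Flag Run-key entries matching the page's indicators, or any svchost.exe
    launched from outside the Windows system directories."""
    findings = []
    indicators = {i.lower() for i in RUN_INDICATORS}
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, []):
        fields = (name.lower(), data.lower())
        if any(f in indicators for f in fields):
            findings.append((name, data, "matches Netfosor.A Run-key indicator"))
            continue
        for f in fields:
            if "svchost.exe" in f and not re.search(r"\\(system32|syswow64)\\", f):
                findings.append((name, data, "svchost.exe outside System32/SysWOW64"))
                break
    return findings


def find_c2_lookups(log_text, c2_domain=C2_DOMAIN):
    """Return (client, qname) for lookups of the C&C domain or any subdomain of it.
    Exact-suffix matching avoids false hits such as notmicrosoften.com."""
    hits = []
    domain = c2_domain.lower()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].lower().rstrip(".")
        if qname == domain or qname.endswith("." + domain):
            hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    for name, data, why in check_run_key(SAMPLE_REG_EXPORT):
        print(f"[run key] {name!r} -> {data!r}: {why}")
    for client, qname in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"[dns] {client} looked up {qname}")
```

On a live host the registry text would come from `reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (a real `reg.exe` invocation; the export is UTF-16, so decode it before parsing), and the DNS lines from whatever resolver or firewall log the environment keeps.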

Additional information

If this threat is run with SYSTEM privileges, it determines the user name of the currently logged-on Remote Desktop Protocol user and then impersonates that user. That user account is used to run the payload, and the user name is reported back to the C&C server.

Symptoms

Alerts from your security software may be the only symptom.

Last update 30 January 2014
