TrojanDownloader:Win32/Tordow.A
First posted on 31 March 2015.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Tordow.A.
Explanation:
Threat behavior
Installation
This threat can create files on your PC, including:
- %TEMP%\UpdateCV\update.dat
It then decrypts and runs this file, which is a malicious executable.
The decrypted file is typically saved and run in:
- %TEMP%\UpdateCV\installer.exe
- %TEMP%\UpdateCV\update.exe
Note: The downloaded file may vary. As of this writing, we detect the downloaded file as VirTool:Win32/CeeInject.gen!DZ.
This malware also adds itself to the Windows Firewall Authorized Applications list so that its network connections are not blocked by the firewall.
It modifies the registry so that it runs each time you start your PC. For example:
- In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Sets value: ""
  With data: ":*:Enabled:Policy"
- In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  Sets value: "6881:TCP"
  With data: "6881:TCP:*:Enabled:Policy"
Payload
Downloads malware or unwanted software
This threat can download other malware and unwanted software onto your PC.
After the downloaded file is run, this malware continues to run in the background. It appears to share the copy of the file with peers to spread to other victims.
Symptoms
The following can indicate that you have this threat on your PC:
- In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Sets value: ""
  With data: ":*:Enabled:Policy"
- In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  Sets value: "6881:TCP"
  With data: "6881:TCP:*:Enabled:Policy"
Last update 31 March 2015
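The following PowerShell script is an added example, not part of the Microsoft write-up, that checks a host for the indicators listed in the Installation and Symptoms sections above: the dropped files under %TEMP%\UpdateCV and the two Windows Firewall Standard Profile registry entries. It assumes the key paths exactly as the page gives them and that it is run with rights to read HKLM; the names `$base`, `$dropDir` and `$findings` are the example's own.

```powershell
# Added example (not the encyclopedia entry's own code): look for the file and
# registry indicators described for TrojanDownloader:Win32/Tordow.A.
# Assumes the Standard Profile key paths quoted on the page and read access to HKLM.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$dropDir = Join-Path $env:TEMP 'UpdateCV'
$findings = @()

# Indicator 1: dropped files in %TEMP%\UpdateCV (names taken from the page).
foreach ($file in 'update.dat', 'installer.exe', 'update.exe') {
    $path = Join-Path $dropDir $file
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Data = '' }
    }
}

# Indicator 2: AuthorizedApplications entry whose value name is empty (the key's
# default value) and whose data is ':*:Enabled:Policy'.
$appsKey = Join-Path $base 'AuthorizedApplications\List'
if (Test-Path -LiteralPath $appsKey) {
    $key = Get-Item -LiteralPath $appsKey
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        if ($name -eq '' -and $data -eq ':*:Enabled:Policy') {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$appsKey\(Default)"; Data = $data }
        }
    }
}

# Indicator 3: GloballyOpenPorts entry '6881:TCP' with data '6881:TCP:*:Enabled:Policy'.
$portsKey = Join-Path $base 'GloballyOpenPorts\List'
if (Test-Path -LiteralPath $portsKey) {
    $props = Get-ItemProperty -LiteralPath $portsKey -ErrorAction SilentlyContinue
    $data = $props.'6881:TCP'
    if ($data -eq '6881:TCP:*:Enabled:Policy') {
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$portsKey\6881:TCP"; Data = $data }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Tordow.A indicators found.'
} else {
    Write-Output 'Possible Tordow.A indicators:'
    $findings | Format-Table -AutoSize
}
```

Treat a hit on the port entry alone with some care: 6881/TCP is the default BitTorrent port, so a legitimately installed peer-to-peer client can produce the same firewall exception. The dropped files under %TEMP%\UpdateCV or the empty-name AuthorizedApplications entry are the stronger signals, and a host with any of them should be checked with an up-to-date antimalware scan.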