
Trojan.Dokabot


First posted on 12 June 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Dokabot.

Explanation :

When the Trojan is executed, it copies itself to the following locations:
%UserProfile%\crss.exe
%UserProfile%\Documents\crss.exe
%UserProfile%\Downloads\crss.exe
The Trojan may create the following registry keys so that it runs whenever the computer is started:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Document Explorer2 = %UserProfile%\Documents\crss.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Download Manager2 = %UserProfile%\Downloads\crss.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Profile Manager2 = %UserProfile%\crss.exe
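
The persistence entries above can be checked during triage. The following is an added example, not part of the original write-up: it scans the text output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` for the listed value names and file paths. The function names, the user "alice" and the sample output are constructed for illustration.

```python
import re

# Indicators from the write-up: Run value name -> path relative to %UserProfile%.
INDICATORS = {
    "document explorer2": r"documents\crss.exe",
    "download manager2": r"downloads\crss.exe",
    "profile manager2": r"crss.exe",
}
# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")

def normalize(data, user_profile):
    """Strip quotes, expand %UserProfile%, lowercase (Windows paths ignore case)."""
    data = data.strip().strip('"')
    data = re.sub(r"%userprofile%", lambda m: user_profile, data, flags=re.I)
    return data.lower()

def find_dokabot_run_entries(reg_output, user_profile):
    """Return (value_name, data, reason) for Run values matching the indicators."""
    profile = user_profile.rstrip("\\").lower()
    dropped = {profile + "\\" + rel for rel in INDICATORS.values()}
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, _type, data = m.groups()
        path = normalize(data, profile)
        expected = INDICATORS.get(name.strip().lower())
        if expected and path == profile + "\\" + expected:
            hits.append((name, data, "name and path match"))
        elif expected:
            hits.append((name, data, "value name match only"))
        elif path in dropped:
            hits.append((name, data, "path match only"))
    return hits

# Constructed sample output for a hypothetical user "alice".
SAMPLE = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    Document Explorer2    REG_SZ    C:\\Users\\alice\\Documents\\crss.exe
    Updater    REG_EXPAND_SZ    %UserProfile%\\Downloads\\crss.exe
"""

if __name__ == "__main__":
    for hit in find_dokabot_run_entries(SAMPLE, r"C:\Users\alice"):
        print(hit)
```

Because the entries live under HKEY_CURRENT_USER, the query output has to be collected for each user profile on the computer, not only for the account running the check.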
The Trojan opens a back door on the compromised computer and connects to a URL chosen by the attacker.

Note: The Trojan allows attackers to enter any URL for the Trojan to connect to.

The Trojan may download potentially malicious files.

Last update 12 June 2015

 
