
Downloader.Filcout


First posted on 20 June 2014.
Source: Symantec

Aliases:

There are no other names known for Downloader.Filcout.

Explanation:

When the Trojan is executed, it creates the following registry entries:

HKEY_CURRENT_USER\Software\FileScout\"lsttm" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\filescout\"command" = ""[ORIGINAL FILE NAME]" /sc "%1""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\"filescout" = "Show how to open this file"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\"command" = ""[ORIGINAL FILE NAME]" /open "%1""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command\"fs_backup" = "%SystemDrive%\system32\rundll32.exe %SystemDrive%\system32\shell32.dll,OpenAs_RunDLL %1"

Next, the Trojan connects to the following remote locations:

[http://]softango.com/file-ex[REMOVED]
[http://]updater-1341016669.us-east-1.elb.amazonaws.com/update/updat[REMOVED]
[http://]updater-1341016669.us-east-1.elb.amazonaws.com/update/updat[REMOVED]
[http://]updater-1341016669.us-east-1.elb.amazonaws.com/update/updat[REMOVED]
The Trojan may then download and install Trojan.Sefnit.
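The registry and network artefacts above are the indicators a responder would sweep for. The following is an added detection example, not code from Symantec or from this site: it parses a `.reg` export (as produced by `reg export` or Regedit) and checks it for the FileScout keys and for the hijacked `Unknown\shell\openas\command` handler, then scans proxy log lines for the two hostnames in the write-up. The sample registry export and log lines embedded in the block are constructed; the executable path in them and the URL paths (truncated in the write-up) are placeholders, not real indicators.

```python
"""Added detection example (not Symantec's code): scan an exported .reg file
and proxy log lines for the Downloader.Filcout indicators in the write-up."""
import re

# Registry keys that only the Trojan creates (taken from the write-up).
FILCOUT_KEYS = (
    r"HKEY_CURRENT_USER\Software\FileScout",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\filescout",
)
# A legitimate Windows key whose handler the Trojan replaces; the original
# rundll32 OpenAs_RunDLL handler is saved in a value named "fs_backup".
OPENAS_COMMAND_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command"

# Hostnames from the remote locations in the write-up (URL paths were truncated there).
FILCOUT_HOSTS = ("softango.com", "updater-1341016669.us-east-1.elb.amazonaws.com")

_KEY_LINE = re.compile(r"^\[([^\]]+)\]$")
_VALUE_LINE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')
_URL_HOST = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here into {key: {value_name: raw_data}}.
    The key's default value is stored under the name "@"; data is left as the
    raw right-hand side (quoted string, hex:..., dword:...)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(3)
    return keys


def find_registry_indicators(reg_text):
    """Return [(key, reason)] for every Filcout registry artefact found.
    Registry paths are compared case-insensitively, as Windows does."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        lk = key.lower()
        if any(lk == k.lower() or lk.startswith(k.lower() + "\\") for k in FILCOUT_KEYS):
            findings.append((key, "FileScout key present"))
        if lk == OPENAS_COMMAND_KEY.lower():
            if any(n.lower() == "fs_backup" for n in values):
                findings.append((key, "fs_backup value present"))
            # The write-up shows the handler rewritten to "<file>" /open "%1".
            handler = values.get("@", "") + values.get("command", "")
            if "/open" in handler.lower():
                findings.append((key, "openas handler redirected with /open"))
    return findings


def find_network_indicators(log_lines):
    """Return [(line_number, host)] for log lines whose URL host is a Filcout host."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in _URL_HOST.findall(line):
            h = host.lower()
            if any(h == bad or h.endswith("." + bad) for bad in FILCOUT_HOSTS):
                hits.append((n, h))
    return hits


# Constructed sample data for a stand-alone run. The executable path is invented
# (the write-up only gives [ORIGINAL FILE NAME]); the last key is a clean control.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\FileScout]
"lsttm"=hex:00,01,02

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\filescout]
@="Show how to open this file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\filescout\command]
@="\"C:\\Users\\victim\\AppData\\Local\\FileScout.exe\" /sc \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]
@="\"C:\\Users\\victim\\AppData\\Local\\FileScout.exe\" /open \"%1\""
"fs_backup"="%SystemDrive%\\system32\\rundll32.exe %SystemDrive%\\system32\\shell32.dll,OpenAs_RunDLL %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

# Constructed Squid-style proxy lines; client/server IPs and URL paths are placeholders.
SAMPLE_LOG = [
    "1403251200.101 312 10.0.0.5 TCP_MISS/200 8192 GET http://softango.com/constructed-path - DIRECT/198.51.100.10 application/octet-stream",
    "1403251230.412 88 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/203.0.113.7 text/html",
    "1403251260.733 201 10.0.0.5 TCP_MISS/200 4096 GET http://updater-1341016669.us-east-1.elb.amazonaws.com/update/constructed-path - DIRECT/198.51.100.20 text/xml",
]

if __name__ == "__main__":
    for key, reason in find_registry_indicators(SAMPLE_REG):
        print(f"registry: {reason}: {key}")
    for n, host in find_network_indicators(SAMPLE_LOG):
        print(f"network: line {n} contacted {host}")
```

On the sample data the registry sweep reports the two FileScout keys (and the command subkey under the second), plus two findings on the `openas\command` key: the `fs_backup` value and the `/open` handler. The clean `txtfile` key is not reported, and only the first and third log lines are flagged. Because `openas\command` exists on every Windows install, the presence of that key alone is never treated as an indicator; only the Filcout-specific modifications to it are.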

Last update 20 June 2014
