Trojan.Compfun


First posted on 13 May 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Compfun.

Explanation:

When the Trojan is executed, it creates the following files:
%Temp%\KB31545547.exe
%Temp%\tmpB425.tmp
%Temp%\~$tmpRestore.doc
%System%\api-ms-win-downlevel-kzpe-l1-1-0._dl
%System%\api-ms-win-downlevel-wmeu-l1-1-0._dl
Next, the Trojan modifies the following registry subkeys:
HKEY_CURRENT_USER\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32\(Default) = C:\Windows\system\api-ms-win-downlevel-kzpe-l1-1-0._dl
HKEY_CURRENT_USER\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32\ThreadingModel = Apartment
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\(Default) = C:\Windows\system\api-ms-win-downlevel-wmeu-l1-1-0._dl
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\ThreadingModel = Apartment
The Trojan opens a back door on the compromised computer and connects to the following IP address:
185.26.127.134

The Trojan also collects the following information from the compromised computer:
key presses
screenshots
clipboard data
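The following PowerShell check is an added example, not part of the Symantec writeup: it looks on a Windows host for the dropped files, the per-user CLSID registry entries and the network indicator listed above. It assumes %Temp% maps to $env:TEMP and %System% to $env:SystemRoot\System32 (the registry values in the writeup literally name C:\Windows\system\, so that folder is checked too), and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the writeup): host check for the Trojan.Compfun
# indicators listed above. Run in the context of the user that may be
# infected, because the hijack keys live under HKEY_CURRENT_USER.
$findings = @()

# 1. Dropped files. Assumption: %Temp% = $env:TEMP, %System% = System32;
#    the writeup's registry values point at C:\Windows\system\, so check both.
$droppedFiles = @(
    (Join-Path $env:TEMP 'KB31545547.exe'),
    (Join-Path $env:TEMP 'tmpB425.tmp'),
    (Join-Path $env:TEMP '~$tmpRestore.doc'),
    (Join-Path $env:SystemRoot 'System32\api-ms-win-downlevel-kzpe-l1-1-0._dl'),
    (Join-Path $env:SystemRoot 'System32\api-ms-win-downlevel-wmeu-l1-1-0._dl'),
    (Join-Path $env:SystemRoot 'system\api-ms-win-downlevel-kzpe-l1-1-0._dl'),
    (Join-Path $env:SystemRoot 'system\api-ms-win-downlevel-wmeu-l1-1-0._dl')
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Per-user COM registration. A CLSID under HKCU\Software\Classes is
#    consulted before the machine-wide one, so a user-writable key can
#    redirect a COM load to the dropped '._dl' file without admin rights.
$hijackKeys = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32',
    'Registry::HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}'
)
foreach ($k in $hijackKeys) {
    if (Test-Path -LiteralPath $k) {
        $server = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).'(default)'
        $findings += "Registry key present: $k -> '$server'"
        # A (Default) value ending in '._dl' matches the writeup, whatever the folder.
        if ($server -like '*._dl') { $findings += "  (Default) names a ._dl file: Compfun indicator" }
    }
}

# 3. Network indicator: any TCP connection to the address in the writeup.
$c2 = '185.26.127.134'
$conns = Get-NetTCPConnection -RemoteAddress $c2 -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $findings += "Connection to $c2 from PID $($c.OwningProcess) (state $($c.State))"
}

if ($findings.Count -eq 0) { 'No Trojan.Compfun indicators found.' } else { $findings }
```

A hit on the registry check alone is worth investigating even if the files are gone, since the CLSID entries are what keep the DLL loading across sessions.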

Last update 13 May 2015
