
Trojan.Pittyger


First posted on 18 July 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Pittyger.

Explanation :

When the Trojan is executed, it creates the following files:
%Temp%\~awinhp.tmp
[THREAT LOCATION]\.txt
%Temp%\ldwc.bat
%Temp%\verclsid.exe
It then creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe, [THREAT LOCATION]\[THREAT FILE NAME].exe"

Next, the Trojan connects to one or more of the following command-and-control (C&C) servers:
zeng.skypetm.com.tw
aniu.skypetm.com.tw
sophos.skypetm.com.tw
The Trojan gathers the following information from the compromised computer and sends it to the attacker:
Host name
User name
Operating system and patch information
List of open TCP ports and processes running on them
Installer services and software information
IP address and ethernet information
It may then perform the following actions on the compromised computer:
Create a mutex named "PittyTiger"
Open a back door on the compromised computer
Update the C&C server list
Upload and download files
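
A triage check for the host artifacts listed above, added here as an example and not part of Symantec's write-up. Get-ExtraShellEntries is a hypothetical helper name, and the script assumes it runs in the logged-on user's session, so it reports only on that user's HKCU hive, %Temp% folder and session mutex namespace.

```powershell
# Added example: looks for the Trojan.Pittyger artifacts named in this write-up.
function Get-ExtraShellEntries {
    param([string]$ShellValue)
    # Winlogon "Shell" is a comma-separated list of programs started at logon.
    # Anything other than a bare explorer.exe is reported for review.
    if ([string]::IsNullOrWhiteSpace($ShellValue)) { return @() }
    @($ShellValue -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -and ($_ -ne 'explorer.exe') })
}

$findings = @()

# 1. Per-user Winlogon Shell value (the registry entry the Trojan creates).
$key   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
foreach ($entry in Get-ExtraShellEntries $shell) {
    $findings += "Winlogon Shell launches extra program: $entry"
}

# 2. Dropped files with fixed names under %Temp%.
#    verclsid.exe is also the name of a legitimate Windows binary in System32,
#    so only the copy in %Temp% is of interest here.
foreach ($name in '~awinhp.tmp', 'ldwc.bat', 'verclsid.exe') {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) { $findings += "Dropped file present: $path" }
}

# 3. Named mutex held by a running instance (session-local namespace only).
try {
    $mutex = [System.Threading.Mutex]::OpenExisting('PittyTiger')
    $mutex.Dispose()
    $findings += 'Mutex "PittyTiger" exists (an instance may be running)'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex not present in this session: nothing to report.
} catch [System.UnauthorizedAccessException] {
    $findings += 'Mutex "PittyTiger" exists but could not be opened'
}

if ($findings) { $findings } else { 'No Trojan.Pittyger artifacts found for this user.' }
```

A hit on the Shell value alone is not conclusive, since other software can set it; treat it as a lead and inspect the listed executable.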

Last update 18 July 2014

 
