Home / malware Backdoor.Glasrats
First posted on 02 December 2015.
Source: SymantecAliases :
There are no other names known for Backdoor.Glasrats.
Explanation :
When this Trojan is executed, it creates the following files: %AllUsersProfile%\Application Data\update.dll%AllUsersProfile%\Application Data\updatef.dll%AllUsersProfile%\Application Data\net317rs.dll%AllUsersProfile%\Application Data\ovss725y.dll
The Trojan then creates the following registry entries: HKEY_LOCAL_MACHINE\SYSTEM\Select\"Default" = "2"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters\"ServiceDll" = "[MALWARE PATH]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\"Start" = "2"
Next, the Trojan connects to the following remote locations: qx.rausers.comxx.rausers.combits.foryousee.nettestforyou.jwm.uk.org.com112.175.41.71
The Trojan may then perform the following actions: Send system information such as OS version, computer name, and IP addressUpload or download filesExecute files and commandsStart an interactive command shellLast update 02 December 2015
