
Downloader.Chanitor


First posted on 04 January 2015.
Source: Symantec

Aliases :

There are no other names known for Downloader.Chanitor.

Explanation :

When the Trojan is executed, it creates the following file:
%AppData%\Windows\winlogin.exe

The Trojan creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\"cfg" = "{[GUID]}SERV }[HOSTNAME]"

The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winlogin" = "%AppData%\Windows\winlogin.exe"

The Trojan may connect to the following domains:
api.ipify.org
ho7rcj6wucosa5bu.tor2web.org
The Trojan then downloads and executes files from a remote location.
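The following Python script is an added example, not part of the Symantec writeup, showing how a responder could turn the indicators above (dropped file, Run key, Active Setup marker, the two domains) into a hunt over endpoint telemetry. The event format and the sample events are constructed for the example; the indicator values are the ones listed above. Two assumptions go beyond the page: %AppData% is matched in its expanded form (AppData\Roaming) as well as unexpanded, and any *.tor2web.* gateway is treated as suspicious, not only the one host named. Note that api.ipify.org is a public IP-lookup service that legitimate software also uses, so the script reports it but only escalates when the same host then reaches a tor2web gateway.

```python
"""Hunt for Downloader.Chanitor indicators in constructed endpoint telemetry.

Added example; event layout and sample data are constructed, indicator
values come from the writeup above.
"""
import re
from collections import defaultdict

# Indicators from the writeup (registry value paths written as key\valuename).
RUN_VALUE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogin"
ACTIVE_SETUP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components"
                    r"\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E")
C2_DOMAINS = {"api.ipify.org", "ho7rcj6wucosa5bu.tor2web.org"}

# Assumption: %AppData% expands to <profile>\AppData\Roaming (Vista and later),
# so accept both the unexpanded indicator and the on-disk path.
DROP_PATH_RE = re.compile(r"(?i)(^%AppData%|\\AppData\\Roaming)\\Windows\\winlogin\.exe$")

# Assumption: any tor2web gateway is worth flagging, not just the one named.
TOR2WEB_RE = re.compile(r"(?i)(^|\.)tor2web\.[a-z]+$")


def classify(event):
    """Return the indicator names a single event matches.

    event is a dict with keys host, kind (file | registry | dns) and value.
    """
    kind, value = event["kind"], event["value"]
    hits = []
    if kind == "file" and DROP_PATH_RE.search(value):
        hits.append("dropped winlogin.exe")
    elif kind == "registry":
        path = value.lower()
        if path.startswith(RUN_VALUE.lower()):
            hits.append("Run key persistence")
        if path.startswith(ACTIVE_SETUP_KEY.lower()):
            hits.append("Active Setup cfg marker")
    elif kind == "dns":
        domain = value.lower().rstrip(".")
        if domain in C2_DOMAINS:
            hits.append("known C2/lookup domain " + domain)
        elif TOR2WEB_RE.search(domain):
            hits.append("tor2web gateway " + domain)
    return hits


def scan(events):
    """Group findings per host; events are assumed to be in time order.

    ip_check_then_tor2web is set when a host resolves api.ipify.org and
    later resolves a tor2web gateway, the sequence the writeup describes.
    """
    findings = defaultdict(lambda: {"hits": [], "ip_check_then_tor2web": False})
    seen_ipify = set()
    for ev in events:
        host = ev["host"]
        findings[host]["hits"].extend(classify(ev))
        if ev["kind"] == "dns":
            domain = ev["value"].lower().rstrip(".")
            if domain == "api.ipify.org":
                seen_ipify.add(host)
            elif TOR2WEB_RE.search(domain) and host in seen_ipify:
                findings[host]["ip_check_then_tor2web"] = True
    return {h: f for h, f in findings.items() if f["hits"]}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "file",
     "value": r"C:\Users\alice\AppData\Roaming\Windows\winlogin.exe"},
    {"host": "ws01", "kind": "registry", "value": RUN_VALUE},
    {"host": "ws01", "kind": "registry", "value": ACTIVE_SETUP_KEY + r"\cfg"},
    {"host": "ws01", "kind": "dns", "value": "api.ipify.org"},
    {"host": "ws01", "kind": "dns", "value": "ho7rcj6wucosa5bu.tor2web.org"},
    # Legitimate winlogon.exe (note the 'o'): must not match the dropped file.
    {"host": "ws02", "kind": "file", "value": r"C:\Windows\System32\winlogon.exe"},
    # An IP lookup on its own is common and not conclusive.
    {"host": "ws02", "kind": "dns", "value": "api.ipify.org"},
    {"host": "ws03", "kind": "dns", "value": "example.tor2web.io"},
]

if __name__ == "__main__":
    for host, result in scan(SAMPLE_EVENTS).items():
        flag = " [ipify -> tor2web sequence]" if result["ip_check_then_tor2web"] else ""
        print(f"{host}{flag}: {', '.join(result['hits'])}")
```

Run against the sample data, ws01 produces all five indicators plus the ipify-then-tor2web sequence, ws02 only the IP lookup (reported, not escalated), and ws03 a generic tor2web hit from the widened gateway rule.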

Last update 04 January 2015
