TrojanDownloader:Win32/Neojit.A
First posted on 04 April 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Neojit.A is also known as Trojan/Win32.Buzus (AhnLab), Trojan.Buzus!JJj3PKAEFcA (VirusBuster), TR/Buzus.kzswna (Avira), Trojan.Win32.Buzus (Ikarus), Trojan.Win32.Buzus.kzsw (Kaspersky).
Explanation:
TrojanDownloader:Win32/Neojit.A is a trojan that downloads arbitrary files from a predefined website.
Installation
When run, TrojanDownloader:Win32/Neojit.A creates a randomly named copy of itself in the %ALLUSERSPROFILE% folder, for example:
- %ALLUSERSPROFILE%\t3c2h72pq31a\jifjpfwdxn3cptx.exe
- %ALLUSERSPROFILE%\k2xch2ffwfsip\m7fe1khrjvt.exe
The registry is modified to run the trojan at every Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "<malware path and file name>"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "%ALLUSERSPROFILE%\t3c2h72pq31a\jifjpfwdxn3cptx.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "%ALLUSERSPROFILE%\k2xch2ffwfsip\m7fe1khrjvt.exe"
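A triage script for the persistence described above, added here as an example and not part of the original analysis: it flags HKCU Run values whose data points to an executable exactly one folder below %ALLUSERSPROFILE%. The function name, the sample rows and the letters-and-digits name pattern are assumptions drawn from the two example paths.

```powershell
# Added example (not from the original write-up): flag Run values whose data matches
# the install pattern %ALLUSERSPROFILE%\<random folder>\<random name>.exe.
# Assumption: folder and file names contain only letters and digits, as in the two
# example paths; a match is a candidate for review, not a confirmed detection.

function Get-NeojitStylePath {
    param([string] $Data, [string] $Root = $env:ALLUSERSPROFILE)
    # REG_SZ data may still hold the literal %ALLUSERSPROFILE%; expand it first.
    $expanded = [Environment]::ExpandEnvironmentVariables($Data.Trim())
    # <root>\<one folder>\<file>.exe, optionally quoted, optionally followed by arguments.
    $pattern = '^"?(?<exe>' + [regex]::Escape($Root.TrimEnd('\')) +
               '\\[a-z0-9]+\\[a-z0-9]+\.exe)"?(\s|$)'
    if ($expanded -match $pattern) { return $Matches['exe'] }   # -match ignores case
    return $null
}

$entries = @(
    # Constructed sample rows: the first uses an example path from this page,
    # the second is a made-up benign entry that must not match (space in folder name).
    [pscustomobject]@{ Source = 'sample'; Name = 'sample1'
                       Data = '%ALLUSERSPROFILE%\t3c2h72pq31a\jifjpfwdxn3cptx.exe' }
    [pscustomobject]@{ Source = 'sample'; Name = 'sample2'
                       Data = '"%ALLUSERSPROFILE%\Vendor Tools\updater.exe" /background' }
)

# Live values from the current user's Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $entries += [pscustomobject]@{ Source = 'registry'; Name = $name
                                       Data = [string] $key.GetValue($name) }
    }
}

foreach ($e in $entries) {
    $exe = Get-NeojitStylePath -Data $e.Data
    if (-not $exe) { continue }
    $onDisk = Test-Path -LiteralPath $exe -PathType Leaf
    [pscustomobject]@{
        Source    = $e.Source
        ValueName = $e.Name
        Path      = $exe
        OnDisk    = $onDisk
        # Hash the file when present so it can be checked against AV or reputation data.
        SHA256    = if ($onDisk) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
    }
}
```

Legitimate software installed one folder below %ALLUSERSPROFILE% can also match, so each hit needs review before removal. HKCU covers only the account running the script, so run it once per user profile.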
Payload
Downloads arbitrary files
TrojanDownloader:Win32/Neojit.A attempts to connect to the following websites to download arbitrary files:
- c.g3log.com.br
- whm2.saogotardo.com.br
Analysis by Jireh Sanico
Last update 04 April 2012