W32.Droments
First posted on 13 May 2015.
Source: Symantec
Aliases:
There are no other names known for W32.Droments.
Explanation:
The worm may arrive by way of a malicious Microsoft Word document. The worm also spreads through networks by using the PsExec tool coupled with stolen network credentials.
Once executed, the worm creates the following files:
%Temp%\[RANDOM DIGITS].exe
%Temp%\[RANDOM DIGITS]\[RANDOM DIGITS].exe
%Windir%\temp\[MAC ADDRESS].txt
%CurrentFolder%\mim.log
The worm then connects to the following remote location and downloads an encrypted executable file:
[https://]andropaul.com/down/men[REMOVED]
The worm decrypts and loads the file without saving it to disk.
The decrypted file may download additional components from the following remote locations:
[https://]andromike.com/down/cashlo[REMOVED]
[https://]andromike.com/down/psexe[REMOVED]
[https://]andromike.com/down/mimikat[REMOVED]
[https://]andromike.com/down/mimikat[REMOVED]
[https://]andromike.com/down/andro[REMOVED]
The downloaded files are saved to the following locations:
%Temp%\[RANDOM DIGITS].exe
%Temp%\[RANDOM DIGITS]\[RANDOM DIGITS].exe
The worm may then perform the following actions on the compromised computer:
Scans the memory of processes running on the compromised computer for payment card track data
Gets network credentials from the compromised computer using the Mimikatz tool (Hacktool.Mimikatz)
The worm uploads the stolen information to the following remote location:
[https://]andromike.com/down/log32[REMOVED]
The worm spreads by copying itself to other computers on the network by using the PsExec remote administration tool and the credentials obtained using the Mimikatz tool.
Last update 13 May 2015
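As an added, defensive illustration (this is not part of the Symantec write-up), the following Python script turns the file artifacts and remote locations listed above into indicator matches and runs them over constructed sample file paths and proxy log lines. The concrete %Temp% and %Windir% locations, the proxy log format and every sample value are assumptions; because the write-up truncates each URL with [REMOVED], the URL paths are matched as prefixes, and the [MAC ADDRESS] placeholder is read as twelve hex digits with optional separators.

```python
"""Indicator matching for the W32.Droments artifacts in the write-up above.

Added example, not Symantec's code.  Sample paths and proxy log lines are
constructed; the %Temp% and %Windir% locations are passed in per host.
"""
import re
from urllib.parse import urlsplit

# Hosts and path prefixes from the write-up.  Each path ends in "[REMOVED]"
# there, so only the surviving prefix is matched.
C2_PATH_PREFIXES = {
    "andropaul.com": ("/down/men",),
    "andromike.com": ("/down/cashlo", "/down/psexe", "/down/mimikat",
                      "/down/andro", "/down/log32"),
}

# File artifacts from the write-up, placeholders expanded into regexes that
# are applied after the path has been normalised back to %Temp%/%Windir%.
FILE_PATTERNS = {
    "temp-random-exe": re.compile(r"^%Temp%\\\d+\.exe$", re.I),
    "temp-random-subdir-exe": re.compile(r"^%Temp%\\\d+\\\d+\.exe$", re.I),
    "windir-temp-mac-txt": re.compile(
        r"^%Windir%\\temp\\(?:[0-9A-F]{2}[-:]?){6}\.txt$", re.I),
    "mim-log": re.compile(r"(?:^|\\)mim\.log$", re.I),
}


def normalise_path(path, temp_dir, windir):
    """Replace the concrete temp and Windows directories (assumed, per host)
    with the %Temp% / %Windir% tokens the write-up uses.  Longest concrete
    prefix wins so a nested temp directory is not mis-tokenised."""
    p = path.replace("/", "\\")
    mapping = sorted((("%Temp%", temp_dir), ("%Windir%", windir)),
                     key=lambda kv: len(kv[1]), reverse=True)
    for token, concrete in mapping:
        concrete = concrete.replace("/", "\\").rstrip("\\")
        if p.lower().startswith(concrete.lower() + "\\"):
            return token + p[len(concrete):]
    return p


def match_file_artifacts(paths, temp_dir, windir):
    """Return (path, indicator-name) pairs for paths matching an artifact."""
    hits = []
    for path in paths:
        norm = normalise_path(path, temp_dir, windir)
        for name, pattern in FILE_PATTERNS.items():
            if pattern.search(norm):
                hits.append((path, name))
    return hits


def match_c2_url(url):
    """Return (host, prefix) if the URL is one of the listed download or
    upload locations, else None."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    for prefix in C2_PATH_PREFIXES.get(host, ()):
        if parts.path.startswith(prefix):
            return (host, prefix)
    return None


# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>".
PROXY_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines):
    """Return (client-ip, method, host, prefix) for every line hitting a C2 URL."""
    hits = []
    for line in lines:
        m = PROXY_LOG_RE.match(line.strip())
        if not m:
            continue
        hit = match_c2_url(m.group("url"))
        if hit:
            hits.append((m.group("src"), m.group("method"), hit[0], hit[1]))
    return hits


# Constructed sample input (not taken from the write-up).
SAMPLE_PATHS = [
    r"C:\Users\clerk\AppData\Local\Temp\48213.exe",
    r"C:\Users\clerk\AppData\Local\Temp\48213\90311.exe",
    r"C:\Windows\temp\001A2B3C4D5E.txt",
    r"C:\POS\register\mim.log",
    r"C:\Users\clerk\AppData\Local\Temp\setup.exe",  # does not match: not all digits
    r"C:\Windows\temp\report.txt",                   # does not match: not a MAC
]

SAMPLE_PROXY_LOG = [
    "2015-05-13T10:01:02Z 10.20.30.41 GET https://andropaul.com/down/men_x 200",
    "2015-05-13T10:01:09Z 10.20.30.41 GET https://andromike.com/down/mimikat64 200",
    "2015-05-13T10:05:44Z 10.20.30.41 POST https://andromike.com/down/log32 200",
    "2015-05-13T10:06:00Z 10.20.30.77 GET https://example.com/down/men 200",  # other host
    "2015-05-13T10:06:10Z 10.20.30.77 GET https://andromike.com/index.html 404",
]

if __name__ == "__main__":
    temp, win = r"C:\Users\clerk\AppData\Local\Temp", r"C:\Windows"
    for path, name in match_file_artifacts(SAMPLE_PATHS, temp, win):
        print(f"file artifact  {name:24} {path}")
    for src, method, host, prefix in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"c2 traffic     {src} {method} {host}{prefix}")
```

The proxy-log side deliberately keys on host plus path prefix rather than on the full URL, since the write-up only preserves the leading part of each path; the file side normalises paths first so the same patterns work regardless of which user profile or Windows directory the host uses.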