Trojan.Fotomoto.H
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Fotomoto.H is also known as Trojan.Vundo.
Explanation:
Trojan.Fotomoto.E is a trojan with adware components that monitors popup activity.
If installed, the malware performs the following actions on your computer:
a) It works with randomly named files in the “%windows%\temp” directory and connects to an internet server, reporting some basic information about your computer, which is stored in a database on that server (23.244.141.***).
b) It modifies the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SFCDisable" = "4"
This stops Windows File Protection from notifying the user when system files are replaced and from logging such events.
c) It creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\db_number
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\domains_list
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\installation_id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\internal_affiliate_id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\next_url_post_time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\user_id
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Description with value “DomainService”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\DisplayName with value “DomainService”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\FailureActions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\ImagePath with the path of the executed malware as its value
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Security
d) It creates a process that runs as a service and registers an event so that, if the process is closed, it restarts itself, thereby changing its process ID.
e) It downloads another piece of malware to “%Temp%\aupddc.exe” and adds it to the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry key, so it is executed when Windows starts.
f) It modifies the registry key "HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" so that it is allowed through Windows Firewall and executes itself without the user's consent.
Last update 21 November 2011
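A read-only triage script for the artifacts listed in a) to f) above, written here as an added example; it is not part of the BitDefender write-up. It checks the Winlogon SFCDisable value, the DomainService registry keys and service, the Run entry and dropped file, and the Windows Firewall authorized-applications list. The CurrentControlSet path (checked alongside the ControlSet001 path from the write-up), the seven-day window for listing executables in %windir%\Temp, and matching on the file name aupddc.exe are assumptions of this example, not details from the page.

```powershell
# Added example, not from the BitDefender write-up: read-only check for the
# Trojan.Fotomoto.H artifacts described above. Run in an elevated PowerShell
# on the host under review. Nothing is modified or deleted.

$findings = New-Object System.Collections.Generic.List[string]

# a) Randomly named files in %windir%\Temp cannot be matched by name, so list
#    recently written executables for manual triage. Seven days is an assumption.
$winTemp = Join-Path $env:windir 'Temp'
Get-ChildItem -Path $winTemp -Filter *.exe -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object { $findings.Add("Recent executable in ${winTemp}: $($_.Name) ($($_.LastWriteTime))") }

# b) SFCDisable under Winlogon; the write-up reports the value 4.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = (Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
if ($null -ne $sfc -and $sfc -ne 0) {
    $findings.Add("Winlogon\SFCDisable is set to $sfc (write-up reports 4)")
}

# c) DomainService configuration and service keys. CurrentControlSet is an
#    assumption: it is the live control set on a running system.
$domainKeys = @(
    'HKLM:\SOFTWARE\Microsoft\DomainService',
    'HKLM:\SYSTEM\ControlSet001\Services\DomainService',
    'HKLM:\SYSTEM\CurrentControlSet\Services\DomainService'
)
foreach ($k in $domainKeys) {
    if (Test-Path $k) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        $image = $props.ImagePath
        $findings.Add("Registry key present: $k" + $(if ($image) { " (ImagePath=$image)" }))
    }
}

# d) A service named DomainService; record its state, PID and binary path.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DomainService'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add("Service DomainService: state=$($svc.State) pid=$($svc.ProcessId) path=$($svc.PathName)")
}

# e) Run-key entry and dropped file aupddc.exe (file-name match is an assumption).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'aupddc\.exe' } |
        ForEach-Object { $findings.Add("Run entry '$($_.Name)' -> $($_.Value)") }
}
$dropped = Join-Path $env:TEMP 'aupddc.exe'
if (Test-Path $dropped) { $findings.Add("Dropped file present: $dropped") }

# f) Windows Firewall authorized-applications list: flag entries pointing at
#    aupddc.exe or anywhere under the user's Temp directory.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwList -ErrorAction SilentlyContinue
if ($fw) {
    $fw.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and ($_.Value -match 'aupddc\.exe' -or $_.Value -match [regex]::Escape($env:TEMP)) } |
        ForEach-Object { $findings.Add("Firewall exception: $($_.Name) -> $($_.Value)") }
}

if ($findings.Count -eq 0) {
    'No Trojan.Fotomoto.H artifacts from the write-up were found.'
} else {
    'Possible Trojan.Fotomoto.H artifacts:'
    $findings | ForEach-Object { " - $_" }
}
```

The script only reads; a hit on the service or Run entry should be followed by collecting the referenced binary before any cleanup, since removing the service first would lose the ImagePath that ties the rest of the artifacts together.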