
Trojan.Arsivir


First posted on 02 February 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Arsivir.

Explanation :

When the Trojan is executed, it creates the following files (the two bg.txt paths are the Windows XP and the Vista-and-later layouts of the same Chrome extension directory):
    %SystemDrive%\Documents and Settings\All Users\Application Data\Chromium.exe
    %SystemDrive%\Documents and Settings\All Users\Application Data\a_chrome.exe
    %SystemDrive%\Documents and Settings\All Users\Application Data\free.exe
    %UserProfile%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\[EXTENSION ID]\bg.txt
    %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Extensions\[EXTENSION ID]\bg.txt

Next, the Trojan creates the following registry entry so that it runs at every logon:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Google Chromium" = "%SystemDrive%\Documents and Settings\All Users\Application Data\Chromium.exe"

The Trojan then attempts to overwrite the following browser executables with %SystemDrive%\Documents and Settings\All Users\Application Data\Chromium.exe, so that starting any of these browsers launches the Trojan's binary instead:
    %UserProfile%\Local Settings\Application Data\Yandex\YandexBrowser\Application\browser.exe
    %UserProfile%\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    %ProgramFiles%\Mozilla Firefox\firefox.exe
    %ProgramFiles%\Opera\launcher.exe

Next, the Trojan modifies the following registry entries. The first disables User Account Control (effective after the next restart); the second sets the Google Update policy that disables automatic updates:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\"EnableLUA" = "0"
    HKEY_LOCAL_MACHINE\Software\Policies\Google\Update\"UpdateDefault" = "0"

The Trojan then adds the following entries to %System%\drivers\etc\hosts, pointing the Google Update and Chrome update hosts at the local machine so that the browser cannot fetch updates or refresh its extension list:
    127.0.0.1 tools.google.com
    127.0.0.1 clients4.google.com

The Trojan then connects to the following remote locations:
    www.filmver.com
    www.neran.net
    www.pornokan.com

The Trojan may then download executables, updates, and Chrome extensions.
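The indicators above can be checked mechanically during host triage. The following Python script is an added example written for this page, not Symantec's or malwarePDF's tooling. It takes plain data (hosts-file text, a registry snapshot, file bytes) so it runs offline; every sample in it is constructed, not captured from an infection. It generalises the writeup in two places, both assumptions: it treats any 127.x or 0.0.0.0 mapping of the Google hosts as a sinkhole, and it flags two different browser executables that hash identically even when Chromium.exe itself is no longer present.

```python
"""Offline triage for the Trojan.Arsivir indicators listed above (added example).
Feed it the real hosts file, the two registry keys (e.g. from `reg export`) and
the bytes of the browser binaries on a suspect host; here it runs on constructed samples.
"""
import hashlib
from typing import Dict, List

# Names the Trojan pins to 127.0.0.1 so Chrome and Google Update cannot reach Google.
BLOCKED_GOOGLE_HOSTS = {"tools.google.com", "clients4.google.com"}
# Assumption (generalisation): any loopback or 0.0.0.0 mapping of those names is a sinkhole.
SINKHOLE_PREFIXES = ("127.", "0.0.0.0")

# Registry values from the writeup. None means any data for that value name is a hit.
REGISTRY_IOCS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {"Google Chromium": None},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"EnableLUA": "0"},
    r"HKEY_LOCAL_MACHINE\Software\Policies\Google\Update": {"UpdateDefault": "0"},
}

# The dropped binary and the browser executables it is copied over (paths from the writeup).
DROPPER = r"%SystemDrive%\Documents and Settings\All Users\Application Data\Chromium.exe"
OVERWRITTEN_BROWSERS = [
    r"%UserProfile%\Local Settings\Application Data\Yandex\YandexBrowser\Application\browser.exe",
    r"%UserProfile%\AppData\Local\Yandex\YandexBrowser\Application\browser.exe",
    r"%ProgramFiles%\Mozilla Firefox\firefox.exe",
    r"%ProgramFiles%\Opera\launcher.exe",
]


def check_hosts(hosts_text: str) -> List[str]:
    """Flag hosts-file lines that sinkhole the Google update hosts."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, tolerate tabs and spaces
        if len(fields) < 2:
            continue
        ip, names = fields[0], {n.lower().rstrip(".") for n in fields[1:]}
        hit = BLOCKED_GOOGLE_HOSTS & names
        if hit and ip.startswith(SINKHOLE_PREFIXES):
            findings.append(f"hosts line {lineno}: {ip} -> {', '.join(sorted(hit))}")
    return findings


def check_registry(snapshot: Dict[str, Dict[str, str]]) -> List[str]:
    """Match {key path: {value name: data}} against REGISTRY_IOCS, case-insensitively as the registry does."""
    lowered = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in snapshot.items()}
    findings = []
    for key, wanted in REGISTRY_IOCS.items():
        values = lowered.get(key.lower(), {})
        for name, data in wanted.items():
            actual = values.get(name.lower())
            if actual is not None and (data is None or str(actual) == data):
                findings.append(f"{key}\\{name} = {actual}")
    return findings


def check_browser_clones(file_contents: Dict[str, bytes]) -> List[str]:
    """Flag browser binaries whose SHA-256 equals the dropper's, or each other's.
    One file is copied over several unrelated browsers, so two different browser
    executables hashing identically is a strong sign even if Chromium.exe is gone."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in file_contents.items()}
    dropper_digest = digests.get(DROPPER)
    seen: Dict[str, str] = {}  # digest -> first browser path that carried it
    findings = []
    for path in OVERWRITTEN_BROWSERS:
        digest = digests.get(path)
        if digest is None:
            continue
        if digest == dropper_digest:
            findings.append(f"{path} is byte-identical to {DROPPER}")
        elif digest in seen:
            findings.append(f"{path} is byte-identical to {seen[digest]}")
        seen.setdefault(digest, path)
    return findings


def triage(hosts_text: str, registry_snapshot: Dict[str, Dict[str, str]],
           file_contents: Dict[str, bytes]) -> List[str]:
    return check_hosts(hosts_text) + check_registry(registry_snapshot) + check_browser_clones(file_contents)


# --- Constructed sample data (not from a real infection) ---------------------------------
SAMPLE_HOSTS = ("# Copyright (c) 1993-2009 Microsoft Corp.\n127.0.0.1\tlocalhost\n"
                "127.0.0.1 tools.google.com\n127.0.0.1 clients4.google.com\n")
SAMPLE_REGISTRY = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Google Chromium": r"C:\Documents and Settings\All Users\Application Data\Chromium.exe",
        "SomeVendorTray": r"C:\Program Files\Vendor\tray.exe",  # benign entry, must be ignored
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"EnableLUA": "0"},
    r"HKEY_LOCAL_MACHINE\Software\Policies\Google\Update": {"UpdateDefault": "0"},
}
FAKE_PAYLOAD = b"MZ\x90\x00constructed-arsivir-payload"
SAMPLE_FILES = {
    DROPPER: FAKE_PAYLOAD,
    OVERWRITTEN_BROWSERS[2]: FAKE_PAYLOAD,                        # firefox.exe overwritten
    OVERWRITTEN_BROWSERS[3]: FAKE_PAYLOAD,                        # Opera launcher.exe overwritten
    OVERWRITTEN_BROWSERS[1]: b"MZ\x90\x00genuine-yandex-browser",  # untouched
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, SAMPLE_REGISTRY, SAMPLE_FILES):
        print("IOC:", finding)
```

On the sample data the script reports seven findings: two hosts entries, three registry values and two browser binaries identical to the dropper. The hash comparison is the check worth keeping after the obvious artefacts are cleaned up: a reinstall of Chrome removes the extension, but firefox.exe and launcher.exe stay overwritten until they are restored from their installers, and their matching hashes give that away without needing a signature for the payload.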

Last update 02 February 2015
