Trojan.Chikdos.B
First posted on 05 December 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Chikdos.B.
Explanation:
The Trojan may arrive by exploiting vulnerabilities on targeted websites.
When the Trojan is executed, it creates the following files:
%Windir%\svchoost.exe
%Temp%\[RANDOM NUMBER]_IEFile.exe
%Temp%\[RANDOM NUMBER].exe
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\"Run" = "%Windir%\svchoost.exe"
Next, the Trojan creates the following mutex: www.xinhuamei.net:8080
The Trojan then connects to the following remote location through TCP port 8080: www.xinhuamei.net
Next, the Trojan opens the following website using Internet Explorer: [http://]dns.aaii.tv/j8.[REMOVED]
The Trojan then gathers the following system information and sends it to the attackers' remote location:
CPU information
Windows OS version
Installed service pack version
Memory size
Default language
The Trojan may then perform DDoS attacks against other computers through TCP port 80.
Last update 05 December 2015
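The indicators listed above (dropped file names, autorun data, mutex, remote host and port) expressed as a triage check over endpoint telemetry. This is an added example, not Symantec's code; the event schema (type, host_id, path, key, data, name, host, port) and the sample events are assumptions constructed for illustration.

```python
import re

# Indicator values come from the write-up above; the event schema is assumed.
MUTEX = "www.xinhuamei.net:8080"
C2_HOST, C2_PORT = "www.xinhuamei.net", 8080
RUN_KEY_PREFIX = r"hkey_local_machine\software\microsoft\windows\currentversion"
DROPPER = re.compile(r"\\svchoost\.exe$", re.I)  # misspelled svchost.exe
TEMP_IEFILE = re.compile(r"\\temp\\\d+_iefile\.exe$", re.I)  # [RANDOM NUMBER]_IEFile.exe

def match_event(ev):
    """Return the name of the indicator an event matches, or None."""
    kind = ev.get("type")
    if kind == "file_create":
        path = ev.get("path", "")
        if DROPPER.search(path):
            return "dropped svchoost.exe"
        if TEMP_IEFILE.search(path):
            return "temp _IEFile.exe"
    elif kind == "registry_set":
        if (ev.get("key", "").lower().startswith(RUN_KEY_PREFIX)
                and DROPPER.search(ev.get("data", ""))):
            return "autorun -> svchoost.exe"
    elif kind == "mutex_create" and ev.get("name") == MUTEX:
        return "mutex"
    elif kind == "net_connect":
        if ev.get("host", "").lower() == C2_HOST and ev.get("port") == C2_PORT:
            return "C2 connection"
    return None

def triage(events):
    """Group matched indicators per host; several distinct hits raise confidence."""
    hits = {}
    for ev in events:
        name = match_event(ev)
        if name:
            hits.setdefault(ev["host_id"], set()).add(name)
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"host_id": "ws-01", "type": "file_create", "path": r"C:\Windows\svchoost.exe"},
    {"host_id": "ws-01", "type": "registry_set",
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Windows\svchoost.exe"},
    {"host_id": "ws-01", "type": "mutex_create", "name": "www.xinhuamei.net:8080"},
    {"host_id": "ws-01", "type": "net_connect", "host": "www.xinhuamei.net", "port": 8080},
    {"host_id": "ws-02", "type": "file_create", "path": r"C:\Windows\System32\svchost.exe"},
    {"host_id": "ws-02", "type": "file_create",
     "path": r"C:\Users\a\AppData\Local\Temp\48213_IEFile.exe"},
]
```

The bare %Temp%\[RANDOM NUMBER].exe name is left out of the matcher because a numeric file name alone is too common in temp directories to be a useful signal.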