Trojan.Werdlod
First posted on 02 May 2015.
Source: Symantec
Aliases :
There are no other names known for Trojan.Werdlod.
Explanation :
Once executed, the Trojan copies itself to the following location:
%UserProfile%\AppData\Roaming\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"Macromedia" = "%UserProfile%\AppData\Roaming\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe"
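A check for the persistence described above, written as an added example (not Symantec's code). It parses `reg query` text output and flags values under the Policies\Explorer\Run key that are named "Macromedia" or point to an executable one folder below AppData\Roaming. The function name, the "high"/"review" levels and the sample output are assumptions constructed for illustration.

```python
import re

# Persistence key from the write-up; hive prefix omitted so HKCU and HKU\<SID> both match.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\policies\explorer\run"
VALUE_NAME = "macromedia"
# <profile>\AppData\Roaming\<one folder>\<file>.exe, the drop path pattern in the write-up.
DROP_PATH = re.compile(r"\\appdata\\roaming\\[^\\]+\\[^\\]+\.exe\b", re.IGNORECASE)
# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")


def scan_reg_query(text):
    """Return findings for Run-policy values matching the described persistence."""
    findings, key = [], None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            key = line.strip()  # an unindented line is a registry key header
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        name, _reg_type, data = m.groups()
        name_hit = name.lower() == VALUE_NAME
        path_hit = bool(DROP_PATH.search(data))
        if name_hit or path_hit:
            # Both indicators together match the write-up; one alone needs a human look.
            level = "high" if name_hit and path_hit else "review"
            findings.append({"key": key, "value": name, "data": data.strip(), "level": level})
    return findings


# Constructed sample of `reg query` output (user, folder and file names are made up).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Macromedia    REG_SZ    C:\Users\alice\AppData\Roaming\Qwvxt\rbnmo.exe
    Updater    REG_SZ    C:\Program Files\Vendor\updater.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

if __name__ == "__main__":
    for f in scan_reg_query(SAMPLE):
        print(f["level"], f["key"], f["value"], f["data"], sep=" | ")
```
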
The Trojan then opens a back door on the compromised computer and connects to the following remote location:
[http://]133.242.20.14/cartin/imag[REMOVED]
The Trojan may then download potentially malicious files and execute them.
Last update 02 May 2015