
Trojan.Bukflash


First posted on 12 March 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Bukflash.

Explanation :

The Trojan is known to spread by posting links on compromised social media accounts. These links redirect users to Web pages which claim to host a Flash update.

When the Trojan is executed, it creates the following file:
%ProgramFiles%\Flash\first.crx

Next, the Trojan creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\eloiobpkhmhigoanlnojhnacenlkjaad
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eloiobpkhmhigoanlnojhnacenlkjaad

The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\eloiobpkhmhigoanlnojhnacenlkjaad\"version" = "1.0.4"
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eloiobpkhmhigoanlnojhnacenlkjaad\"version" = "1.0.4"
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\eloiobpkhmhigoanlnojhnacenlkjaad\"path" = "%ProgramFiles%\Flash\first.crx"
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eloiobpkhmhigoanlnojhnacenlkjaad\"path" = "%ProgramFiles%\Flash\first.crx"

The Trojan may then perform the following actions:
Gain access to the user's social media profile, photos and personal information
Download and execute files
Attempt to redirect users to other Web pages
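
One way to check a Windows host for the artifacts listed above, as an added PowerShell example that is not part of the original write-up. It looks for the extension ID, registry keys and .crx file named on this page and, going slightly beyond them, lists any other machine-wide Chrome extension registration that loads from a local `path` value. The function and variable names are illustrative, and checking the `Program Files (x86)` folder as well is an assumption for 64-bit systems.

```powershell
# Added example: audit machine-wide Chrome external-extension registrations.
# The extension ID and file name are the indicators listed on this page.
$KnownId = 'eloiobpkhmhigoanlnojhnacenlkjaad'
$Roots = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions'
)

function Get-ChromeExternalExtension {
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $crx = $key.GetValue('path')   # set when the extension loads from a local .crx
            if ($crx) { $crx = [Environment]::ExpandEnvironmentVariables($crx) }
            [pscustomobject]@{
                Key         = $key.Name
                ExtensionId = $key.PSChildName
                Version     = $key.GetValue('version')
                Path        = $crx
                UpdateUrl   = $key.GetValue('update_url')
                KnownBad    = $key.PSChildName -eq $KnownId
                LocalCrx    = [bool]$crx
                CrxExists   = [bool]$crx -and (Test-Path -LiteralPath $crx)
            }
        }
    }
}

function Get-BukflashDroppedFile {
    # Assumption: a 32-bit dropper on 64-bit Windows resolves %ProgramFiles% to the (x86) folder.
    @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Flash\first.crx' } |
        Where-Object { Test-Path -LiteralPath $_ }
}

# Report registrations that match the known ID or side-load a local .crx, plus the dropped file.
$hits  = @(Get-ChromeExternalExtension | Where-Object { $_.KnownBad -or $_.LocalCrx })
$files = @(Get-BukflashDroppedFile)
$hits | Format-List
$files | ForEach-Object { Write-Warning "Dropped file present: $_" }
if (-not $hits -and -not $files) { 'No matching registry entries or files found.' }
```

Entries with `KnownBad` set match this page's indicator directly; other `LocalCrx` entries need manual review, since legitimate software can also register extensions under these keys.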

Last update 12 March 2014

 
