Home / malware Downloader.Picproot
First posted on 26 May 2015.
Source: SymantecAliases :
There are no other names known for Downloader.Picproot.
Explanation :
The Trojan may be dropped by a binary file attached to a malicious email.
Once executed, the Trojan may copy itself to one of the following locations:
%UserProfile%\Application Data\Microsoft\Credentials\Credentials.dll%UserProfile%\Application Data\Microsoft\Credentials\Credentials.exe%UserProfile%\Application Data\Microsoft\SystemCertificates\CREDRIVER.dll %UserProfile%\Application Data\Microsoft\SystemCertificates\Desktop.ini
The Trojan creates the following files:
%UserProfile%\Application Data\Microsoft\Credentials\Credentials.dat%UserProfile%\Application Data\Microsoft\Credentials\Credentials.bak%UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].tmp%UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].msi
The Trojan then deletes any file with a .dta extension found in the following location:
%UserProfile%\Application Data\Tasks
Next, the Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Credentials" = "rundll32.exe "%UserProfile%\Application Data\Microsoft\Credentials\Credentials.dll",Embedding"
The Trojan modifies the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\lsa\"forceguest" = "0"
The Trojan activates the user HelpAssistant on the compromised computer and adds it to the Administrators group. The Trojan then creates rules to allow incoming traffic through the following TCP ports:
135139445
The Trojan may then connect to one or more of the following remote locations:
air88.ns01.usinfo.acmetoy.comware.compress.tobbs.ccdog.netph11.dns1.us113.10.221.89cham.com.tw
The Trojan may then download one of the following image files containing malware hidden using steganography:
af130901.jpg phh121018.jpgh20141127011.jpgh20140929006.jpgjpg_140430.jpgdfsy.jpgphsy.jpgunderwater.jpgdzh_0925.jpg
The Trojan saves the downloaded files to one or more of the following locations:
%UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].tmp%UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].msi
The Trojan then decrypts and executes the hidden payload.Last update 26 May 2015