
Trojan.Tsyrval


First posted on 22 March 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Tsyrval.

Explanation :

The Trojan may be dropped by a specially crafted document which exploits a vulnerability.

When the Trojan is executed, it creates the following files:
%Temp%\[SIX RANDOM DIGITS]
%AllUsersProfile%\Application Data\Intel\buuu.dat
%AllUsersProfile%\Application Data\Intel\Data\Dtl.dat
%AllUsersProfile%\Application Data\Intel\Data\glp.uin
%AllUsersProfile%\Application Data\Intel\ResN32.dat
%AllUsersProfile%\Application Data\Intel\ResN32.dll
%AllUsersProfile%\Application Data\Intel\rundll32.exe
%AllUsersProfile%\Application Data\Intel\~1
%AllUsersProfile%\Application Data\Intel\~y.dll
%AllUsersProfile%\Documents\My Document\Dtl.dat
%AllUsersProfile%\Documents\My Document\glp.uin
%AllUsersProfile%\Documents\My Document\update\donhi.dat
%AllUsersProfile%\Documents\My Document\update\sleptr.dat
%AllUsersProfile%\Documents\My Document\update\stage.dat
The Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"LoadAppInit_DLLs" = 0x00000001

The Trojan modifies the following registry entry so that ResN32.dll is loaded into every process that loads User32.dll (APPLIC~1 is the 8.3 short name of the Application Data folder):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "%AllUsersProfile%\APPLIC~1\Intel\ResN32.dll"

The Trojan sends system information to the following domains:
tsrvall.microsoft-centre.com
tsrvall01.norton-update.com
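The registry and network indicators above are the ones a responder can check without the sample in hand. The following script is an added example, not Symantec's or malwarePDF's code: it parses a `reg export` of the Windows key and a DNS query log, expands the 8.3 short names (DOCUME~1, ALLUSE~1, APPLIC~1) that the AppInit_DLLs value uses, so that a naive search for "Application Data" does not miss it, and matches the two C2 domains. The short-name mapping is assumed for an XP-era profile layout, and both sample inputs are constructed for the example, not real captures.

```python
"""Triage check for the Trojan.Tsyrval persistence and C2 indicators above.

Added example; it is not Symantec's or malwarePDF's code. It works on text a
responder already has: a `reg export` of the Windows key and a DNS query log.
Both sample inputs below are constructed for the example, not real captures.
"""
import re

WINDOWS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Windows")
TSYRVAL_DOMAINS = {"tsrvall.microsoft-centre.com", "tsrvall01.norton-update.com"}
TSYRVAL_DLL_TAIL = r"\intel\resn32.dll"   # tail of the page's AppInit_DLLs value

# 8.3 short-name components as they appear on an XP-era profile layout; the
# mapping is assumed here. The page's value uses APPLIC~1, so a check that
# greps the registry for "Application Data" never sees it.
SHORT_NAMES = {
    "docume~1": "documents and settings",
    "alluse~1": "all users",
    "applic~1": "application data",
}

# Constructed sample: a reg export of the key after infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\Intel\\ResN32.dll"
"LoadAppInit_DLLs"=dword:00000001
"""

# Constructed sample resolver log lines (not a real capture).
SAMPLE_DNS_LOG = [
    "2014-03-22 09:14:02 10.0.0.17 query A www.example.com",
    "2014-03-22 09:14:05 10.0.0.17 query A tsrvall01.norton-update.com.",
    "2014-03-22 09:14:09 10.0.0.17 query A update.example.net",
]


def normalize_path(path: str) -> str:
    """Lower-case a path and expand the known 8.3 short-name components."""
    parts = path.strip().strip('"').lower().split("\\")
    return "\\".join(SHORT_NAMES.get(p, p) for p in parts)


def parse_reg_export(text: str) -> dict:
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def reg_value(raw: str) -> str:
    """Decode exported REG_SZ ("..." with doubled backslashes) or REG_DWORD."""
    if raw.startswith("dword:"):
        return str(int(raw[len("dword:"):], 16))
    return raw.strip('"').replace("\\\\", "\\")


def assess_appinit(keys: dict) -> list:
    """Flag AppInit_DLLs loading in general and the Tsyrval DLL in particular."""
    findings = []
    values = keys.get(WINDOWS_KEY, {})
    load = reg_value(values.get("LoadAppInit_DLLs", "dword:00000000"))
    dlls = reg_value(values.get("AppInit_DLLs", '""'))
    if load == "1" and dlls:
        findings.append("AppInit_DLLs loading is enabled: " + dlls)
    # The loader treats the value as a space- or comma-separated list, which is
    # why malware writes short names; inspect it token by token the same way.
    for token in re.split(r"[ ,]+", dlls):
        if token and normalize_path(token).endswith(TSYRVAL_DLL_TAIL):
            # Flagged even when LoadAppInit_DLLs is 0: a staged DLL is still an IOC.
            findings.append("Trojan.Tsyrval AppInit DLL: " + token)
    return findings


def assess_dns(log_lines) -> list:
    """Return log lines whose queried name is one of the Tsyrval C2 domains."""
    hits = []
    for line in log_lines:
        names = {tok.lower().rstrip(".") for tok in line.split()}
        if names & TSYRVAL_DOMAINS:
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    for finding in assess_appinit(parse_reg_export(SAMPLE_REG)):
        print("REGISTRY:", finding)
    for hit in assess_dns(SAMPLE_DNS_LOG):
        print("DNS:", hit)
```

Two caveats when running this against real hosts: on Windows Vista and 7 the DLL is only loaded while LoadAppInit_DLLs is 1, which is why the Trojan sets that value itself, and on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled entirely, so the registry value alone does not prove the DLL ever ran there. The dropped files in %AllUsersProfile%\Application Data\Intel and the DNS hits remain valid indicators in either case.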

Last update 22 March 2014
