Trojan:Win32/Cuffahlt.B
First posted on 01 October 2015.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Cuffahlt.B.
Explanation:
Threat behavior
Installation
This threat adds the following registry keys:
- HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D830B6B8939ACB4928401060203BB648456BB4F8
- HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F53E693DDABF57A88A9B12B608B09B26C0608B74
It also modifies the following registry key:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "cmdrun"
With data: "cmd.exe /C ipconfig /flushdns"
Payload
Reroutes network traffic
This threat adds two malicious root certificates and modifies the file dnsapi.dll, which allows it to reroute network traffic.
It can also modify the certificate stores of applications including, but not limited to, the following:
- Firefox
- Opera
- Thunderbird
This threat also creates the following folders and file:
\ \ \ \ \ \ .dat
It modifies the following file:
\dnsapi.dll
Analysis by Jody Koo
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
  - <system folder>\
\ \ \ \ .dat
- You see registry modifications such as:
  - In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value: "cmdrun"
    With data: "cmd.exe /C ipconfig /flushdns"
  - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D830B6B8939ACB4928401060203BB648456BB4F8
  - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F53E693DDABF57A88A9B12B608B09B26C0608B74
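As an added, read-only check that is not part of the Microsoft entry, the PowerShell below looks for the two certificate thumbprints listed above in the machine's Root store, for the RunOnce "cmdrun" value, and for a dnsapi.dll that no longer passes Authenticode verification. The function name and the inclusion of the SysWOW64 copy of dnsapi.dll are my assumptions, not something the entry states.

```powershell
# Added example (not from the Microsoft entry): read-only check for the
# Trojan:Win32/Cuffahlt.B indicators listed on the page. Names are my own.
$CuffahltThumbprints = @(
    'D830B6B8939ACB4928401060203BB648456BB4F8',
    'F53E693DDABF57A88A9B12B608B09B26C0608B74'
)

function Test-CuffahltIndicators {
    $findings = @()

    # 1. Rogue root certificates. The registry path on the page,
    #    HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT, is the
    #    LocalMachine\Root store exposed by the Cert: drive.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
        if ($CuffahltThumbprints -contains $cert.Thumbprint.ToUpperInvariant()) {
            $findings += "Rogue root certificate: $($cert.Thumbprint) ($($cert.Subject))"
        }
    }

    # 2. RunOnce value "cmdrun" (flushes the DNS cache so the rerouting takes effect).
    $runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $cmdrun = (Get-ItemProperty -Path $runOnce -Name cmdrun -ErrorAction SilentlyContinue).cmdrun
    if ($cmdrun) {
        $findings += "RunOnce value 'cmdrun' present with data: $cmdrun"
    }

    # 3. Tampered dnsapi.dll. A modified system DLL no longer verifies, so any
    #    status other than Valid deserves a look. Assumption: checking the
    #    SysWOW64 copy as well on 64-bit hosts. On older Windows builds where
    #    system DLLs are only catalog-signed, NotSigned can be a false alarm;
    #    compare the file hash against a known-good copy in that case.
    $dllPaths = @("$env:SystemRoot\System32\dnsapi.dll", "$env:SystemRoot\SysWOW64\dnsapi.dll")
    foreach ($dll in $dllPaths | Where-Object { Test-Path $_ }) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') {
            $findings += "$dll signature status is '$($sig.Status)' (expected Valid)"
        }
    }

    return $findings
}

$result = Test-CuffahltIndicators
if ($result.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Cuffahlt.B indicators found.'
} else {
    $result | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell session so the HKLM hive and the machine Root store are fully readable; a match on either thumbprint is the strongest signal, since a legitimate host has no reason to trust those roots.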
Last update 01 October 2015