
Trojan.Pandemiya


First posted on 12 June 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Pandemiya.

Explanation:

When the Trojan is executed, it creates the following files:
  C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS].exe
  %System%\[RANDOM CHARACTERS].dll

Next, the Trojan creates the following registry entries:
  HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Session Manager\AppCertDlls\"[RANDOM CHARACTERS]" = "%System%\[RANDOM CHARACTERS].dll"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS].exe"

The Trojan then connects to the following remote locations:
  [http://][REMOVED]/P4ND3M1CB00BF4C3/12[REMOVED]
  [http://][REMOVED]/aWnBrokeQxPeKunljEDkm/biLwVtsypK[REMOVED]

The Trojan may then perform the following actions:
  Track processes
  Identify newly created processes
  Load new modules and plugins
  Steal information from Web forms
  Capture screenshots
  Restart the computer
  Gather cookie information
  Gather system information, such as the OS version and architecture
  Create and execute files
  Remove files and directories
  Download files
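The two persistence locations named above (the AppCertDlls key, whose DLL values Windows loads into every process that calls CreateProcess, and the per-user Run key) can be audited with the following PowerShell, an added example that is not part of the Symantec description. It assumes an elevated session; %System% is Symantec's placeholder for the system directory, so the script expands whatever real environment variables an entry contains and strips quoting before checking the file on disk.

```powershell
# Added hunt script (not from the Symantec write-up): enumerate the two
# persistence locations the description names and report, for each value,
# whether the referenced image exists and whether it carries a valid
# Authenticode signature. Only the current user's Run key is inspected;
# other users' HKCU hives would need to be loaded separately.
$locations = @(
    @{ Kind = 'AppCertDlls'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls' },
    @{ Kind = 'Run';         Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' }
)

function Resolve-ImagePath {
    param([string]$Value)
    # Expand %VAR% references, then isolate the executable/DLL path from
    # a quoted or argument-bearing command line.
    $expanded = [Environment]::ExpandEnvironmentVariables($Value).Trim()
    if ($expanded.StartsWith('"')) { return ($expanded -split '"')[1] }
    return ($expanded -split '\s+')[0]
}

foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
    $key = Get-Item -LiteralPath $loc.Path
    foreach ($name in $key.GetValueNames()) {
        $raw    = [string]$key.GetValue($name)
        $image  = Resolve-ImagePath $raw
        $exists = Test-Path -LiteralPath $image
        $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Location   = $loc.Kind
            ValueName  = $name
            Image      = $image
            Exists     = $exists
            Signature  = $status
            # AppCertDlls is normally absent or empty on a default Windows
            # install, so any value there deserves review; elsewhere an
            # unsigned or missing image is the signal to follow up on.
            Suspicious = ($loc.Kind -eq 'AppCertDlls') -or ($status -ne 'Valid')
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv to review the results, and compare any flagged AppCertDlls image against a known-good baseline before removing it, since legitimate endpoint agents occasionally register there too.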

Last update 12 June 2014
