
Trojan.Tubrosa


First posted on 08 September 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Tubrosa.

Explanation :

The Trojan must be executed by the user.

When the Trojan is executed, it creates the following files:
C:\Documents and Settings\All Users\Application Data\Macromedia\Flash Player\#SharedObjects\3Z7DKHU2\s.ytimg.com\soundData.sol
C:\Documents and Settings\All Users\Application Data\Macromedia\Flash Player\#SharedObjects\3Z7DKHU2\www-cdn.jtvnw.net\jtv_settings.sol
C:\Documents and Settings\All Users\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s.ytimg.com\settings.sol
C:\Documents and Settings\All Users\Application Data\sychost\appdomain
The Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsNT = "C:\Documents and Settings\All Users\Application Data\sychost\appdomain.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\HideZoneInfoOnProperties = 0x0000
The Trojan creates the following registry entry on computers running Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\[APPLICATION NAME] = "7000"

The Trojan creates the following registry entry on computers running other Windows operating systems:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\[APPLICATION NAME] = "7000"

The Trojan attempts to install Flash Player for Internet Explorer.

The Trojan creates the following file:
C:\Documents and Settings\All Users\Application Data\sychost\appdomain.exe

appdomain.exe contains the dropper and watchdog (a Nullsoft installer).

appdomain.exe may execute and install itself into the registry so that it runs after the compromised computer is rebooted.

appdomain.exe may drop the following file and relaunch it every time it is terminated:
C:\Documents and Settings\All Users\Application Data\sychost\sychost.exe

sychost.exe may perform the following actions:
Automatically watch YouTube.com videos while hidden
Download a list of videos from [http://]loserboy.in/me/video[REMOVED]
Alter the computer's volume settings
Check that appdomain.exe is installed and running in the registry
Attempt to install Adobe Flash Player 14 for Internet Explorer from [http://]ge.tt/api/1/files/9bxN7Cq1/0/bl[REMOVED] if it is not already installed
Alter Internet Explorer's emulation settings
Maintain a constant amount of active emulated browsers to watch YouTube.com videos
Hide emulated windows
Retrieve pseudo-random values from [http://]loserboy.in/me/getu[REMOVED] and [http://]loserboy.in/me/getre[REMOVED]
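As an added example, not part of the Symantec write-up, the following Python triage check matches the registry values and dropped-file paths listed above against a host snapshot. The snapshot shape (registry entries as (key, value name, data) tuples plus a list of file paths) and the sample entries are constructed assumptions; the FEATURE_BROWSER_EMULATION rule is deliberately narrow because legitimate software writes that key as well.

```python
import re
# Registry and file indicators taken from the Trojan.Tubrosa write-up above.
# Registry tuples: (key path regex, value-name regex, data regex, confidence).
REG_INDICATORS = [
    (r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce$",
     r"^WindowsNT$", r"\\sychost\\appdomain\.exe", "high"),
    (r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments$",
     r"^HideZoneInfoOnProperties$", r"^(0x)?0+$", "low"),
    # FEATURE_BROWSER_EMULATION is set by legitimate software too, so a 7000 entry
    # only counts as strong evidence when the value name is one of the dropped binaries.
    (r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN"
     r"\\FeatureControl\\FEATURE_BROWSER_EMULATION$",
     r"^(appdomain|sychost)\.exe$", r"^7000$", "high"),
]
FILE_INDICATORS = [  # path suffix regex (matched case-insensitively), confidence
    (r"\\sychost\\appdomain(\.exe)?$", "high"),
    (r"\\sychost\\sychost\.exe$", "high"),
]

def scan_registry(entries):
    """entries: iterable of (key path, value name, data) as read from a registry export."""
    hits = []
    for key, name, data in entries:
        for key_re, name_re, data_re, conf in REG_INDICATORS:
            if (re.match(key_re, key, re.I) and re.match(name_re, name, re.I)
                    and re.search(data_re, data, re.I)):
                hits.append(f"{conf}: {key}\\{name} = {data}")
    return hits

def scan_files(paths):
    return [f"{conf}: {p}" for p in paths
            for path_re, conf in FILE_INDICATORS if re.search(path_re, p, re.I)]

# Constructed sample of what a host export might contain (not real telemetry).
SAMPLE_REG = [
    ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
     "WindowsNT", "C:\\Documents and Settings\\All Users\\Application Data\\sychost\\appdomain.exe"),
    ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments",
     "HideZoneInfoOnProperties", "0x0000"),
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_BROWSER_EMULATION",
     "appdomain.exe", "7000"),
    # A legitimate application using the same emulation key must not be flagged.
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_BROWSER_EMULATION",
     "myapp.exe", "7000"),
]
SAMPLE_FILES = [
    "C:\\Documents and Settings\\All Users\\Application Data\\sychost\\sychost.exe",
    "C:\\Program Files\\Adobe\\Flash Player\\flashplayer.exe",
]
```

Running `scan_registry(SAMPLE_REG) + scan_files(SAMPLE_FILES)` yields three registry hits (the RunOnce persistence value, the attachment-policy change, the emulation entry for appdomain.exe) and one file hit, while the myapp.exe emulation entry and the Flash Player path are not reported.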

Last update 08 September 2014
