Trojan.Pitou
First posted on 02 July 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Pitou.
Explanation:
When the Trojan is executed, it creates the following file:
  %System%\Drivers\[RANDOM CHARACTERS].sys
The Trojan then creates the following registry entries:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"DisplayName" = "[RANDOM CHARACTERS]"
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"ImagePath" = "%System%\Drivers\[RANDOM CHARACTERS].sys"
  HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\CrashControl\"MinidumpDir" = "%SystemDrive%\Minidump"
Next, the Trojan connects to the following command-and-control (C&C) servers:
  ternexwestern.biz
  rgnerignioerjg.com
If the Trojan can't connect to its C&C servers, it connects to domains created with its domain generation algorithm (DGA).
The Trojan may then perform the following actions:
  - Download email templates and a list of targeted email addresses
  - Hide its registry entries and files using rootkit components
  - Send spam emails
Last update 02 July 2015
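The registry changes listed above give a defender two host-based triage leads: a kernel-driver service whose DisplayName is simply its own random-looking key name and whose ImagePath is a .sys file in the Drivers folder derived from that same name, and a rewritten CrashControl\MinidumpDir value. The script below is an added example for triaging an exported registry hive offline; it is not part of Symantec's write-up and no Symantec tooling is involved. The .reg-style export it parses is constructed for the example (the service name "xkqzvtpl" stands in for the write-up's [RANDOM CHARACTERS] placeholder, and the benign-looking services are invented decoys). It assumes that a real export may carry the driver path either as the write-up's "%System%\Drivers\..." form or as the expanded "System32\drivers\..." form, and that the stock Windows MinidumpDir value is "%SystemRoot%\Minidump", so any other value is reported for review.

```python
"""Triage a registry export for the Trojan.Pitou persistence pattern.

Added defensive example; the registry text below is constructed, not
taken from a real infection. A hit is a lead for analysts, not a verdict:
some legitimate third-party drivers also use their key name as DisplayName.
"""
import re

# Key prefixes from the write-up (normal strings because a raw string
# cannot end in a backslash).
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
MINIDUMP_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CrashControl"
# Assumption: stock Windows value; anything else is worth a look.
DEFAULT_MINIDUMP_DIR = "%SystemRoot%\\Minidump"

# Accepts "%System%\Drivers\name.sys" (the write-up's placeholder form) and
# "System32\drivers\name.sys" (how a driver ImagePath usually exports).
DRIVER_PATH = re.compile(
    r"^(?:%system%|(?:.*\\)?system32)\\drivers\\([^\\]+)\.sys$", re.IGNORECASE
)

# Constructed sample in .reg export style.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqzvtpl]
"DisplayName"="xkqzvtpl"
"ImagePath"="%System%\Drivers\xkqzvtpl.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"DisplayName"="TCP/IP Protocol Driver"
"ImagePath"="System32\drivers\tcpip.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="%SystemRoot%\System32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"MinidumpDir"="%SystemDrive%\Minidump"
"""


def parse_reg(text):
    """Return {key_path: {value_name: value_data}} for a .reg-style export.

    Only REG_SZ-style "name"="data" lines are handled, which is all the
    indicators above need.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_pitou_indicators(keys):
    """Return (kind, detail, where) tuples for entries matching the pattern."""
    findings = []
    for key, values in keys.items():
        if key.lower().startswith(SERVICES_PREFIX.lower()):
            name = key[len(SERVICES_PREFIX):]
            if "\\" in name:  # sub-keys such as ...\Parameters are not services
                continue
            display = values.get("DisplayName", "")
            m = DRIVER_PATH.match(values.get("ImagePath", ""))
            # DisplayName == service name == driver basename is the write-up's shape.
            if m and display.lower() == name.lower() and m.group(1).lower() == name.lower():
                findings.append(("service", name, values["ImagePath"]))
        elif key.lower() == MINIDUMP_KEY.lower():
            value = values.get("MinidumpDir")
            if value is not None and value.lower() != DEFAULT_MINIDUMP_DIR.lower():
                findings.append(("minidumpdir", value, key))
    return findings


if __name__ == "__main__":
    for kind, detail, where in find_pitou_indicators(parse_reg(SAMPLE_REG)):
        print(f"[{kind}] {detail}  ({where})")
```

On a live host the same checks can be run against an export produced with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`; remember that the write-up says the rootkit component hides its own entries, so an export taken from the infected system while it is running may not show the service at all, and an offline hive copy is the more reliable input.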