
Trojan.Commofra


First posted on 23 May 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Commofra.

Explanation:

The Trojan may arrive through phishing emails.

When the Trojan is executed, it creates the following files:
%UserProfile%\Application Data\[RANDOM DIGITS].bat
%UserProfile%\Application Data\Microsoft\[THREE RANDOM CHARACTERS][RANDOM WORD].exe

The Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\[EIGHT RANDOM CHARACTERS]\[10 RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[THREE RANDOM CHARACTERS][RANDOM WORD].exe" = "%UserProfile%\Application Data\Microsoft\[THREE RANDOM CHARACTERS][RANDOM WORD].exe"

Note: [RANDOM WORD] may be one of the following:
windows
video
update
system
sock
share
setup
serial
mgr32
error
edit32
crypt
config
common
cap32
boot
bios
audio
api32

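As an added example (not part of the Symantec write-up), the following Python sketch grades HKEY_CURRENT_USER Run values against the naming pattern described above. The character class used for "random characters", the AppData\Roaming alternative and all sample entries are assumptions of this example.

```python
import re

# Word list from the note above, read as 19 run-together names.
RANDOM_WORDS = (
    "windows", "video", "update", "system", "sock", "share", "setup",
    "serial", "mgr32", "error", "edit32", "crypt", "config", "common",
    "cap32", "boot", "bios", "audio", "api32",
)

# Assumption: "random characters" are ASCII letters or digits.
NAME_RE = re.compile(
    r"^[a-z0-9]{3}(?:%s)\.exe$" % "|".join(RANDOM_WORDS), re.IGNORECASE)

# The file sits directly in <profile>\Application Data\Microsoft\. Accepting
# AppData\Roaming (where that folder lives on Vista and later) is an
# addition of this example, not something the write-up states.
PATH_RE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\Microsoft\\([^\\]+)$",
    re.IGNORECASE)


def classify_run_entry(value_name, value_data):
    """Grade one Run value as 'match', 'partial' or 'clean'."""
    name = value_name.strip().strip('"')
    found = PATH_RE.search(value_data.strip().strip('"'))
    file_name = found.group(1) if found else ""
    name_hit = bool(NAME_RE.match(name))
    path_hit = bool(NAME_RE.match(file_name))
    if name_hit and path_hit and name.lower() == file_name.lower():
        return "match"      # value name and dropped file agree, as described
    if name_hit or path_hit:
        return "partial"    # only one side fits the pattern; review by hand
    return "clean"


def scan(run_values):
    """Return (value name, verdict) for every entry that is not clean."""
    graded = [(n, classify_run_entry(n, d)) for n, d in run_values]
    return [(n, v) for n, v in graded if v != "clean"]


# Constructed sample data, not taken from an infected host.
SAMPLE_RUN_VALUES = [
    ("qx7update.exe", r"%UserProfile%\Application Data\Microsoft\qx7update.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("abcsetup.exe", r"C:\Program Files\Vendor\abcsetup.exe"),
    ("update.exe", r"C:\Documents and Settings\bob\Application Data\Microsoft\update.exe"),
]

if __name__ == "__main__":
    for value_name, verdict in scan(SAMPLE_RUN_VALUES):
        print(verdict, value_name)
```

A "partial" verdict is expected to produce false positives, because legitimate installers use names such as setup or update; treat it as a prompt to inspect the file, not as a detection.
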
The Trojan may perform the following actions:
Inject itself into browser processes
Filter all network activity
Monitor communications
Steal information

The Trojan may contact the following hosts:

Last update 23 May 2014
