
Trojan.Miuref.B


First posted on 25 March 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Miuref.B.

Explanation:

When the Trojan is executed, it copies itself to the following location:
  %UserProfile%\Application Data\[RANDOM CHARACTERS]\[SAMPLE NAME].exe

The Trojan then creates the following registry entries so that it runs every time Windows starts:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\[RANDOM CHARACTERS]\[SAMPLE NAME].exe"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CLSID]" = "%CurrentFolder%\[SAMPLE NAME].exe"

Next, the Trojan connects to the following remote locations:
  1.web-counter.info
  2.web-counter.info
  3.web-counter.info
  4.web-counter.info
  5.web-counter.info
  service8.org

The Trojan then downloads files with the following extensions to %UserProfile%\Application Data\[RANDOM CHARACTERS]\[RANDOM CLSID]:
  .lck
  .txt
  .dat
  .idx

The Trojan may further download malicious Firefox and Chrome extensions.

Next, the Trojan gathers the following system information and sends it to the remote attacker:
  Processor type
  OS information
  Country/language information
  BIOS information
  Primary display monitor information
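
One way to triage a host for the Run-key persistence described above, added here as an example and not taken from the Symantec write-up: it parses `reg query` output for the HKCU Run key and flags values whose name is a CLSID or whose target is an .exe exactly one folder below the roaming profile. The sample output, user name, value names and paths are constructed, and treating AppData\Roaming as the later-Windows equivalent of Application Data is an assumption.

```python
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output; the user name, value names and paths are made up for illustration.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    kqzvhtwp    REG_SZ    C:\Users\alice\Application Data\kqzvhtwp\invoice.exe
    {6F1C2A9E-3B7D-4E58-9A10-2C4D5E6F7A8B}    REG_SZ    C:\Users\alice\Downloads\invoice.exe
"""

# reg.exe prints: <indent><value name><4 spaces><type><4 spaces><data>
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}REG_(?:EXPAND_)?SZ\s{4}(?P<data>.*)$")
CLSID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# An .exe exactly one folder below the roaming profile directory
# (assumption: "AppData\Roaming" is checked alongside "Application Data").
ROAMING_EXE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\[^\\]+\\[^\\]+\.exe$", re.I)

def triage_run_key(reg_query_output):
    """Return (value name, reasons) for Run entries matching the described pattern."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name = m.group("name")
        data = m.group("data").strip()
        # Keep only the executable path when the command line is quoted.
        path = data.split('"')[1] if data.startswith('"') else data
        reasons = []
        if CLSID_NAME.match(name):
            reasons.append("value name is a CLSID")
        if ROAMING_EXE.search(path):
            reasons.append("exe one folder below the roaming profile")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE):
        print(name, "->", "; ".join(reasons))
```

Matches are leads for review rather than verdicts, since legitimate software also starts from the roaming profile.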

Last update 25 March 2015

 
