Virus:Win32/Murofet.A
First posted on 06 October 2010.
Source: SecurityHome
Aliases:
Virus:Win32/Murofet.A is also known as Trojan horse Downloader.Generic10.WCF (AVG), Trojan.Packed.196 (Dr.Web), Trojan-Downloader.Win32.Murofet (Ikarus), Generic.dx!ubo (McAfee), W32/Murofet-A (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software), Trojan.Fortemp!inf (Symantec).
Explanation :
Virus:Win32/Murofet.A is a detection for a virus that infects Windows executable files and attempts to download arbitrary files from various domains.
Spread via…
Infects files
Virus:Win32/Murofet.A infects Windows Portable Executable (PE) files. The virus routine uses a cavity infection method: rather than appending a new section, it inserts its code into the free space (alignment padding) between the first and second sections of the host file, so the file size and section count do not change.

Payload
Downloads and executes arbitrary files
Files infected with Virus:Win32/Murofet.A attempt to download an arbitrary file from a URL generated by the virus. The domain name in the URL is generated from the current system time, so every infected host computes the same candidate domains on the same day. The URL has the following pattern:
http://<generated_domain_name>/forum/
It uses one of the following top level domains:
.com
.biz
.org
.net
.info
In the wild, we have observed Virus:Win32/Murofet.A generating the following domains:
kzoildszuspuovoq.biz
fxkuintqxykyoq.net
shirquzmsjpdzmm.com
The virus generates 800 of these URLs and saves the downloaded file to the %TEMP% directory. At the time of writing, if the virus contacts a domain that is active, the file it downloads is detected as PWS:Win32/Zbot.gen!Y.
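The cavity infection described above can be checked for without any knowledge of the virus body: a linker zero-fills the padding between the end of a section's real data (VirtualSize) and the file-aligned start of the next section, so non-zero bytes in that slack are a strong indicator that something was written there. The following is an added analysis example, not code from the original write-up or from the virus; it constructs a minimal two-section PE in memory (a stand-in for a real host file, with a 16-byte `jmp $` stub standing in for injected code) and then measures the inter-section slack with a small section-table parser. The layout constants (.text at file offset 0x200, 0x200 file alignment) are assumptions chosen for the demo.

```python
import struct

FILE_ALIGNMENT = 0x200
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes

# Constructed sample inputs for the demo (not taken from a real infected file).
SAMPLE_CODE = b"\x55\x8b\xec\x5d\xc3"   # push ebp; mov ebp,esp; pop ebp; ret
SAMPLE_DATA = b"hello\0"
SAMPLE_PAYLOAD = b"\xeb\xfe" * 8        # 16 bytes of `jmp $`, stands in for injected code


def _align(n: int, a: int = FILE_ALIGNMENT) -> int:
    return (n + a - 1) // a * a


def build_sample_pe(code: bytes, data: bytes, cavity_payload: bytes = b"") -> bytes:
    """Constructed two-section PE image for the demo (not a real program).
    Headers fill the first 0x200 bytes, .text starts at 0x200 and .data starts
    at the next file-aligned offset. `cavity_payload` is written into the
    alignment padding after .text's real code, i.e. the free space between the
    first and second sections that a cavity infector reuses."""
    text_raw = _align(len(code))
    data_raw = _align(len(data))
    assert len(code) + len(cavity_payload) <= text_raw, "payload does not fit in the cavity"
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, PE32 optional header
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)             # only the magic matters for this parser
    sec_text = struct.pack(SECTION_HDR, b".text", len(code), 0x1000, text_raw, 0x200,
                           0, 0, 0, 0, 0x60000020)
    sec_data = struct.pack(SECTION_HDR, b".data", len(data), 0x2000, data_raw, 0x200 + text_raw,
                           0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + opt + sec_text + sec_data
    headers += b"\0" * (0x200 - len(headers))
    text = code + cavity_payload
    text += b"\0" * (text_raw - len(text))            # linker-style zero padding
    return headers + text + data + b"\0" * (data_raw - len(data))


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table (just enough of the format to locate raw data)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]     # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, _vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, pe, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr, "flags": flags})
    return sections


def find_cavities(pe: bytes) -> list:
    """For each pair of adjacent sections, report the file slack between the end of
    the first section's meaningful data (VirtualSize) and the next section's raw
    start. Linkers zero-fill that slack, so non-zero bytes there are a red flag."""
    secs = sorted(parse_sections(pe), key=lambda s: s["raw_ptr"])
    report = []
    for cur, nxt in zip(secs, secs[1:]):
        used_end = cur["raw_ptr"] + min(cur["virtual_size"], cur["raw_size"])
        slack = pe[used_end:nxt["raw_ptr"]]
        report.append({"after": cur["name"], "slack_bytes": len(slack),
                       "nonzero_bytes": sum(1 for b in slack if b)})
    return report


if __name__ == "__main__":
    for label, payload in (("clean", b""), ("cavity-infected", SAMPLE_PAYLOAD)):
        pe = build_sample_pe(SAMPLE_CODE, SAMPLE_DATA, payload)
        print(label, find_cavities(pe))
```

On a real sample the same `find_cavities` can be pointed at the bytes of a file on disk; a clean build reports `nonzero_bytes` of 0 for every gap, while a cavity-infected host shows a non-zero count after its first section. The check is a heuristic, not a signature: some packers and overlay-aware tools also leave data in slack, so a hit means "inspect", not "malicious".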
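To make the download mechanism concrete, here is an added example of a time-seeded domain generation algorithm (DGA) with the properties the write-up states: 800 candidate names per day, one of the five listed TLDs, and the `http://<domain>/forum/` path. It is illustrative code written for this page, not Murofet's actual generator (which the write-up does not reproduce), so the hashing and letter-selection steps are assumptions and the names it emits will not match the real domains listed above. The point it demonstrates is the defender's side of the trade: once the generator and the date are known, a proxy-log URL can be matched against the day's candidate set and the names can be sinkholed ahead of time.

```python
import datetime
import hashlib
from urllib.parse import urlparse

TLDS = (".com", ".biz", ".org", ".net", ".info")   # the five TLDs named in the write-up
DOMAINS_PER_DAY = 800                              # the URL count named in the write-up
PATH = "/forum/"                                   # the URL path named in the write-up

SAMPLE_DAY = datetime.date(2010, 10, 6)            # the page's publication date, used as the demo date
NEXT_DAY = SAMPLE_DAY + datetime.timedelta(days=1)


def generate_domains(day: datetime.date, count: int = DOMAINS_PER_DAY) -> list:
    """Illustrative time-seeded DGA (assumption: NOT Murofet's real algorithm).
    Every infected host that shares the same calendar date derives the same list,
    so the operator only has to register one of the `count` names in advance,
    while a defender who has the generator can pre-compute the whole list."""
    domains = []
    for index in range(count):
        seed = f"{day.year:04d}-{day.month:02d}-{day.day:02d}:{index}".encode()
        digest = hashlib.md5(seed).digest()          # 16 bytes per (date, index) pair
        length = 12 + digest[0] % 4                  # 12..15 letters, like the observed names
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(label + TLDS[digest[15] % len(TLDS)])
    return domains


def build_url(domain: str) -> str:
    """The download URL shape given in the write-up."""
    return f"http://{domain}{PATH}"


def matches_dga(url: str, day: datetime.date) -> bool:
    """Defender side: decide whether a URL seen in proxy logs is one of the
    candidate download URLs for the given date."""
    parts = urlparse(url)
    if parts.scheme != "http" or parts.path != PATH:
        return False
    return parts.hostname in set(generate_domains(day))


if __name__ == "__main__":
    todays = generate_domains(SAMPLE_DAY)
    print(len(todays), "candidate domains for", SAMPLE_DAY, "e.g.", todays[:3])
    print("today's first URL matches:", matches_dga(build_url(todays[0]), SAMPLE_DAY))
    print("same URL against tomorrow:", matches_dga(build_url(todays[0]), NEXT_DAY))
```

Because the seed rolls over with the calendar date, yesterday's list is useless for blocking today's traffic; a blocklist built from a DGA has to be regenerated daily and, in practice, for a window of days on either side to absorb clock skew on infected hosts.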
Analysis by Amir Fouda
Last update 06 October 2010