TrojanDownloader:Win32/Pikot.A


First posted on 31 July 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Pikot.A is also known as Trojan.Win32.Pikot.b (Kaspersky), W32/Suspicious_Gen2.BZUM (Norman), Trojan horse Generic.KZI (AVG), Trojan.Pikot.B (BitDefender), Trojan.Pinkdot (Dr.Web), Trojan.Win32.Pikot (Ikarus), Downloader-ASA (McAfee), Trojan.StartPage (Sunbelt Software), Trojan.StartPage (Symantec).

Explanation :

TrojanDownloader:Win32/Pikot.A is a trojan that attempts to download and execute arbitrary files from a specified domain.
Payload :

Downloads arbitrary files

TrojanDownloader:Win32/Pikot.A attempts to download an executable file from the domain "pinkdot.co.kr". The downloaded file is saved to the Windows system folder with a file name that starts with three random letters, followed by any one of the following strings:

  • svc.exe
  • man.exe
  • mgr.exe
  • srv.exe

For example: <system folder>\ayvmgr.exe

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.

Note: At the time of writing, the aforementioned executable file was already inaccessible.

If the trojan successfully downloads and executes the executable file, it contacts the domain "pinkdot.co.kr" to indicate its success, and creates the following registry entries:

Adds value: "sp2"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\syscmgr

Adds value: "spfs"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\syscmgr
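The two host-side indicators given above (the three-random-letter file name in the System folder, and the two values under the syscmgr subkey) can be checked together during triage. The following is an added example, not code from the original write-up; the function names, the sample file listing and the sample registry pairs are constructed for illustration.

```python
import re

# Hypothetical triage helper, not from the original write-up. Scores a System32
# file listing and HKLM registry values against the Pikot.A indicators above.

# Three letters followed by one of the four suffixes; NTFS names are case-insensitive.
DROPPER_NAME = re.compile(r"^[a-z]{3}(svc|man|mgr|srv)\.exe$", re.IGNORECASE)

# Registry indicators quoted in the description.
PIKOT_SUBKEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\syscmgr"
PIKOT_VALUES = {"sp2", "spfs"}


def suspicious_file_names(system_folder_listing):
    """Names in the System folder listing that fit the Pikot.A naming scheme."""
    return sorted(n for n in system_folder_listing if DROPPER_NAME.match(n))


def pikot_registry_hits(registry_values):
    """registry_values: (subkey, value_name) pairs, e.g. parsed from a reg export.
    Returns the Pikot.A value names found under the syscmgr subkey."""
    return sorted(name for subkey, name in registry_values
                  if subkey.lower() == PIKOT_SUBKEY.lower()
                  and name.lower() in PIKOT_VALUES)


def triage(system_folder_listing, registry_values):
    """A name match alone is weak (the pattern is short enough to collide with
    benign names), so report 'likely' only when the registry values the trojan
    writes after a successful run are present too."""
    names = suspicious_file_names(system_folder_listing)
    reg = pikot_registry_hits(registry_values)
    if names and reg:
        verdict = "likely"
    elif names or reg:
        verdict = "possible"
    else:
        verdict = "none"
    return {"verdict": verdict, "files": names, "registry": reg}


# Constructed sample host data, not real telemetry.
SAMPLE_SYSTEM32 = ["ayvmgr.exe", "svchost.exe", "QZPSRV.EXE", "wlansvc.exe", "kernel32.dll"]
SAMPLE_REGISTRY = [(PIKOT_SUBKEY, "sp2"), (PIKOT_SUBKEY, "spfs"),
                   (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon")]

if __name__ == "__main__":
    print(triage(SAMPLE_SYSTEM32, SAMPLE_REGISTRY))
```

On a live host the listing would come from the actual System folder and the registry pairs from a `reg export` of HKLM\SOFTWARE, with the "possible" verdict used as a prompt for manual review rather than a detection on its own.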

    Analysis by Amir Fouda

    Last update 31 July 2010