Home / malware Trojan.Dipverdle.B
First posted on 21 February 2014.
Source: SymantecAliases :
There are no other names known for Trojan.Dipverdle.B.
Explanation :
When the Trojan is executed, it creates the following file:
%UserProfile%\Application Data\Microsoft\Windows\svchost.exe
The Trojan then creates the following registry entries:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%UserProfile%\Application Data\Microsoft\Windows\svchost.exe" = "%UserProfile%\Application Data\Microsoft\Windows\svchost.exe:*:Enabled:Microsoft Windows Update"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"WindowsUpdate" = "%UserProfile%\Application Data\Microsoft\Windows\svchost.exe"
Next, the Trojan modifies the following registry entries:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[NETWORK INTERFACE GUID]\"NameServer" = "127.0.0.1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[NETWORK INTERFACE GUID]\"DhcpNameServer" = "127.0.0.1"
The Trojan then connects to the following remote locations: [http://]hoseen45r.com/uplin[REMOVED][http://]62.75.221.37/uplin[REMOVED][http://]setpec14rs.com/uplin[REMOVED][http://]onetimes21s.com/uplin[REMOVED][http://]verification/worlds/test/index[REMOVED]
The Trojan may then perform the following activities:Upload system information and the version of the malware to remote locationsDownload and execute filesModifies the DNS server settings to redirect all Web traffic to a fake website in an attempt to steal personal and financial information.Last update 21 February 2014
