
Downloader.Gofarer


First posted on 09 December 2015.
Source: Symantec

Aliases:

There are no other names known for Downloader.Gofarer.

Explanation:

Once executed, the Trojan creates the following files:
%Temp%\~DFDFA[RANDOM CHARACTERS FILE NAME].log
%ProgramFiles%\Startup\Gofarer.EXE
The Trojan creates one of the following mutexes to make sure only one instance of itself is running:
fe953017-2e96-4d52-aa5f-adf5144e4bbc
e511fe20-e960-4b31-a8ab-20837720b0f7
Next, the Trojan connects to the following remote locations:
[http://]www.aucsellers.com/images/notes/img/inde[REMOVED]
[http://]www.aucsellers.com/rim/images/01/js/js/inde[REMOVED]
The Trojan downloads the following file:
%Temp%\~DFDFA[RANDOM CHARACTERS FILE NAME].exe
The Trojan then deletes the following file:
%Temp%\~DFDFA[RANDOM CHARACTERS FILE NAME].log

Last update 09 December 2015

 
