Home / malware Trojan:Win32/Flydop.A
First posted on 05 February 2014.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Flydop.A.
Explanation :
Threat behavior
Installation
Trojan:Win32/Flydop.A copies itself to %windir%\update.exe. The malware changes the following registry entries so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "iedop.exe"
With data: "c:\windows\\update.exe" Sets value: "Shell"
With data: "explorer.exe c:\windows\\update.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Payload
Contacts remote hosts
Trojan:Win32/Flydop.A may contact the following remote hosts using port 80:
- tj.tchuisuo.com
- xos.xxooss.com
Commonly, malware does this to:This malware description was produced and published using automated analysis of file SHA1 88993f33415aa51eedbcc6521e027f5fc67c360d.Symptoms
- Confirm Internet connectivity
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
%windir%\update.exe
- You see these entries or keys in your registry:
Sets value: "iedop.exe"
With data: "c:\windows\\update.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Shell"
With data: "explorer.exe c:\windows\\update.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonLast update 05 February 2014
