Home / malware Trojan:Win32/Drawnetz.A
First posted on 11 February 2014.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Drawnetz.A.
Explanation :
Threat behavior
Installation
Trojan:Win32/Drawnetz.A creates the following files on your PC:
- c:\documents and settings\administrator\application data\avcheck.exe
- c:\documents and settings\administrator\application data\pendencias.exe
- c:\documents and settings\administrator\application data\tfile.jsp
Payload
Changes system security settings
Trojan:Win32/Drawnetz.A disables the Least Privileged User Account (LUA), also known as the ?administrator in Admin Approval Mode? user type. It does this by making the following registry modifications:
Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Note: Disabling the LUA allows all applications to run by default with all administrative privileges. You won't be asked for explicit consent. Contacts remote hosts
The malware may contact the following remote hosts using port 80:
- printlux.by
- www.tobiasteka.hu
Commonly, malware does this to:This malware description was produced and published using automated analysis of file SHA1 e5a3560b92831135e02ffee7ad049121cbfdfade.Symptoms
- Confirm Internet connectivity
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
c:\documents and settings\administrator\application data\avcheck.exe
c:\documents and settings\administrator\application data\pendencias.exe
c:\documents and settings\administrator\application data\tfile.jsp
- You see these entries or keys in your registry:
Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemLast update 11 February 2014
