Trojan:Win32/Qidmorks.A
First posted on 27 March 2019.
Source: Microsoft

Aliases:
There are no other names known for Trojan:Win32/Qidmorks.A.

Explanation:
Trojan:Win32/Qidmorks.A is a malicious program that does not spread on its own. It can perform actions of an attacker's choice on an affected computer.

Installation
Trojan:Win32/Qidmorks.A copies itself to c:\documents and settings\administrator\application data\13966433\svchost.exe. The legitimate svchost.exe lives in %SystemRoot%\System32, so a file by that name under a user's Application Data folder is an indicator in its own right. The malware changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "x86kernel2"
With data: "c:\documents and settings\administrator\application data\13966433\svchost.exe"

The malware creates the following files on your PC:
per perper perperper

Payload
Changes system security settings
Trojan:Win32/Qidmorks.A adds itself to the list of applications that can access the Internet without being stopped by your firewall (the Windows Firewall exception list used by Windows XP and Windows Server 2003). It does this by making the following registry modification:

Adds value: "C:\Documents and Settings\Administrator\Application Data\13966433\svchost.exe"
With data: "c:\documents and settings\administrator\application data\13966433\svchost.exe:*:enabled:svchost"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Contacts remote host
The malware might contact a remote host at cloudbizzare.com using port 80. Commonly, malware does this to:
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC

This malware description was produced and published using automated analysis of file SHA1 9664871cf77983b7ce525a05e905894de4b37017.

Last update 27 March 2019
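The two registry indicators above (the Run value and the firewall AuthorizedApplications entry) can be checked offline against a `reg export` of those keys. The following is an added example written for this page, not code from Microsoft or from the original write-up: it parses a .reg export, splits the firewall list's "path:scope:state:name" data format, and flags any autostart or firewall-exempted binary that is an svchost.exe outside System32 or that lives under a user profile directory. The sample export embedded in it is constructed for the example (the ctfmon.exe and sessmgr.exe entries are made-up benign neighbours), and the function names are this example's own.

```python
import ntpath
import re

# Constructed sample of what `reg export` of the two keys named in the write-up
# produces on an infected XP-era machine. The two legitimate entries (ctfmon.exe
# and sessmgr.exe) are made up here for contrast and are not from the write-up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"x86kernel2"="c:\\documents and settings\\administrator\\application data\\13966433\\svchost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\13966433\\svchost.exe"="c:\\documents and settings\\administrator\\application data\\13966433\\svchost.exe:*:enabled:svchost"
"""

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
FW_LIST_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
               r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")

# "name"="data" lines; the .reg format escapes backslash and double quote with a backslash
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key (lowercased): {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def parse_firewall_entry(data):
    """Split 'path:scope:Enabled|Disabled:display name' as stored under AuthorizedApplications\\List.
    rsplit is used because the path itself contains the drive-letter colon."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "enabled": state.lower() == "enabled", "name": name}


def suspicious_path(path):
    """Return the reasons an autostart or firewall-exempted binary path looks wrong ([] if none)."""
    p = path.lower().replace("/", "\\")
    reasons = []
    # The real svchost.exe lives in %SystemRoot%\System32; anywhere else is a red flag.
    if ntpath.basename(p) == "svchost.exe" and not ntpath.dirname(p).endswith("\\system32"):
        reasons.append("svchost.exe outside System32")
    # Autostart binaries under a user profile are user-writable and unusual for system software.
    if any(d in p for d in ("\\documents and settings\\", "\\application data\\", "\\appdata\\", "\\users\\")):
        reasons.append("binary in user profile directory")
    return reasons


def find_indicators(reg_text):
    """Return (location, value name, reasons) tuples for entries matching the pattern in the write-up."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        reasons = suspicious_path(data)
        if reasons:
            findings.append(("Run", name, "; ".join(reasons)))
    for name, data in keys.get(FW_LIST_KEY, {}).items():
        entry = parse_firewall_entry(data)
        if entry and entry["enabled"]:
            reasons = suspicious_path(entry["path"])
            if reasons:
                findings.append(("AuthorizedApplications", name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for location, name, reasons in find_indicators(SAMPLE_REG_EXPORT):
        print(f"[{location}] {name}: {reasons}")
```

On a live host, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and likewise for the AuthorizedApplications\List key); reg.exe writes UTF-16, so read the file with `open(path, encoding="utf-16")` before passing it to find_indicators. The path heuristics are deliberately generic, so the same script will surface other malware using the same two persistence and firewall-exception tricks, not only this family.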