
Backdoor.Uwarrat


First posted on 27 August 2015.
Source: Symantec

Aliases :

There are no other names known for Backdoor.Uwarrat.

Explanation :

When the Trojan is executed, it creates the following files:
- %UserProfile%\Application Data\warriors.dat
- %Temp%\bootloader.dec
- %UserProfile%\Application Data\TEST\WindowsUpdate.exe
Next, the Trojan connects to the following remote location through TCP port 2020: login.collegefan.org
The Trojan then gathers details on installed software from entries under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" registry subkey whose "DisplayName" value does not contain any of the following substrings:
- Hotfix
- Security Update
- Update for
Next, the Trojan gathers contents from the following folders:
- %UserProfile%\Desktop
- %UserProfile%\Local Settings\Temp
- %UserProfile%\Cookies
- %UserProfile%\Documents
The Trojan may then perform the following actions:
- Gather data on available drives
- Gather a list of files from specific folders
- Gather information on monitors that are connected to the computer
- Download and upload files
- Delete files
- Rename files and folders
- Uninstall software
- Restart or shut down the computer
- End its activities
- Restart or delete itself
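
The file and network indicators listed above can be matched against endpoint telemetry, as in this added example (not part of the Symantec write-up). The event schema, machine names and sample events are constructed, and the "AppData\Roaming" and "\Temp\" path forms are assumptions about how %UserProfile%\Application Data and %Temp% resolve in recorded paths.

```python
import re

# Indicators from the write-up above. %UserProfile% and %Temp% differ per user,
# so paths are matched by their tail, case-insensitively. Assumption: on newer
# Windows "Application Data" is a junction to "AppData\Roaming".
APPDATA = r"\\(?:application data|appdata\\roaming)"
FILE_RULES = {
    "warriors.dat": re.compile(APPDATA + r"\\warriors\.dat$", re.I),
    "WindowsUpdate.exe": re.compile(APPDATA + r"\\test\\windowsupdate\.exe$", re.I),
    "bootloader.dec": re.compile(r"\\temp\\bootloader\.dec$", re.I),
}
REMOTE_HOST, REMOTE_PORT = "login.collegefan.org", 2020


def match_event(event):
    """Return the names of the indicators an event matches (empty if none)."""
    hits = []
    if event.get("type") == "file_create":
        path = event.get("path", "")
        hits += [name for name, rx in FILE_RULES.items() if rx.search(path)]
    elif event.get("type") == "net_connect":
        # Normalise case and a trailing dot before comparing the host name.
        host = event.get("host", "").rstrip(".").lower()
        if host == REMOTE_HOST:
            on_port = event.get("port") == REMOTE_PORT
            hits.append("remote host on TCP 2020" if on_port else "remote host")
    return hits


def triage(events):
    """Group indicator hits per machine so multi-indicator hosts stand out."""
    report = {}
    for ev in events:
        for hit in match_event(ev):
            report.setdefault(ev["machine"], []).append(hit)
    return report


# Constructed sample telemetry (hypothetical schema, not a real product's).
SAMPLE = [
    {"machine": "WS-01", "type": "file_create", "path": r"C:\Users\amy\AppData\Roaming\TEST\WindowsUpdate.exe"},
    {"machine": "WS-01", "type": "net_connect", "host": "LOGIN.collegefan.org.", "port": 2020},
    {"machine": "WS-02", "type": "file_create", "path": r"C:\Windows\SoftwareDistribution\WindowsUpdate.exe"},
    {"machine": "WS-03", "type": "file_create", "path": r"C:\Documents and Settings\bob\Local Settings\Temp\bootloader.dec"},
    {"machine": "WS-03", "type": "file_create", "path": r"C:\Documents and Settings\bob\Application Data\warriors.dat"},
]

if __name__ == "__main__":
    for machine, hits in triage(SAMPLE).items():
        print(machine, hits)
```

A file named WindowsUpdate.exe outside the TEST folder (WS-02 in the sample) is deliberately not flagged, since the name alone is not specific to this threat.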

Last update 27 August 2015

 
