
Trojan.Denpur


First posted on 07 March 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Denpur.

Explanation :

When the Trojan is executed, it creates the following files:
%SystemDrive%\Documents and Settings\All Users\Application Data/MSI/
%SystemDrive%\Documents and Settings\All Users\Application Data/MSI/46ab962a.msi
%SystemDrive%\Documents and Settings\All Users\Application Data/MSI/update.msi
%SystemDrive%\Documents and Settings\All Users\Application Data/dump21cb.dll

The Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSSecurity" = "regsvr32.exe" /s /n /I "%SystemDrive%\Documents and Settings\All Users\Application Data\dump21cb.dll"
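
A check for the persistence entry described above, as an added example that is not part of the original write-up: it parses `reg query` output for the Run key and flags values that silently launch regsvr32.exe against a DLL in an all-users data directory. It generalizes beyond the single entry listed here; the sample rows, the function names and the inclusion of `\ProgramData\` are assumptions made for illustration.

```python
import re

# Constructed sample of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# output; only the MSSecurity row reproduces the entry from the write-up.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /min
    MSSecurity    REG_SZ    "regsvr32.exe" /s /n /I "C:\Documents and Settings\All Users\Application Data\dump21cb.dll"
    Helper    REG_SZ    regsvr32 /s /n /i "C:\ProgramData\x1.dll"
    Codec    REG_SZ    regsvr32.exe /s "C:\Windows\System32\codec.dll"
'''

ROW = re.compile(r'^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$')
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # quoted argument or bare word
# All-users data directories: the path from the write-up plus, as an
# assumption of this example, its equivalent on newer Windows versions.
SHARED_DIRS = ('\\documents and settings\\all users\\application data\\',
               '\\programdata\\')

def basename(path):
    """Lower-cased final path component, tolerating mixed slashes."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()

def check_run_entries(reg_query_output):
    """Return (value_name, dll_path, exact_ioc_match) for suspicious Run values."""
    findings = []
    for line in reg_query_output.splitlines():
        row = ROW.match(line)
        if not row:
            continue                      # key header or blank line
        args = [q or bare for q, bare in TOKEN.findall(row['data'])]
        if not args or basename(args[0]) not in ('regsvr32', 'regsvr32.exe'):
            continue
        switches = {a.lower() for a in args[1:] if a.startswith('/')}
        silent = '/s' in switches         # regsvr32 shows no dialog at logon
        for dll in (a for a in args[1:] if a.lower().endswith('.dll')):
            normalized = dll.replace('/', '\\').lower()
            if silent and any(d in normalized for d in SHARED_DIRS):
                exact = (row['name'] == 'MSSecurity'
                         and basename(dll) == 'dump21cb.dll')
                findings.append((row['name'], dll, exact))
    return findings

if __name__ == '__main__':
    for name, dll, exact in check_run_entries(SAMPLE):
        print(name, dll, 'exact match' if exact else 'same pattern')
```

Unquoted DLL paths that contain spaces are split by the tokenizer and will not match, so treat an empty result as "no quoted match found" rather than as proof of a clean key.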

The Trojan may monitor and steal information from the following processes:
excel.exe
winword.exe
powerpnt.exe
visio.exe
acrord32.exe
notepad.exe
wordpad.exe
skype.exe
msnmsgr.exe
oovoo.exe
nimbuzz.exe
googletalk.exe
yahoomessenger.exe
x-lite.exe
iexplore.exe
firefox.exe
opera.exe
safari.exe

The Trojan may steal the following information from the previously mentioned processes:
Network traffic
Keystrokes
Screenshots
Clipboard data
Audio data

The Trojan may send the stolen information to one of the following URLs:
[http://]www.horizons-tourisme.com/_vti_bin/_vti_msc/bb/inde[REMOVED]
[http://]www.etehadyie.ir/images/public/bb212/inde[REMOVED]
[http://]www.alexpetro.com/images/training/courses/bb212/inde[REMOVED]
[http://]www.gezelimmi.com/wp-includes/misc/bb/inde[REMOVED]

Last update 07 March 2015

 
