Home / malwarePDF  

Trojan:Win32/Qidmorks.A


First posted on 12 February 2014.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Qidmorks.A.

Explanation :

Threat behavior Trojan:Win32/Qidmorks.A is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.

Installation

Trojan:Win32/Qidmorks.A copies itself to c:\documents and settings\administrator\application data\13966433\svchost.exe. The malware changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "x86kernel2"
With data: "c:\documents and settings\administrator\application data\13966433\svchost.exe" The malware creates the following files on your PC:

  • \per
  • \perper
  • \perperper


Payload

Changes system security settings

Trojan:Win32/Qidmorks.A adds itself to the list of applications that can access the Internet without being stopped by your firewall. It does this by making the following registry modification:

Adds value: "C:\Documents and Settings\Administrator\Application Data\13966433\svchost.exe"
With data: "c:\documents and settings\administrator\application data\13966433\svchost.exe:*:enabled:svchost"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Contacts remote host

The malware might contact a remote host at cloudbizzare.com using port 80. Commonly, malware does this to:
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 9664871cf77983b7ce525a05e905894de4b37017.Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    \per
    \perper
    \perperper
    c:\documents and settings\administrator\application data\13966433\svchost.exe
  • You see these entries or keys in your registry:

    Sets value: "x86kernel2"
    With data: "c:\documents and settings\administrator\application data\13966433\svchost.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Sets value: "C:\Documents and Settings\Administrator\Application Data\13966433\svchost.exe"
    With data: "c:\documents and settings\administrator\application data\13966433\svchost.exe:*:enabled:svchost"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Last update 12 February 2014

 

TOP

Malware :

Family: