Trojan.Seadask
First posted on 20 March 2015.
Source: Symantec

Aliases:
There are no other names known for Trojan.Seadask.
Explanation:
Once executed, the Trojan creates the following files:
%Temp%\_MEI13402\pyexpat.pyd
%Temp%\_MEI13402\_hashlib.pyd
%Temp%\_MEI13402\bz2.pyd
%Temp%\_MEI13402\python27.dll
%Temp%\_MEI13402\select.pyd
%Temp%\_MEI13402\unicodedata.pyd
%Temp%\_MEI13402\_ssl.pyd
%Temp%\_MEI13402\Crypto.Cipher._AES.pyd
%Temp%\_MEI13402\_socket.pyd
%Temp%\_MEI13402\_ctypes.pyd
The Trojan is a Python 2.7 script packaged into a stand-alone Windows executable. The files above are the bundled interpreter (python27.dll) and extension modules that a PyInstaller-style one-file bundle unpacks into a %Temp%\_MEI<digits> directory when it is launched; the numeric suffix (13402 in this sample) is not fixed and differs from run to run, and the directory is normally removed again when the process exits.
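As an added host-side hunting example (not part of the Symantec writeup, and not the Trojan's own code), the following script looks for %Temp%\_MEI<digits> directories whose contents overlap the file set listed above. It matches the directory name as a pattern rather than the literal _MEI13402, compares names case-insensitively because NTFS does, and requires several of the listed modules rather than python27.dll alone, since any PyInstaller-built Python 2.7 application leaves that file. The `build_sample_layout` helper and its directory names are constructed test data.

```python
import sys
import re
import tempfile
from pathlib import Path

# PyInstaller one-file executables unpack the bundled interpreter and extension
# modules into %Temp%\_MEI<digits> at launch. The digits change on every run,
# so the writeup's _MEI13402 is matched as a pattern, never literally.
MEI_DIR = re.compile(r"^_MEI\d+$")

# File names listed in the writeup for this sample. python27.dll is present in
# any Python 2.7 PyInstaller bundle; the extension modules narrow the match to a
# script that does sockets, TLS, hashing and AES, which fits this backdoor.
SEADASK_FILES = {
    "python27.dll", "_ssl.pyd", "_socket.pyd", "_ctypes.pyd", "_hashlib.pyd",
    "Crypto.Cipher._AES.pyd", "select.pyd", "bz2.pyd", "pyexpat.pyd",
    "unicodedata.pyd",
}


def scan_temp(temp_root, min_overlap=6):
    """Find _MEI<digits> directories under temp_root whose contents overlap the
    Seadask file set. Returns a list of dicts with the path, the matched names
    and the names that were not found. Comparison is case-insensitive."""
    root = Path(temp_root)
    hits = []
    if not root.is_dir():
        return hits
    wanted = {name.lower(): name for name in SEADASK_FILES}
    for entry in sorted(root.iterdir()):
        if not (entry.is_dir() and MEI_DIR.match(entry.name)):
            continue
        present = {p.name.lower() for p in entry.iterdir() if p.is_file()}
        matched = sorted(wanted[n] for n in present if n in wanted)
        # A leftover _MEI directory holding only the runtime is any PyInstaller
        # app (or one that crashed before cleanup); require the module cluster.
        if "python27.dll" in matched and len(matched) >= min_overlap:
            hits.append({
                "path": str(entry),
                "matched": matched,
                "missing": sorted(SEADASK_FILES - set(matched)),
            })
    return hits


def build_sample_layout():
    """Constructed %Temp% layout for offline testing (hypothetical names):
    one directory mirroring the writeup, one generic PyInstaller leftover that
    must not be flagged, and one unrelated directory. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="seadask_demo_"))
    full = root / "_MEI13402"
    full.mkdir()
    for name in SEADASK_FILES:
        (full / name).write_bytes(b"")
    partial = root / "_MEI4711"           # runtime only: some other Python app
    partial.mkdir()
    (partial / "python27.dll").write_bytes(b"")
    (partial / "_ctypes.pyd").write_bytes(b"")
    (root / "not_mei").mkdir()            # wrong directory name, must be ignored
    (root / "not_mei" / "python27.dll").write_bytes(b"")
    return root


if __name__ == "__main__":
    # On Windows scan the real %Temp%; elsewhere run against the constructed layout.
    target = tempfile.gettempdir() if sys.platform == "win32" else build_sample_layout()
    for hit in scan_temp(target):
        print(hit["path"], "matched", len(hit["matched"]), "missing", hit["missing"])
```

A hit only says a process with this module set ran from %Temp%; confirm it by checking which process holds the directory open and what launched it, and by looking for the Startup shortcut and Run-key entries described below.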
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Upload and download files
Uninstall itself
Delete itself
Create a shortcut to %UserProfile%\Start Menu\Programs\Startup
The Trojan may also create or delete entries under the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The Trojan uses the following string as the default user agent:
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
Next, the Trojan connects to the following command-and-control (C&C) server:
[http://]olssonjohansson.diskstation.me/dokuwiki/searc[REMOVED]
The Trojan uses the following referer and user agent:
Referer: https://www.facebook.com/
User agent: Java/1.6.0_13
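As an added network-side detection example (not from the Symantec writeup), the following script runs two checks over proxy log lines: a match on the C&C host named above, and a match on the beacon profile, a Java/1.6.0_13 user agent sending a Facebook referer to a host that is not Facebook. The second check is the more durable one: Java's HttpURLConnection adds no Referer on its own, and Facebook does not link to arbitrary third-party hosts, so the pairing is anomalous wherever the destination lives. The writeup truncates the C&C URL path, so only the host is matched. The stock Chrome 37 string listed as the default user agent is shared with real browsers and is deliberately not used as an indicator on its own. The log format and every hostname other than the C&C host are constructed for the example.

```python
from urllib.parse import urlsplit

# Indicators taken from the writeup.
C2_HOST = "olssonjohansson.diskstation.me"   # URL path is truncated in the writeup; match host only
BEACON_UA = "Java/1.6.0_13"
BEACON_REFERER = "https://www.facebook.com/"
# Default UA: a stock Chrome 37 string, too common to be an indicator by itself.
DEFAULT_UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36")

# Constructed proxy log, tab-separated: time, client, method, url, status,
# referer, user-agent; "-" means the header was absent. The path on the C&C
# request and all hosts other than C2_HOST are hypothetical.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("2015-03-20T10:01:02Z", "10.0.0.5", "GET", "http://" + C2_HOST + "/dokuwiki/",
     "200", BEACON_REFERER, BEACON_UA),
    ("2015-03-20T10:01:09Z", "10.0.0.7", "GET", "https://www.facebook.com/",
     "200", "-", DEFAULT_UA),
    ("2015-03-20T10:02:30Z", "10.0.0.5", "GET", "http://updates.example.net/check",
     "200", BEACON_REFERER, BEACON_UA),            # reconfigured C&C: no host match
    ("2015-03-20T10:03:11Z", "10.0.0.9", "GET", "http://maven.example.org/repo/x.jar",
     "200", "-", BEACON_UA),                       # plain Java client, benign
    ("2015-03-20T10:04:00Z", "10.0.0.7", "GET", "https://www.facebook.com/photos",
     "200", BEACON_REFERER, DEFAULT_UA),           # real browser on Facebook
])


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_facebook(host):
    return host == "facebook.com" or host.endswith(".facebook.com")


def classify(fields):
    """Return the list of reasons a single log record is suspicious (empty if none)."""
    _time, _client, _method, url, _status, referer, ua = fields
    host = host_of(url)
    reasons = []
    if host == C2_HOST:
        reasons.append("known Seadask C&C host")
    # Beacon profile from the writeup. Checked independently of the host so a
    # sample reconfigured to a new C&C (the note says this is configurable)
    # is still caught, while a Java client without the Facebook referer is not.
    if ua == BEACON_UA and referer == BEACON_REFERER and not is_facebook(host):
        reasons.append("Java UA with Facebook referer to non-Facebook host")
    return reasons


def scan_log(text):
    """Parse tab-separated log text and return (time, client, host, reasons)
    for every record that triggers at least one check."""
    findings = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue                      # malformed or blank line
        reasons = classify(fields)
        if reasons:
            findings.append((fields[0], fields[1], host_of(fields[3]), reasons))
    return findings


if __name__ == "__main__":
    for when, client, host, reasons in scan_log(SAMPLE_LOG):
        print(when, client, host, "; ".join(reasons))
```

Because the C&C server, referer and user agent are all configurable, treat the host match as a one-sample indicator and the referer/user-agent pairing as the behavioural rule worth keeping in a detection set; a full alert should also tie the client back to the %Temp%\_MEI<digits> artefact on the host.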
Note: The C&C server, referer, and user agent may be changed in the Trojan's configuration.

Last update: 20 March 2015