Home / malware TrojanDownloader:Win32/Chanitor.A
First posted on 01 October 2014.
Source: MicrosoftAliases :
There are no other names known for TrojanDownloader:Win32/Chanitor.A.
Explanation :
Threat behavior
Installation
TrojanDownloader:Win32/Chanitor.A copies itself to the following locations:
The malware changes the following registry entries so that it runs each time you start your PC:
- c:\documents and settings\administrator\local settings\temp\winlogin.exe
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "winlogin"
With data: "c:\documents and settings\administrator\local settings\temp\winlogin.exe"
Payload
Contacts remote host
TrojanDownloader:Win32/Chanitor.A might contact a remote host at icanhazip.com using port 443. Commonly, malware does this to:This malware description was produced and published using automated analysis of file SHA1 eb673847739efa22cb71f2d9cf50b15a6167e7d3.Symptoms
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
c:\documents and settings\administrator\local settings\temp\winlogin.exe
- You see these entries or keys in your registry:
Sets value: "winlogin"
With data: "c:\documents and settings\administrator\local settings\temp\winlogin.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunLast update 01 October 2014
