Trojan.Premele
First posted on 21 February 2014.
Source: Symantec
Aliases:
There are no other names known for Trojan.Premele.
Explanation:
The Trojan arrives as a fake Adobe Flash update that must be manually downloaded and executed.
When the Trojan is executed, it creates the following file:
%AllUsersProfile%\ms[RANDOM LETTERS FILE NAME].exe
It then creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"27677" = "%Windir%\docume~1\alluse~1\ms[RANDOM LETTERS FILE NAME].exe"
The Trojan then modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"TaskbarNoNotification" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"HideSCAHealth" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"HideSCAHealth" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"TaskbarNoNotification" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\"Start" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\"Start" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\"Start" = "4"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
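The registry changes above disable the Windows Firewall / Internet Connection Sharing service (SharedAccess), Security Center (wscsvc) and Windows Update (wuauserv), suppress the Security Center taskbar warnings, and turn off UAC (EnableLUA = 0). The following read-only triage script is an added example (not Symantec's tooling) that checks a host for every indicator listed so far: the Policies\Explorer\Run persistence value, a dropped ms*.exe under %AllUsersProfile%, and each of the policy and service values. Run it from an elevated PowerShell session on the host under investigation.

```powershell
# Added triage check for the Trojan.Premele indicators in this write-up.
# Example code, not Symantec's. Read-only: it reports findings and changes nothing.

$findings = @()

# 1. Persistence: the value named "27677" under policies\Explorer\Run.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path $runKey) {
    $runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'27677'
    if ($runValue) { $findings += "Persistence value '27677' in $runKey = $runValue" }
}

# 2. Dropped file: %AllUsersProfile%\ms[RANDOM LETTERS].exe
Get-ChildItem -Path $env:ALLUSERSPROFILE -Filter 'ms*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Suspicious dropped file: $($_.FullName)" }

# 3. Policy and service values the Trojan sets. "Bad" is the value the Trojan writes.
#    HKCU: checks apply to the hive of the user running this script.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'TaskbarNoNotification'; Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';         Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';         Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'TaskbarNoNotification'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';             Bad = 0 },
    # Start = 4 means the service is disabled: Firewall/ICS, Security Center, Windows Update.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start'; Bad = 4 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';       Name = 'Start'; Bad = 4 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv';     Name = 'Start'; Bad = 4 }
)

foreach ($check in $checks) {
    if (-not (Test-Path $check.Path)) { continue }
    $props   = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
    $current = $props.($check.Name)
    if ($null -ne $current -and [int]$current -eq $check.Bad) {
        $findings += "$($check.Path)\$($check.Name) = $current (matches Trojan.Premele setting)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Premele indicators found.'
} else {
    Write-Output "Trojan.Premele indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A single match on one of the Explorer policy values is weak on its own, since administrators can set them legitimately; the combination of the Run value, the dropped ms*.exe and the three services set to Start = 4 is what identifies this family. If the infected account differs from the one running the script, load that user's NTUSER.DAT (or run the script as that user) before trusting the HKCU results.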
Next, the Trojan may connect to the following remote locations:
[http://]premium.zam99.com/google_checkout/library/and/gate[REMOVED]
[http://]premium.1981tokyo.com/google_checkout/library/and/gate[REMOVED]
[http://]premium.zeez-shock.com/google_checkout/library/and/gate[REMOVED]
The Trojan may then download potentially malicious files onto the compromised computer.
Last update 21 February 2014