Home / malware Trojan:Win32/Emotet.B
First posted on 28 May 2014.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Emotet.B.
Explanation :
Threat behavior
Installation
Trojan:Win32/Emotet.B copies itself to c:\documents and settings\administrator\application data\microsoft\pkdsetup.exe. The malware creates the following files on your PC:
The malware uses code injection to make it harder to detect and remove. It can inject code into running processes, including the following:
- c:\documents and settings\administrator\application data\8537768.bat
- _avpm.exe
- adware.exe
- antivirus.exe
- asktao.exe
- AUPDATE.EXE
- AVGW.EXE
- avp32.exe
- avpcc.exe
- blackice.exe
- ccenter.exe
- cmd.exe
- DRWEB32.EXE
- egui.exe
- ekrn.exe
- ElementClient.exe
- explorer.exe
- fsav.exe
- game.exe
- InoRT.exe
- kav.exe
Payload
Contacts remote hosts
Trojan:Win32/Emotet.B may contact the following remote hosts using port 8080:
- 173.236.86.214
- 182.253.237.6
- 185.4.66.179
- 192.163.232.235
- 202.143.185.107
- 204.93.183.196
- 31.192.210.86
- 58.97.0.5
- 72.9.156.20
- 80.48.62.18
- 80.91.191.158
Commonly, malware does this to:This malware description was produced and published using automated analysis of file SHA1 9a98a16d31412711b6475c42cac0cf415341fbc0.Symptoms
- Confirm Internet connectivity
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
c:\documents and settings\administrator\application data\8537768.bat
c:\documents and settings\administrator\application data\microsoft\pkdsetup.exeLast update 28 May 2014
