
Trojan.Downloader.Firu.E


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.Downloader.Firu.E is also known as Trojan-Downloader.Win32.Firu.dx, Trojan:Win32/Bohmini.A, TROJ_FIRU.Q.

Explanation :

Upon execution this malware (if it has not already done so) copies itself to the system32 directory (typically C:\Windows\System32) with a random name consisting of 8 letters and numbers (for example 68S3ynp7.exe or 2B0E7jhj.exe).

The executable created above is scheduled for execution via the "Scheduled Tasks" feature. It creates 24 distinct entries, each scheduled to start every day at a fixed hour (at 00, at 01, 02 and so on until 23). If the Task Scheduler service is stopped, the malware starts it and sets it to auto-start upon reboot.

When executed from the system32 directory, it deletes the file passed to it through the command line (this feature is used to delete the original file once it has copied itself to the system32 directory and started the copy). Upon execution from the system32 directory, the malware injects itself into every running process (because of this, cleaning must be done from Safe Mode).

The malware transmits to a central server information about the infected system (the version and product key of the operating system, the serial number of the hard disk and so on).
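As an added example that is not part of the BitDefender description: a small Python check, run offline over constructed task records (the field names are an assumption, loosely modelled on `schtasks /query /v` output), that flags the persistence pattern described above, a set of daily tasks spread across the hours of the day that all launch one 8-character alphanumeric executable in System32.

```python
import re
from collections import defaultdict

# The advisory describes an 8-character name of letters and digits dropped into
# System32 (e.g. 68S3ynp7.exe). This pattern matches such a path, optionally quoted
# or followed by arguments, rooted at the Windows directory or its environment variables.
RANDOM_SYSTEM32_EXE = re.compile(
    r'^"?(?:[a-z]:\\windows|%systemroot%|%windir%)\\system32\\([a-z0-9]{8})\.exe"?(?:\s.*)?$',
    re.IGNORECASE,
)

def flag_hourly_task_sets(tasks, min_hours=20):
    """Return {exe_name: [hours]} for executables matching RANDOM_SYSTEM32_EXE that are
    launched by DAILY tasks across at least `min_hours` distinct start hours.

    `tasks` is an iterable of dicts with keys name, command, schedule, start_time;
    the field names are an assumption modelled loosely on `schtasks /query /v` output.
    Requiring many distinct hours keeps a lone task for a legitimate 8-letter binary
    such as taskhost.exe from being flagged.
    """
    hours_by_exe = defaultdict(set)
    for task in tasks:
        if task.get("schedule", "").upper() != "DAILY":
            continue
        path_match = RANDOM_SYSTEM32_EXE.match(task.get("command", "").strip())
        time_match = re.match(r"^(\d{1,2}):\d{2}", task.get("start_time", ""))
        if not path_match or not time_match:
            continue
        hours_by_exe[path_match.group(1).lower()].add(int(time_match.group(1)))
    return {exe: sorted(hours) for exe, hours in hours_by_exe.items() if len(hours) >= min_hours}

# Constructed sample records, not output captured from a real host: 24 hourly tasks
# for the dropped executable plus three unrelated tasks that must not be flagged.
SAMPLE_TASKS = [
    {"name": "At%d" % (h + 1), "command": r"C:\Windows\System32\68S3ynp7.exe",
     "schedule": "DAILY", "start_time": "%02d:00:00" % h}
    for h in range(24)
] + [
    {"name": "Updater", "command": r'"C:\Program Files\Vendor\Update.exe" /c',
     "schedule": "DAILY", "start_time": "13:17:00"},
    {"name": "Defrag", "command": r"C:\Windows\System32\defrag.exe -c",
     "schedule": "WEEKLY", "start_time": "01:00:00"},
    {"name": "Maintenance", "command": r"C:\Windows\System32\taskhost.exe",
     "schedule": "DAILY", "start_time": "09:00:00"},
]

if __name__ == "__main__":
    for exe, hours in flag_hourly_task_sets(SAMPLE_TASKS).items():
        print("suspicious hourly task set for %s.exe at hours %s" % (exe, hours))
```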

Last update 21 November 2011

 
