Trojan.Explod
First posted on 31 March 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Explod.
Explanation:
Once executed, the Trojan creates the following files:
%Windir%\Microsoft\Config.Msi\sdata.sys
%Windir%\Microsoft\Config.Msi\pdata.sys
%Windir%\Microsoft\Config.Msi\prdata.sys
%Windir%\Microsoft\Config.Msi\pdata.sys\TEMP\systmp2.dat
%Windir%\Microsoft\Config.Msi\pdata.sys\TEMP\systmp.dat
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winrpt" = "[PATH TO MALWARE]"
The Trojan also creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MicrosoftServices\"ImagePath" = "[PATH TO MALWARE]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MicrosoftServices\"DisplayName" = "Microsoft Services"
The Trojan then opens a back door on the compromised computer, and connects to one or more of the following command-and-control (C&C) servers:
exploreredotnt.info
exploreredotnt.com
Note: If the server is unavailable, the Trojan modifies the original domain name, using its domain generation algorithm (DGA), and attempts to connect to the modified domain.
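An added detection example, not part of the Symantec entry: it matches DNS query names against the C&C domain label by letter content rather than by exact string. The entry only says the DGA modifies the original domain name; treating the generated domains as the letters of the original label in a different order under the same TLDs (which is what Symantec's example modified domains look like) is an assumption, labelled in the code, and the log lines are constructed.

```python
# Added example, not from the Symantec write-up: flag DNS queries whose name
# is a letter-rearrangement of Trojan.Explod's C&C domain label.
# ASSUMPTION: the write-up says only that the DGA "modifies the original
# domain name"; treating the generated names as the same letters in a
# different order under the same TLDs is this example's detection heuristic.

KNOWN_C2 = ("exploreredotnt.info", "exploreredotnt.com")  # from the write-up


def signature(domain):
    """Return (sorted letters of the second-level label, TLD), or None.
    Anagram labels under one TLD, e.g. 'edotntexplorer.info' and
    'exploreredotnt.info', map to the same signature."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return "".join(sorted(labels[-2])), labels[-1]


C2_SIGNATURES = {signature(d) for d in KNOWN_C2}


def is_explod_dga_candidate(qname):
    """True when qname reuses the C&C label's letters under a C&C TLD."""
    return signature(qname) in C2_SIGNATURES


def scan_dns_log(lines):
    """Return (timestamp, client, qname) for every matching query line.
    Expected line format (constructed): '<timestamp> <client_ip> query <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue  # skip malformed or non-query lines
        ts, client, qname = parts[0], parts[1], parts[3]
        if is_explod_dga_candidate(qname):
            hits.append((ts, client, qname))
    return hits


# Constructed sample log; only the first queried name is from the write-up.
SAMPLE_LOG = [
    "2015-03-31T10:00:01Z 10.0.0.5 query exploreredotnt.com",   # known C&C
    "2015-03-31T10:00:02Z 10.0.0.5 query exploreerdotnt.com",   # two letters swapped: flagged
    "2015-03-31T10:00:03Z 10.0.0.7 query www.microsoft.com",    # benign
    "2015-03-31T10:00:04Z 10.0.0.5 query exploreredotnt.org",   # TLD the Trojan does not use
    "2015-03-31T10:00:05Z 10.0.0.5 query exploredotnt.com",     # letters missing: not an anagram
    "2015-03-31T10:00:06Z 10.0.0.9 query edotntexplorer.info",  # letters reordered: flagged
]
```

The anagram class of a 14-letter label is narrow enough to be a useful signal, but the same rule applied to short labels would match many benign names, so keep it scoped to the labels of known C&C domains and review hits rather than blocking on them automatically.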
The Trojan then steals the following information from the compromised computer:
Credentials stored in Internet Explorer
Outlook and Outlook Express credentials
Internet Explorer browsing history
Windows Live and MSN Messenger credentials
Information stored in Rasphone.pbk
Windows autologon credentials
Information saved in remote desktop configuration (RDP) files
Clipboard data
Keystrokes
The Trojan may also download additional malware and add entries to the following registry subkeys so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Last update 31 March 2015