Home / malware Trojan.Uverat
First posted on 17 October 2015.
Source: SymantecAliases :
There are no other names known for Trojan.Uverat.
Explanation :
Once executed, the Trojan creates the following folders:
%UserProfile%\Application Data\syslogdata%UserProfile%\Application Data\syslogdata\exc%UserProfile%\Application Data\syslogdata\macnames%UserProfile%\Application Data\syslogdata\pluginsAgent%UserProfile%\Application Data\syslogdata\tempAgent%UserProfile%\Application Data\syslogdata\blockedAgentMacAddresses%UserProfile%\Application Data\syslogdata\lastAgentMacAddresses%UserProfile%\Application Data\syslogdata\MacidAgent
The Trojan then creates the following file:
%UserProfile%\Application Data\syslogdata\syslog-agent.jar
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"QRat-STartUp-Command" = "[JAVA INSTALL PATH]\javaw.exe -jar "%UserProfile%\Application Data\syslogdata\syslog-agent.jar""
Next, the Trojan connects to one or more of the following command-and-control (C&C) servers:
schelbye.comsoqda.comfrecarn.covaltce.comgtfoods.com.ru
The Trojan then downloads plugins from the C&C servers that enable it to open a back door on the compromised computer.
The Trojan may then perform malicious activities on the compromised computer.Last update 17 October 2015
