Trojan.Downeks
First posted on 30 April 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Downeks.
Explanation:
Once executed, the Trojan creates the following files:
%UserProfile%\Application Data\Download Excute.exe
%UserProfile%\Start Menu\Download Excute.LNK
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Download Excute" = "%UserProfile%\Application Data\Download Excute.exe"
The Trojan may then connect to one or more of the following command-and-control (C&C) servers:
[http://]kolabdown.sytes.net/dw/se[REMOVED]
[http://]noredirecto.redirectme.net/dw/se[REMOVED]
[http://]fastbingcom.sytes.net/dw/se[REMOVED]
[http://]safara.sytes.net/se[REMOVED]
[http://]198.105.122.96/dw/se[REMOVED]
The Trojan may then download potentially malicious files from URLs specified by the C&C server.
The Trojan also gathers the following information from the compromised computer and sends it to the attacker:
Host name
User name
Operating system version
MAC address
Hard disk volume serial number
Screenshots
The Trojan also checks for the existence of directories in %ProgramFiles% with the following strings:
avira
avast
avg
eset
kaspersky
alwil
onecare
security
mcafee
symantec
norton
defender
bitdefender
The Trojan reports the existence of any of the previously mentioned directories to the attacker.
Last update 30 April 2015
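As an added example (not part of the Symantec write-up), the following Python script checks endpoint telemetry against the persistence, dropped-file and C&C indicators listed above. The pipe-separated event format and the sample events are constructed assumptions; the indicator values come from the write-up.

```python
# Indicators taken from the Trojan.Downeks write-up above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Download Excute"
DROPPED_FILES = [
    r"\Application Data\Download Excute.exe",
    r"\Start Menu\Download Excute.LNK",
]
C2_HOSTS = {"kolabdown.sytes.net", "noredirecto.redirectme.net",
            "fastbingcom.sytes.net", "safara.sytes.net", "198.105.122.96"}

# Constructed sample telemetry (assumed format): <event_type>|<field>|<field>
SAMPLE_EVENTS = """\
registry_set|HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Download Excute|C:\\Users\\alice\\Application Data\\Download Excute.exe
file_create|C:\\Users\\alice\\Start Menu\\Download Excute.LNK
dns_query|updates.example.org
dns_query|safara.sytes.net
file_create|C:\\Users\\alice\\Documents\\report.docx
"""


def check_event(line):
    """Return a finding string if the event matches a Downeks indicator, else None.
    Registry paths and file paths are compared case-insensitively, as Windows does."""
    parts = line.rstrip("\n").split("|")
    kind = parts[0]
    if kind == "registry_set":
        key_path, data = parts[1], parts[2]
        key, _, name = key_path.rpartition("\\")
        if key.lower() == RUN_KEY.lower() and name.lower() == RUN_VALUE.lower():
            return f"persistence: Run value '{name}' -> {data}"
    elif kind == "file_create":
        path = parts[1]
        for suffix in DROPPED_FILES:
            if path.lower().endswith(suffix.lower()):
                return f"dropped file: {path}"
    elif kind == "dns_query":
        if parts[1].lower() in C2_HOSTS:
            return f"C&C lookup: {parts[1]}"
    return None


def scan(text):
    """Run check_event over every non-empty line and return the list of findings."""
    return [f for f in (check_event(ln) for ln in text.splitlines() if ln.strip()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```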