Trojan:XML/Updobe.A
First posted on 01 December 2019.
Source: Microsoft
Aliases:
Trojan:XML/Updobe.A is also known as Trojan.Script.187190, JS/FFSpy.A, Trojan-Spy.JS.FFSpy.a, JS/FFSpy.
Explanation:
Trojan:XML/Updobe.A is a trojan component installed by TrojanDropper:Win32/Updobe.A. The component contains the remote Web server location from which TrojanDropper:Win32/Updobe.A obtains updates.

Installation:
Trojan:XML/Updobe.A is installed by TrojanDropper:Win32/Updobe.A and may be present as the following file:
%APPDATA%\Adobe\Flash\install.rdf
The following additional files may also exist:
%APPDATA%\Adobe\Flash\chrome.manifest
%APPDATA%\Adobe\Flash\install.js
%APPDATA%\Adobe\Flash\content\google.js
%APPDATA%\Adobe\Flash\content\overlay.xul
%APPDATA%\Adobe\Flash\content\overlay.js
%APPDATA%\Adobe\Flash\content\overlay.js.old
The registry may be modified so that Firefox loads the installed malware as an extension:
Adds value: "{191d3f14-ff4c-4895-bdea-db54526cb49a}"
With data: "%AppData%\Adobe\Flash"
To subkey: HKCU\Software\Mozilla\Firefox\Extensions

Payload:
Displays advertisements
The malware dropped by TrojanDropper:Win32/Updobe.A hijacks Google search results based on certain keywords. It also monitors the user's browsing behavior and sends information back to 'msjupdate.com'. Advertisements may then be displayed on the system based on the user's search words and browsing behavior.

Analysis by Hong Jia and Jireh Sanico
Last update 01 December 2019