
Backdoor.Fulario


First posted on 11 June 2014.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Fulario.

Explanation:

When the Trojan is executed, it creates a copy of itself in the following location:
%Temp%\CacheClean.exe

The Trojan creates the following load point:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AntiVir_Update.URL

Note: This is a shortcut that points to %Temp%\CacheClean.exe.
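
A triage sketch for the load point described above, added here as an example and not part of Symantec's write-up: it parses the contents of Startup-folder .URL files and flags any that resolve to a local executable, which goes beyond the two file names on this page. It assumes the shortcut uses the standard Internet Shortcut layout (an [InternetShortcut] section with a URL= key), which the page does not state; the function names and sample contents are constructed.

```python
import configparser
from pathlib import PureWindowsPath
from urllib.parse import urlparse, unquote

# File names from the write-up above, lower-cased for comparison.
PAGE_SHORTCUT, PAGE_TARGET = "antivir_update.url", "cacheclean.exe"
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def shortcut_target(text):
    """Return the URL= value of an Internet Shortcut file, or None."""
    cp = configparser.RawConfigParser(strict=False)  # raw: '%20' is not interpolated
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # not INI-shaped
    for section in cp.sections():  # section names are case-sensitive
        if section.lower() == "internetshortcut":
            return cp.get(section, "URL", fallback=None)
    return None

def local_executable(target):
    """Return a PureWindowsPath if target names a local executable, else None."""
    target = (target or "").strip()
    parsed = urlparse(target)
    if parsed.scheme == "file":
        raw = unquote(parsed.path).lstrip("/")
    elif len(parsed.scheme) <= 1:
        raw = target  # bare path: "C:" parses as a one-letter scheme
    else:
        return None  # http, https, ...
    path = PureWindowsPath(raw)
    return path if path.suffix.lower() in EXEC_EXTS else None

def assess(shortcut_name, text):
    """Classify one .URL file found in a Startup folder."""
    path = local_executable(shortcut_target(text))
    named = path is not None and path.name.lower() == PAGE_TARGET
    if shortcut_name.lower() == PAGE_SHORTCUT or named:
        return "matches-page-indicator"
    if path is None:
        return "ok"
    in_temp = any(p.lower() in ("temp", "tmp") for p in path.parts)
    return "executable-in-temp" if in_temp else "local-executable"

SAMPLES = {  # constructed contents, not captured from a real infection
    "AntiVir_Update.URL": "[InternetShortcut]\nURL=file:///C:/WINDOWS/Temp/CacheClean.exe\n",
    "Support.url": "[InternetShortcut]\nURL=https://support.example.com/\n",
    "Sync.url": "[InternetShortcut]\nURL=file:///C:/Users/u/AppData/Local/Temp/sync%20helper.exe\n",
}
print({name: assess(name, body) for name, body in SAMPLES.items()})
```

To use it on a live or mounted system, read each .URL file in the per-user and All Users Startup folders and pass its file name and text to assess().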

The Trojan creates the following file that contains the running processes:
%Temp%\~Pro75C.DAT

The Trojan opens a back door and may connect to one of the following servers:
[http://]23.245.228.128/jod/updat[REMOVED]
[http://]23.245.228.128/jod/info[REMOVED]
[http://]23.245.228.128/jod/info[REMOVED]
[http://]198.74.114.239/ys/info[REMOVED]
[http://]www.systeminfo.comule.com/sat/com[REMOVED]
[http://]www.systeminfo.comule.com/sat/inde[REMOVED]
[http://]198.55.103.148/kkd/updat[REMOVED]
[http://]198.55.103.148/kkd/info[REMOVED]
[http://]198.55.103.148/kkd/info[REMOVED]

The Trojan may perform the following actions:
Download and execute remote files
Execute shell commands
Collect and save running processes into a file (%Temp%\~Pro75C.DAT)
Send running processes to the back door servers
Communicate whether a proxy is enabled on the compromised computer
Send the proxy address to the back door servers
Verify the presence of files on the compromised computer

Last update 11 June 2014

 
