
Trojan.Cozer


First posted on 03 April 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Cozer.

Explanation:

Once executed, the Trojan creates the following files:
%Temp%\hppscan854.pdf
%Temp%\reader_sl.exe
%UserProfile%\Application Data\ATI_Subsystem\atiadlxx.dll
%UserProfile%\Application Data\ATI_Subsystem\aticfx32.bin
%UserProfile%\Application Data\ATI_Subsystem\aticfx32.dll
%UserProfile%\Application Data\ATI_Subsystem\clinfo.exe
%UserProfile%\Application Data\ATI_Subsystem\coinst_13.152.dll
%UserProfile%\Application Data\ATI_Subsystem\racss.dat
%Windir%\Tasks\atiapfxx_Client.job
%Windir%\Tasks\clinfo_Info.job
The Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"atipblag_System" = "%UserProfile%\Application Data\ATI_Subsystem\clinfo.exe %UserProfile%\Application Data\ATI_Subsystem\aticfx32.dll, ADL_Display_DeviceConfig_Get"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"amdhwdecoder_Info" = "%UserProfile%\Application Data\ATI_Subsystem\clinfo.exe %UserProfile%\Application Data\ATI_Subsystem\aticfx32.dll, ADL_Display_DeviceConfig_Get"
Both values run the same command line: the dropped clinfo.exe is passed the path of aticfx32.dll followed by an export name, ADL_Display_DeviceConfig_Get, in the same "<dll>, <export>" form that rundll32.exe uses. This points at the DLL, rather than the loader executable, as the component to collect for analysis, and the loader/DLL/export triple is a more durable indicator than the value names, which a variant can change freely.
The Trojan also creates the following registry entry in the policy-controlled Explorer Run key, a third autostart location that should be reviewed alongside the two standard Run keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"atigktxx_Host" = "%UserAppData%\ATI_Subsystem\clinfo.exe %UserProfile%\Application Data\ATI_Subsystem\aticfx32.dll, ADL_Display_DeviceConfig_Get"
The Trojan is delivered as a file made to look like a PDF. Once executed, it opens the following clean decoy PDF so that the victim sees the document they expected:
%Temp%\hppscan854.pdf
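The persistence artifacts above can be checked from a triage export rather than by hand. The following Python is an added example for this page, not code from Symantec or malwarePDF: it expands the %Temp%, %UserProfile%, %UserAppData% and %Windir% placeholders for an assumed user profile, matches a file listing against the dropped files, parses reg query output for the Run keys, and flags a value either by its known name or by the shared "clinfo.exe <dll>, ADL_Display_DeviceConfig_Get" command line. The sample file listing and registry output are constructed, and the renamed value gfx_helper in them is hypothetical, included to show the command-line match catching a variant that changes only the value name.

```python
"""Host triage for the Trojan.Cozer artifacts listed above.

Added example for this page, not code from Symantec or malwarePDF. It runs
over constructed sample data (a file listing and reg query output) instead
of touching a live host; the profile directories in ENV are assumed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Symantec-style placeholders -> concrete directories for one (assumed) user.
ENV: Dict[str, str] = {
    "%Temp%": r"C:\Users\alice\AppData\Local\Temp",
    "%UserProfile%": r"C:\Users\alice",
    "%UserAppData%": r"C:\Users\alice\Application Data",  # alias used by the third Run value
    "%Windir%": r"C:\Windows",
}

# The ten files the page lists (scheduled-task .job files included).
DROPPED_FILES = [
    r"%Temp%\hppscan854.pdf",
    r"%Temp%\reader_sl.exe",
    r"%UserProfile%\Application Data\ATI_Subsystem\atiadlxx.dll",
    r"%UserProfile%\Application Data\ATI_Subsystem\aticfx32.bin",
    r"%UserProfile%\Application Data\ATI_Subsystem\aticfx32.dll",
    r"%UserProfile%\Application Data\ATI_Subsystem\clinfo.exe",
    r"%UserProfile%\Application Data\ATI_Subsystem\coinst_13.152.dll",
    r"%UserProfile%\Application Data\ATI_Subsystem\racss.dat",
    r"%Windir%\Tasks\atiapfxx_Client.job",
    r"%Windir%\Tasks\clinfo_Info.job",
]

# Value names from the three Run entries on the page.
RUN_VALUE_NAMES = {"atipblag_System", "amdhwdecoder_Info", "atigktxx_Host"}

# All three Run values carry the same command line, <loader> <dll>, <export>.
# Matching on that triple catches a sample that only changes the value name.
LOADER_RE = re.compile(
    r"ATI_Subsystem\\clinfo\.exe\s+.*?ATI_Subsystem\\aticfx32\.dll\s*,\s*ADL_Display_DeviceConfig_Get",
    re.IGNORECASE,
)


def expand(path: str, env: Dict[str, str] = ENV) -> str:
    """Replace each %Var% placeholder with its directory (case-insensitive)."""
    for var, value in env.items():
        # A callable replacement keeps the backslashes in `value` literal.
        path = re.sub(re.escape(var), lambda _m: value, path, flags=re.IGNORECASE)
    return path


def match_files(present: Iterable[str], env: Dict[str, str] = ENV) -> List[str]:
    """Return the expanded IOC paths that appear in a file listing."""
    seen = {p.lower() for p in present}
    return [expand(p, env) for p in DROPPED_FILES if expand(p, env).lower() in seen]


# reg query prints the key on its own line, then one value per line as
# four spaces, name, four spaces, type, four spaces, data.
_VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Turn reg query output into (key, value_name, data) triples."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(3)))
    return entries


def match_run_values(entries: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Flag Run values by known name or by the loader/DLL/export command line."""
    return [(k, n, d) for k, n, d in entries if n in RUN_VALUE_NAMES or LOADER_RE.search(d)]


# Constructed sample data: benign entries plus three dropped files, one known
# value name and one hypothetical renamed value ("gfx_helper") that keeps the
# same command line.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\hppscan854.pdf",
    r"C:\Users\alice\AppData\Local\Temp\notes.txt",
    r"C:\Users\alice\Application Data\ATI_Subsystem\clinfo.exe",
    r"C:\Windows\Tasks\clinfo_Info.job",
]

SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    atipblag_System    REG_SZ    C:\Users\alice\Application Data\ATI_Subsystem\clinfo.exe C:\Users\alice\Application Data\ATI_Subsystem\aticfx32.dll, ADL_Display_DeviceConfig_Get

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    gfx_helper    REG_SZ    C:\Users\alice\Application Data\ATI_Subsystem\clinfo.exe C:\Users\alice\Application Data\ATI_Subsystem\aticfx32.dll, ADL_Display_DeviceConfig_Get
"""

if __name__ == "__main__":
    for path in match_files(SAMPLE_FILES):
        print("file:", path)
    for key, name, data in match_run_values(parse_reg_query(SAMPLE_REG)):
        print("run value:", key, name, data)
```

To run it against a real host, replace SAMPLE_FILES with a recursive listing of the profile and Windows directories, replace SAMPLE_REG with the concatenated output of reg query for each of the three keys above, and set ENV to the profile under examination; value names are matched exactly, the command line case-insensitively.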
The Trojan stops running if it detects any of the following virtualization or sandboxing products (Sandboxie is an application sandbox rather than a virtual machine, but is treated the same way):
VMware
Parallels Workstation
VirtualBox
Sandboxie
The Trojan also stops running if it detects any of the following analysis-tool processes:
regmon.exe
windump.exe
syser.exe
procexp.exe
tcpview.exe
petools.exe
idag64.exe
wireshark.exe
winspy.exe
idaq64.exe
netsniffer.exe
apimonitor.exe
iris.exe
The check is by process name, so analysts detonating the sample should rename these tools or run them outside the guest, and should hide the virtualization products listed above, or the sample exits before showing any of the behaviour described below.
Next, the Trojan may connect to either of the following IP addresses over TCP port 443:
200.119.128.45
202.206.232.20
The Trojan may also connect to the following URL:
[https://]twitter.com/monkey[REMOVED]
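The network indicators above are the ones most likely to surface in proxy or firewall logs. The following Python is an added example, not from the original page or Symantec: it sweeps constructed proxy-log lines for connections to the two IP addresses, distinguishing the reported TCP port 443 from any other port, and for fetches of a twitter.com profile whose path begins with /monkey, since the page redacts the rest of the URL. The log format, the internal and non-indicator addresses (RFC 5737 test ranges), and the placeholder profile path are assumptions.

```python
"""Network IOC sweep for the Trojan.Cozer indicators above.

Added example, not from the original page or Symantec. It runs over
constructed proxy-log lines of the form
    <timestamp> <src_ip> <dst_ip> <dst_port> <url-or-dash>
so it needs no network access; adapt parse_line() to your own log format.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

C2_IPS = {"200.119.128.45", "202.206.232.20"}  # both reported with TCP 443
C2_PORT = 443

# The page shows the profile URL as twitter.com/monkey[REMOVED]; only the host
# and the path prefix before the redaction are usable as an indicator.
PROFILE_HOST = "twitter.com"
PROFILE_PATH_PREFIX = "/monkey"

# Constructed log: one clean line, both C2 addresses (one on an odd port),
# a profile path under /monkey (placeholder, the real handle is redacted on
# the page) and an unrelated twitter.com request. Non-IOC addresses come
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """
2015-04-03T09:12:01Z 10.0.0.12 192.0.2.20 443 https://example.com/
2015-04-03T09:12:44Z 10.0.0.12 200.119.128.45 443 -
2015-04-03T09:13:10Z 10.0.0.12 202.206.232.20 8080 -
2015-04-03T09:13:30Z 10.0.0.12 192.0.2.10 443 https://twitter.com/monkeyPLACEHOLDER
2015-04-03T09:14:02Z 10.0.0.12 192.0.2.10 443 https://twitter.com/home
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Split one log line into (ts, src_ip, dst_ip, dst_port, url); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, src, dst, port, url = parts
    return ts, src, dst, int(port), url


def classify(dst_ip: str, dst_port: int, url: str) -> Optional[str]:
    """Return a finding label for one connection, or None if it matches nothing."""
    if dst_ip in C2_IPS:
        if dst_port == C2_PORT:
            return "C2 address on the reported port 443"
        # The address is the indicator; a different port still deserves a look.
        return "C2 address on unexpected port %d" % dst_port
    if url != "-":
        u = urlsplit(url)
        if u.hostname == PROFILE_HOST and u.path.startswith(PROFILE_PATH_PREFIX):
            return "twitter.com profile under /monkey; confirm the handle, the page redacts it"
    return None


def sweep(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src_ip, finding) for every line that matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, url = rec
        label = classify(dst, port, url)
        if label:
            findings.append((ts, src, label))
    return findings


if __name__ == "__main__":
    for ts, src, label in sweep(SAMPLE_LOG):
        print(ts, src, label)
```

The twitter.com match is deliberately loose because the handle is redacted on the page; treat it as a lead to verify against the actual profile, not as a confirmed hit, and pair it with the host artifacts listed earlier before acting on it.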
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Download files
Upload files
Execute files
End processes
Collect system information such as user name, computer name, operating system version, IP address, MAC address, and installed security software

Last update 03 April 2015

 
