Home / malwarePDF  

TrojanDropper:MSIL/Toauta.A


First posted on 29 April 2015.
Source: Microsoft

Aliases :

There are no other names known for TrojanDropper:MSIL/Toauta.A.

Explanation :

Threat behavior

Installation
This threat can create files on your PC, including:

  • %TEMP%\chrome.exe
  • %TEMP%\yqfsmhykbvo1bntx8zro.exe


It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "e79d569ba77562f0d4316e586835f0a2"
With data: ""%TEMP%\chrome.exe" .."
In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "e79d569ba77562f0d4316e586835f0a2"
With data: ""%TEMP%\chrome.exe" .."


Payload


Installs malware or unwanted software

This trojan can install other malware or unwanted software onto your PC.



Bypasses firewall



This threat tries to bypass your firewall by modifying the registry. For example:

HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy

You might need to restore your Windows Firewall settings.



Additional information

Creates a mutex

This threat can create a mutex on your PC. For example:

  • e79d569ba77562f0d4316e586835f0a2


It might use this mutex as an infection marker to prevent more than one copy of the threat running on your PC.



This malware description was published using automated analysis of file SHA1 508a5f80a6a8bffa8728434e014b653d00c23861.

Symptoms

The following can indicate that you have this threat on your PC:

  • You see a file similar to:
    • %TEMP%\chrome.exe
    • %TEMP%\yqfsmhykbvo1bntx8zro.exe
  • You see registry modifications such as:
    • In subkey: HKCU\software\microsoft\windows\currentversion\run
      Sets value: "e79d569ba77562f0d4316e586835f0a2"
      With data: ""%TEMP%\chrome.exe" .."

    • In subkey: HKLM\software\microsoft\windows\currentversion\run
      Sets value: "e79d569ba77562f0d4316e586835f0a2"
      With data: ""%TEMP%\chrome.exe" .."

    • In subkey: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list
      Sets value: "%TEMP%\Chrome.exe"
      With data: "%TEMP%\chrome.exe:*:enabled:chrome.exe"

  • You see the following mutex:
    • e79d569ba77562f0d4316e586835f0a2

Last update 29 April 2015

 

TOP

Malware :

Family: