
Downloader.Domar


First posted on 16 September 2015.
Source: Symantec

Aliases:

There are no other names known for Downloader.Domar.

Explanation:

When the Trojan arrives on the compromised computer, it downloads the following file:
%ProgramFiles%\AppPatch\
The Trojan may connect to one of the following remote locations:
[http://]115.28.146.63/[REMOVED]
[http://]m1.yea.im/1ZU[REMOVED]
[http://]157.7.109.126/Consys[REMOVED]
The Trojan downloads a malicious file to one of the following locations:
%ProgramFiles%\[RANDOM NUMBER].dll
%ProgramFiles%\mysqld.dll
%ProgramFiles%\NetSyst[ONE OR TWO RANDOM NUMBERS].dll
The downloaded file is deobfuscated by the Trojan, copied into memory, and executed.

If the download is successful or if the file has already been downloaded, the Trojan copies itself to the following location and deletes itself:
%ProgramFiles%\Microsoft [RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
The Trojan creates a service, with a name consisting of random characters, so that it will run at start-up.
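The file-path placeholders, remote hosts and service persistence described above translate directly into host-based checks. The following Python is an added example written for this page, not Symantec's code or tooling: it turns the writeup's placeholders into regular expressions and runs them over a constructed list of file paths, URLs and service entries. The benign-folder allowlist for the "Microsoft [RANDOM CHARACTERS]" rule is an assumption (that pattern would otherwise also flag legitimate vendor folders), and the sample inputs are invented for the demonstration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Remote hosts named in the writeup (the URL paths were redacted there).
KNOWN_HOSTS = {"115.28.146.63", "m1.yea.im", "157.7.109.126"}

# Rules derived from the placeholders in the writeup, applied to a path
# that has been normalised and made relative to a Program Files root.
PATH_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("numeric-named dll in Program Files root", re.compile(r"^\d+\.dll$", re.I)),
    ("mysqld.dll in Program Files root", re.compile(r"^mysqld\.dll$", re.I)),
    ("NetSyst<1-2 digits>.dll in Program Files root", re.compile(r"^netsyst\d{1,2}\.dll$", re.I)),
]

# "Microsoft [RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe": one folder level, then an exe.
MICROSOFT_DIR_RX = re.compile(r"^microsoft ([^\\]+)\\[^\\]+\.exe$", re.I)
# Constructed allowlist (assumption): legitimate "Microsoft <name>" folders to skip.
BENIGN_MICROSOFT_DIRS = {"office", "sql server"}

PROGRAM_FILES_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def relative_to_program_files(path: str) -> Optional[str]:
    """Lower-case the path and strip a Program Files root; None if it lives elsewhere."""
    p = path.replace("/", "\\").lower()
    for prefix in PROGRAM_FILES_PREFIXES:
        if p.startswith(prefix):
            return p[len(prefix):]
    return None


def match_path(path: str) -> Optional[str]:
    """Return the matching rule label, or None if the path matches nothing."""
    rel = relative_to_program_files(path)
    if rel is None:
        return None
    for label, rx in PATH_RULES:
        if rx.match(rel):
            return label
    m = MICROSOFT_DIR_RX.match(rel)
    if m and m.group(1) not in BENIGN_MICROSOFT_DIRS:
        return "exe under a 'Microsoft <random>' folder"
    return None


def scan_paths(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, label) for every path that matches one of the rules."""
    findings = []
    for path in paths:
        label = match_path(path)
        if label:
            findings.append((path, label))
    return findings


def match_host(url_or_host: str) -> bool:
    """True if a URL's host, or a bare host name, is one of the known hosts."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    return (host or "").lower() in KNOWN_HOSTS


def scan_services(services: List[Tuple[str, str]]) -> List[str]:
    """Return service names whose binary path matches the path rules."""
    return [name for name, image in services if match_path(image)]


# Constructed sample data for the demonstration; not real observations.
SAMPLE_PATHS = [
    r"C:\Program Files\mysqld.dll",
    r"C:\Program Files\NetSyst7.dll",
    r"C:\Program Files\4821.dll",
    r"C:\Program Files\Microsoft qzxw\hgtd.exe",
    r"C:\Program Files\Microsoft Office\setup.exe",
    r"C:\Program Files (x86)\Common Files\system\ole db\oledb32.dll",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("xkqwp", r"C:\Program Files\Microsoft dfkq\ylob.exe"),
]

if __name__ == "__main__":
    for path, label in scan_paths(SAMPLE_PATHS):
        print(f"{label}: {path}")
    print("suspicious services:", scan_services(SAMPLE_SERVICES))
    print("known host:", match_host("http://157.7.109.126/Consys"))
```

In a real deployment the path list would come from a directory walk of both Program Files roots and the service list from the Service Control Manager (for example `Get-CimInstance Win32_Service` in PowerShell); the numeric-dll and NetSyst rules are specific enough to alert on directly, while the "Microsoft <random>" rule should only be raised after the allowlist has been tuned for the environment.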

Last update 16 September 2015
