Trojan.Hepbot
First posted on 13 June 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Hepbot.
Explanation:
When the Trojan is executed, it creates the following files:
%SystemDrive%\Documents and Settings\All Users\Application Data\gpresultl.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\en.lock
%SystemDrive%\Documents and Settings\All Users\Application Data\log.err
%SystemDrive%\Documents and Settings\All Users\Application Data\system.lho
Next, the Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"gpresultl" = "%SystemDrive%\Documents and Settings\All Users\Application Data\gpresultl.exe"
The Trojan then connects to a remote location which is determined through the malware's builder.
The Trojan may then perform the following actions:
Open a back door
Log keystrokes
Steal information
Capture screenshots
Last update 13 June 2015