Home / malware Downloader.Bouncedoc
First posted on 15 May 2015.
Source: SymantecAliases :
There are no other names known for Downloader.Bouncedoc.
Explanation :
The Trojan may be manually installed on the affected computer.
When the Trojan is executed, it creates the following file: %System%\V3Medic.exe
Next, the Trojan creates the following registry entries: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\"Version" = "1"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\[RANDOM CSLID]\"stubpath" = "%System%\V3Medic.exe"
The Trojan then checks the OS version of the compromised computer. If the computer runs Windows 8, then the Trojan connects to the following remote locations: [http://]blog.sina.com.cn/s/blog_b05fc39e[REMOVED][http://]hi.baidu.com/poialw/item/5fe46b2f5d[REMOVED][http://]hi.baidu.com/lokisqq/item/328cda6595[REMOVED][http://]www.ins2060.com/images/main_h[REMOVED]
If the computer runs any other version of Windows, the Trojan connects to the following remote locations: [http://]blog.sina.com.cn/s/blog_af5f75a3[REMOVED][http://]hi.baidu.com/opaoxf1/item/b46b81a134[REMOVED][http://]hi.baidu.com/opaoxf2/item/6cb9d3a0b1[REMOVED][http://]www.ins2060.com/images/main_h[REMOVED]
The Trojan then downloads specific web pages from these sites and extracts and decrypts data from them. If the Trojan successfully decrypts the data, then it may obtain a URL from which to download malicious files.Last update 15 May 2015