TrojanSpy:Win32/Fucobha.A
First posted on 26 October 2011.
Source: SecurityHome
Aliases:
TrojanSpy:Win32/Fucobha.A is also known as Trojan/Win32/Dllbot (AhnLab), Trojan-Downloader.Win32.Agent.tenl (Kaspersky), Mal/Proxy-B (Sophos), TSPY_FUCOBHA.WR (Trend Micro).
Explanation:
TrojanSpy:Win32/Fucobha.A is a trojan that can download arbitrary files, upload files and send details about the affected computer to a remote server named "cloudsbit.com".
Installation
This malware is installed by a dropper, also identified as TrojanSpy:Win32/Fucobha.A, and is present as the following file:
- %windir%\wdmaud.drv
When executed, the dropper launches the Windows shell "explorer.exe", injects "wdmaud.drv" into the newly launched process and then deletes itself. Once running, the injected code checks that its host process is "explorer" and, only if that is true, creates a mutex named "myhorsemutex" or "my_horse_mutex_jd2_new".
Payload
Communicates with a remote server/performs file transfers
TrojanSpy:Win32/Fucobha.A sends the following information about the affected computer to a remote server named "cloudsbit.com":
- Host name
- IP address
- Proxy details
- User account details
- Windows system directory details
- Operating system language
- Windows version
- Process ID (PID) of the trojan process
Some versions of this malware may steal logon credentials from certain applications, including email applications. The trojan can receive commands from the remote server that instruct it to perform the following actions:
- Download arbitrary files, sending the HTTP User-Agent string "mydownload"
- Upload files, sending the HTTP User-Agent string "MyAgent"
- Execute arbitrary files via a command prompt and redirect the output to a specified file
When commands are successfully executed, the trojan sends a confirmation message and a results message to the remote server.
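The indicators listed above (the dropped file path, the two mutex names, the two User-Agent strings and the C2 host) are enough for simple host- and network-side checks. The Python script below is an added example and is not code from this page's source, from Microsoft or from the malware; the proxy-log layout, the handle-listing format and every sample line in it are constructed for the example. The caveat that a legitimate wdmaud.drv ships in %windir%\System32 is the editor's, not the page's.

```python
"""Indicator checks for TrojanSpy:Win32/Fucobha.A.

Added example; not code from Microsoft, SecurityHome or the malware author.
The indicators (file name, mutex names, user-agent strings, C2 host) are the
ones listed on the page. The proxy log format, the handle listing format and
all sample data below are constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the page.
C2_HOST = "cloudsbit.com"
USER_AGENTS = {"mydownload": "file download", "MyAgent": "file upload"}
MUTEX_NAMES = {"myhorsemutex", "my_horse_mutex_jd2_new"}
DROPPED_FILE = "wdmaud.drv"  # dropped as %windir%\wdmaud.drv

# Assumed (constructed) proxy log layout: ts client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    where: str   # client IP, PID or path the hit belongs to
    reason: str


def scan_proxy_log(lines):
    """Flag requests to the C2 host or carrying one of the trojan's user-agents."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than crash
        host = (urlsplit(m["url"]).hostname or "").lower()
        ua = m["ua"]
        reasons = []
        if host == C2_HOST or host.endswith("." + C2_HOST):
            reasons.append(f"request to C2 host {host}")
        if ua in USER_AGENTS:  # exact match: the page gives the exact strings
            reasons.append(f"user-agent {ua!r} ({USER_AGENTS[ua]})")
        if reasons:
            hits.append(Hit(m["client"], "; ".join(reasons)))
    return hits


def scan_mutex_listing(handles):
    """Flag the trojan's mutex names in a (pid, image, object_name) listing.

    The page says the mutex is created only after the code confirms it runs
    inside explorer.exe, so explorer.exe is the expected owner; the name alone
    is still the indicator, so other owners are reported as well.
    """
    hits = []
    for pid, image, obj in handles:
        name = obj.rsplit("\\", 1)[-1]  # strip \Sessions\N\BaseNamedObjects\
        if name in MUTEX_NAMES:
            owner = "expected owner" if image.lower() == "explorer.exe" else "unexpected owner"
            hits.append(Hit(f"pid {pid} ({image})", f"mutex {name} ({owner})"))
    return hits


def scan_file_listing(paths, windir="C:\\Windows"):
    """Flag wdmaud.drv directly under %windir%.

    Caveat (editor's): a legitimate wdmaud.drv lives in %windir%\\System32;
    only a copy in %windir% itself matches the path given on the page.
    """
    target = (windir.rstrip("\\") + "\\" + DROPPED_FILE).lower()
    return [Hit(p, "dropped file at the path listed on the page")
            for p in paths if p.lower() == target]


# Constructed sample data.
SAMPLE_PROXY_LOG = [
    '2011-10-26T10:01:02Z 10.0.0.5 GET http://www.example.com/ 200 "Mozilla/5.0"',
    '2011-10-26T10:01:09Z 10.0.0.5 GET http://cloudsbit.com/get?id=1 200 "mydownload"',
    '2011-10-26T10:02:31Z 10.0.0.7 POST http://cloudsbit.com/up 200 "MyAgent"',
    '2011-10-26T10:03:00Z 10.0.0.9 GET http://example.org/MyAgent 200 "Mozilla/4.0"',
    'not a log line',
]
SAMPLE_HANDLES = [
    (1316, "explorer.exe", r"\Sessions\1\BaseNamedObjects\myhorsemutex"),
    (1316, "explorer.exe", r"\Sessions\1\BaseNamedObjects\ShimCacheMutex"),
    (2044, "notepad.exe", r"\Sessions\1\BaseNamedObjects\my_horse_mutex_jd2_new"),
]
SAMPLE_PATHS = [
    "C:\\Windows\\System32\\wdmaud.drv",  # legitimate location, not flagged
    "C:\\Windows\\wdmaud.drv",            # the page's dropped-file path
    "C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for hit in (scan_proxy_log(SAMPLE_PROXY_LOG)
                + scan_mutex_listing(SAMPLE_HANDLES)
                + scan_file_listing(SAMPLE_PATHS)):
        print(f"{hit.where}: {hit.reason}")
```

The User-Agent and mutex matches are exact on purpose: the page gives exact strings, and a substring match would fire on the fourth sample line, where "MyAgent" appears in a URL path rather than in the User-Agent header.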
Analysis by Daniel Chipiristeanu
Last update 26 October 2011