Home / malwarePDF  

Downloader.Verpow


First posted on 11 November 2014.
Source: Symantec

Aliases :

There are no other names known for Downloader.Verpow.

Explanation :

When the Trojan is executed, it creates the following file:
%AllUsersProfile%\Application Data\Microsoft\%CLSID%\%CLSID%.exe
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableSR" = dword:00000001HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableConfig" = dword:00000001HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\".Default" = dword:00000001HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"%CLSID%" = "%AllUsersProfile%\Application Data\Microsoft\%CLSID%\%CLSID%.exe"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"%CLSID%" = "%AllUsersProfile%\Application Data\Microsoft\%CLSID%\%CLSID%.exe"HKEY_LOCAL_MACHINE\SOFTWARE\708885D2\"5" = [RANDOM STRING]HKEY_LOCAL_MACHINE\SOFTWARE\708885D2\"4" = [RANDOM STRING]HKEY_LOCAL_MACHINE\SOFTWARE\708885D2\"3" = [RANDOM STRING]HKEY_LOCAL_MACHINE\SOFTWARE\708885D2\"2" = [RANDOM STRING]HKEY_LOCAL_MACHINE\SOFTWARE\708885D2\"1" = "%AllUsersProfile%\Application Data\Microsoft\%CLSID%\%CLSID%.exe"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = dword:00000000HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"svchost.exe" = dword:00000000HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"explorer.exe" = dword:00000000HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\"svchost.exe" = dword:00000001HKEY_CURRENT_USER\Software\708885D2\"5" = [RANDOM STRING]HKEY_CURRENT_USER\Software\708885D2\"4" = [RANDOM STRING]HKEY_CURRENT_USER\Software\708885D2\"3" = [RANDOM STRING]HKEY_CURRENT_USER\Software\708885D2\"2" = [RANDOM STRING]HKEY_CURRENT_USER\Software\708885D2\"1" = "%AllUsersProfile%\Application Data\Microsoft\%CLSID%\%CLSID%.exe"
The Trojan deletes the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}\@ = "Mouse"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}\@ = "Keyboard"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}\@ = "CD-ROM Drive"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys\@ = "Driver"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys\@ = "Driver"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay\@ = "Service"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\"SaferFlags" = dword:00000000HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\"LastModified" = hex(b):1a,e4,23,37,ee,bd,cb,01HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\"ItemData" = expand:"%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\"Description" = ""
The Trojan modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2300" = dword:00000000HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1809" = dword:00000003HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1601" = dword:00000000HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1206" = dword:00000000HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"2300" = dword:00000000
The Trojan injects malicious code into the following process:
svchost.exe
The Trojan may stop functioning if any of the following processes are found running:
avp.exeBullGuard.exea2service.exeop_mon.execmdagent.exeavcom.exedwengine.exejpf.exeoaui.exe
The Trojan may send the following information to [http://]dms-qvr.pw/form[REMOVED]:
OS languageOS versionTime zone
The Trojan may communicate with the following servers to download additional malware:
[http://]a7-helium.biz/10/form[REMOVED][http://]a8-nitrogen.biz/10/form[REMOVED][http://]b7-golfix.org/10/form[REMOVED][http://]b8-incfix.org/10/form[REMOVED]
The Trojan may perform the following actions:
Display advertisementsIssue mouse clicks

Last update 11 November 2014

 

TOP

Malware :