Trojan.Yorasa
First posted on 05 June 2014.
Source: Symantec
Aliases:
There are no other names known for Trojan.Yorasa.
Explanation:
When the Trojan is executed, it creates the following files:
%Temp%\[FOUR RANDOM CHARACTERS]_appcompat.txt
%UserProfile%\Application Data\servhost.exe
%Temp%\[FIVE RANDOM CHARACTERS].dmp
Next, the Trojan creates the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Soraya2
HKEY_CURRENT_USER\Software\Microsoft\S7W2@
The Trojan then creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WinServHost" = "%UserProfile%\Application Data\servhost.exe"
Next, the Trojan connects to the following remote location:
blog.wordpress-catalog.com
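As an added defender-side example (not part of the Symantec write-up), the Python below turns the file, registry and network indicators listed above into a scan over host telemetry. The (kind, value) event format, the HKU\<SID> to HKCU normalisation, the strong/weak weighting and the sample events are all assumptions; the sample telemetry is constructed.

```python
import re

# Indicators from the Trojan.Yorasa write-up above, as case-insensitive regexes
# over host telemetry; random file names are matched by their length.
INDICATORS = {
    "file": [
        ("temp_appcompat_txt", r"\\temp\\[a-z0-9]{4}_appcompat\.txt$"),
        ("servhost_exe", r"\\application data\\servhost\.exe$"),
        ("temp_dmp", r"\\temp\\[a-z0-9]{5}\.dmp$"),
    ],
    "registry": [
        ("soraya2_key", r"^hkcu\\software\\microsoft\\soraya2(\\|$)"),
        ("s7w2_key", r"^hkcu\\software\\microsoft\\s7w2@"),
        ("winservhost_run",
         r"^hkcu\\software\\microsoft\\windows\\currentversion\\run\\winservhost$"),
    ],
    "dns": [("c2_domain", r"^blog\.wordpress-catalog\.com$")],
}
INDICATORS = {k: [(n, re.compile(p, re.I)) for n, p in v] for k, v in INDICATORS.items()}

# Short-named files in %Temp% are written by many programs, so those two
# indicators alone only earn "suspicious" (assumed weighting); the rest are
# treated as strong on their own.
STRONG = {"servhost_exe", "soraya2_key", "s7w2_key", "winservhost_run", "c2_domain"}

def normalise_key(key):
    """Map HKEY_CURRENT_USER and Sysmon-style HKU\\<SID> prefixes to 'hkcu' (assumed formats)."""
    key = re.sub(r"^hkey_current_user", "hkcu", key, flags=re.I)
    return re.sub(r"^hku\\s-1-5-21-[\d-]+", "hkcu", key, flags=re.I)

def scan(events):
    """events: iterable of (kind, value), kind in file/registry/dns. Returns (matched names, verdict)."""
    hits = set()
    for kind, value in events:
        if kind == "registry":
            value = normalise_key(value)
        hits.update(n for n, rx in INDICATORS.get(kind, []) if rx.search(value))
    verdict = "infected" if hits & STRONG else "suspicious" if hits else "clean"
    return hits, verdict

# Constructed sample telemetry (not from any real host).
SAMPLE_EVENTS = [
    ("file", r"C:\Documents and Settings\alice\Local Settings\Temp\k3qz_appcompat.txt"),
    ("file", r"C:\Documents and Settings\alice\Application Data\servhost.exe"),
    ("file", r"C:\Documents and Settings\alice\Local Settings\Temp\q8m2x.dmp"),
    ("registry", r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinServHost"),
    ("dns", "blog.wordpress-catalog.com"),
    ("file", r"C:\Windows\Temp\setup.log"),
]
if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```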
The Trojan may then perform the following actions:
Steal information such as credit card numbers and login credentials
Send information to a remote location
Download and run additional malware
Uninstall itself from the compromised computer
Last update 05 June 2014