Trojan.Filurkes.B
First posted on 31 January 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Filurkes.B.
Explanation:
When the Trojan is executed, it creates one of the following files:
%SystemDrive%\Documents and Settings\All Users\Application Data\man.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\fc.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\vw.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\wapi.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\setup.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\env.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\p10.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\theme.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\http.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\mm.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\pool.drv
%SystemDrive%\Documents and Settings\All Users\Application Data\sta.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\core.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\mi.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\dlg.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\in_32.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\el32.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\ER32.DLL
%SystemDrive%\Documents and Settings\All Users\Application Data\help.dll
%SystemDrive%\Documents and Settings\All Users\Application Data\API32.DLL
The Trojan then creates one of the following data files:
%SystemDrive%\Documents and Settings\All Users\Application Data\ddd2.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\pdk2.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\km48.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\9llq.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\ddqq.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\834r.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\gi4q.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\wu3w.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\qq34.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\dqd6.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\w4ff.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\ok4l.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\kfii.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\ie31.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\4433.dat
Next, the Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\Classes\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887}\"InProcServer32" = "[PATH TO DLL FILE]"
HKEY_CURRENT_USER\Software\Classes\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887}\InProcServer32\"ThreadingModel" = "Apartment"
HKEY_CURRENT_USER\Software\Classes\Drive\ShellEx\FolderExtensions\{118BEDCC-A901-4203-B4F2-ADCB957D1887}\"DriveMask" = "0xffffffff"
Together these entries register the dropped DLL as an in-process COM server and attach it to Explorer as a shell folder extension for every drive letter (the DriveMask value 0xffffffff selects all drives), so the DLL is loaded whenever a drive is browsed. Because the keys live under HKEY_CURRENT_USER\Software\Classes, which is merged into HKEY_CLASSES_ROOT ahead of the machine-wide hive, this persistence requires no administrative rights.
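As an added hunting example (the editor's script, not part of Symantec's write-up), the following PowerShell enumerates every Drive\ShellEx\FolderExtensions registration in both the per-user and machine-wide Classes hives, resolves each CLSID to its InProcServer32 DLL, and flags entries that match the indicators above or that look like abuse of the mechanism in general (DLL in the shared Application Data folder, unsigned DLL, per-user registration). It also sweeps the drop directory for the listed file names. The CLSID and file names come from the write-up; the scoring reasons and the generalisation to other CLSIDs are the editor's assumptions.

```powershell
# Added example: hunt for Trojan.Filurkes.B-style shell folder extension persistence.
# Indicators below are from the Symantec write-up; everything else is the editor's logic.

$knownClsid = '{118BEDCC-A901-4203-B4F2-ADCB957D1887}'
$knownDlls  = 'man.dll','fc.dll','vw.dll','wapi.dll','setup.dll','env.dll','p10.dll',
              'theme.dll','http.dll','mm.dll','pool.drv','sta.dll','core.dll','mi.dll',
              'dlg.dll','in_32.dll','el32.dll','er32.dll','help.dll','api32.dll'
$knownDats  = 'ddd2.dat','pdk2.dat','km48.dat','9llq.dat','ddqq.dat','834r.dat','gi4q.dat',
              'wu3w.dat','qq34.dat','dqd6.dat','w4ff.dat','ok4l.dat','kfii.dat','ie31.dat','4433.dat'

# Both hives feed the merged HKEY_CLASSES_ROOT view; HKCU wins on conflict and
# is writable without admin rights, which is why the Trojan uses it.
$roots = 'HKCU:\Software\Classes', 'HKLM:\Software\Classes'

function Resolve-InProcServer {
    param([string]$ClassesRoot, [string]$Clsid)
    $key = Join-Path $ClassesRoot "CLSID\$Clsid\InProcServer32"
    if (-not (Test-Path $key)) { return $null }
    # The key's default value holds the DLL path; it may use %VAR% references.
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return $null }
    [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

$registryFindings = foreach ($root in $roots) {
    $ext = Join-Path $root 'Drive\ShellEx\FolderExtensions'
    if (-not (Test-Path $ext)) { continue }
    foreach ($sub in Get-ChildItem -Path $ext -ErrorAction SilentlyContinue) {
        $clsid = $sub.PSChildName
        $mask  = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DriveMask
        $dll   = Resolve-InProcServer -ClassesRoot $root -Clsid $clsid
        $reasons = @()

        if ($clsid -ieq $knownClsid) { $reasons += 'CLSID matches Trojan.Filurkes.B' }
        if ($dll) {
            $leaf = Split-Path -Leaf $dll
            if ($knownDlls -contains $leaf) { $reasons += "DLL name '$leaf' is a known Filurkes.B drop" }
            # Legitimate shell extensions live under Program Files or System32,
            # not in the shared Application Data / ProgramData folder.
            if ($dll -match '(?i)\\(All Users\\Application Data|ProgramData)\\') { $reasons += 'DLL lives in shared Application Data' }
            if (Test-Path $dll) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.Status -ne 'Valid') { $reasons += "DLL signature status: $($sig.Status)" }
            } else {
                $reasons += 'registered DLL is missing on disk'
            }
        } else {
            $reasons += 'CLSID has no InProcServer32 in the same hive'
        }
        if ($root -like 'HKCU:*') { $reasons += 'registered per-user (no admin required)' }

        # A DWORD read back as a negative Int32 still formats as its two's-complement hex.
        $maskText = if ($mask -is [int]) { '0x{0:x8}' -f $mask } elseif ($null -ne $mask) { "$mask" } else { '(none)' }

        [pscustomobject]@{
            Hive      = $root
            CLSID     = $clsid
            DriveMask = $maskText
            DLL       = $dll
            Suspicion = $reasons.Count
            Reasons   = ($reasons -join '; ')
        }
    }
}

# File-side sweep: the XP-era "All Users\Application Data" path is %ProgramData%
# on Vista and later (where the old path is a junction to it).
$dropDir = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }
$fileFindings = Get-ChildItem -Path $dropDir -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and (($knownDlls + $knownDats) -contains $_.Name) } |
    Select-Object FullName, Length, LastWriteTime

$registryFindings | Sort-Object Suspicion -Descending | Format-Table -AutoSize -Wrap
$fileFindings | Format-Table -AutoSize
```

Run it in a normal user context first: the HKCU branch is where this family writes, and an elevated prompt would inspect the administrator's own hive rather than the compromised user's. A hit on the CLSID or a file name is a strong match; the generic reasons (unsigned DLL, shared Application Data location, per-user registration) are triage hints, since a few legitimate products also register folder extensions this way.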
The Trojan then connects to the following remote location: peltry77relay.com
The Trojan may then download additional malware.
Last update: 31 January 2015