Trojan:Win64/Ampskerk.A!dha
First posted on 28 January 2015.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win64/Ampskerk.A!dha.
Explanation:
Threat behavior
Installation
This threat tries to bypass Kerberos and NTLM (NT LAN Manager) authentication of domain accounts on an infected domain controller.
It only affects domain controllers with the following 64-bit Windows operating systems:
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
We have seen it use the following file names:
- msuta64.dll
- ole64.dll
Payload
Accesses domain accounts
This threat targets domain controllers that have already been compromised. Once installed, it lets an attacker use a backdoor password (a "skeleton key") to log on as any account in the domain, wherever single-factor (password-only) authentication is used.
Analysis by Chun Feng
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
- msuta64.dll
- ole64.dll
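The following PowerShell sweep is an added example (not Microsoft's own tooling) for checking every domain controller for the two file names listed above. It assumes the ActiveDirectory module and PowerShell remoting are available, and it looks in a few common system directories and in the module list of the LSASS process; the directory list and the LSASS check are assumptions you should adjust for your environment.

```powershell
# Constructed example: sweep domain controllers for the file names Microsoft
# lists for Trojan:Win64/Ampskerk.A!dha. Requires admin rights on each DC.
$IndicatorNames = @('msuta64.dll', 'ole64.dll')

function Test-AmpskerkIndicators {
    param(
        # Default: every DC in the current domain (assumes the AD module is loaded).
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName)
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$IndicatorNames) -ScriptBlock {
        param([string[]]$Names)
        $hits = @()
        # 1. File on disk, the symptom this page documents. The directories are
        #    an assumption; the page does not state where the file is dropped.
        $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\Temp")
        foreach ($n in $Names) {
            foreach ($d in $dirs) {
                $p = Join-Path $d $n
                if (Test-Path -LiteralPath $p) {
                    $hits += [pscustomobject]@{ Type = 'File'; Detail = $p }
                }
            }
        }
        # 2. Module loaded into LSASS (assumption: an authentication bypass on a
        #    DC would have to act inside the process that validates logons).
        try {
            $lsass = Get-Process -Name lsass -ErrorAction Stop
            foreach ($m in $lsass.Modules) {
                if ($Names -contains $m.ModuleName) {
                    $hits += [pscustomobject]@{ Type = 'LsassModule'; Detail = $m.FileName }
                }
            }
        } catch {
            # Access to a protected LSASS is denied on some builds; record it so
            # the DC is not silently reported as clean.
            $hits += [pscustomobject]@{ Type = 'Error'; Detail = $_.Exception.Message }
        }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Indicators = $hits }
    }
}

# Report only domain controllers with at least one hit or error.
Test-AmpskerkIndicators | Where-Object { $_.Indicators.Count -gt 0 } |
    Select-Object Computer -ExpandProperty Indicators
```

A match on either file name or an LSASS module is grounds to isolate the domain controller and reset the affected domain credentials, since a backdoor password only works on a controller that has been patched this way.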
Last update 28 January 2015