Trojan:Win32/Fmoratk.A
First posted on 21 November 2013.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Fmoratk.A.
Explanation:
Threat behavior
Installation
Fmoratk.A copies itself to your PC as:
- %windir%\svohost.exe
It creates the following registry entry so that its copy automatically runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "format"
With data: "%windir%\svohost.exe"
It also adds this registry entry as an infection marker:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "format"
With data: "5"
Payload
Fmoratk.A creates the following batch files, one per drive letter from D to I, which other malware can use to "quick format" (format without user interaction) that drive:
- %TEMP%\d.bat
- %TEMP%\e.bat
- %TEMP%\f.bat
- %TEMP%\g.bat
- %TEMP%\h.bat
- %TEMP%\i.bat
If run, each batch file reformats the indicated drive, which can result in the loss of all data stored on that drive.
Analysis by Daniel Radu
Symptoms
The following could indicate that you have this threat on your PC:
- You have these files:
- %TEMP%\d.bat
- %TEMP%\e.bat
- %TEMP%\f.bat
- %TEMP%\g.bat
- %TEMP%\h.bat
- %TEMP%\i.bat
- You see these entries or keys in your registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "format"
With data: "%windir%\svohost.exe"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "format"
With data: "5"
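A read-only PowerShell check for the indicators listed above, added here as an example and not part of the original write-up. It inspects the current user's registry hive and %TEMP%, reports what it finds, and changes nothing:

```powershell
# Added example: reports Trojan:Win32/Fmoratk.A indicators from the write-up above.
# Read-only: it never deletes files or modifies registry values.
$findings = @()

# Dropped copy of the trojan in the Windows directory
$copy = Join-Path $env:windir 'svohost.exe'
if (Test-Path -LiteralPath $copy) { $findings += "File present: $copy" }

# Autorun entry under the Explorer policies Run key (value "format")
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'format' -ErrorAction SilentlyContinue
if ($runVal -and $runVal.format -like '*svohost.exe') {
    $findings += "Autorun entry: $runKey\format = $($runVal.format)"
}

# Infection marker: value "format" with data "5" under Internet Explorer\Main
$markerKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$marker = Get-ItemProperty -Path $markerKey -Name 'format' -ErrorAction SilentlyContinue
if ($marker -and "$($marker.format)" -eq '5') {
    $findings += "Infection marker: $markerKey\format = 5"
}

# Quick-format batch files d.bat through i.bat in %TEMP%
foreach ($letter in 'd', 'e', 'f', 'g', 'h', 'i') {
    $bat = Join-Path $env:TEMP "$letter.bat"
    if (Test-Path -LiteralPath $bat) {
        $findings += "Batch file present: $bat"
        # Show the first lines so an analyst can confirm the content before acting on it
        Get-Content -LiteralPath $bat -TotalCount 3 | ForEach-Object { $findings += "    $_" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Fmoratk.A indicators found for the current user.'
} else {
    Write-Output 'Possible Trojan:Win32/Fmoratk.A indicators:'
    $findings | ForEach-Object { Write-Output $_ }
}
```

Because the persistence lives under HKCU and %TEMP% is per user, run the check in the context of each user account that logs on to the machine.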
Last update 21 November 2013