Home / malware Trojan.Glupteba
First posted on 22 September 2015.
Source: SymantecAliases :
There are no other names known for Trojan.Glupteba.
Explanation :
When executed, the Trojan drops the following files: %UserProfile%\Local Settings\Application Data\NVIDIA Corporation\Updates\NvdUpd.exe%UserProfile%\Local Settings\Application Data\NVIDIA Corporation\Updates\NvdUpd.exe.bak
The Trojan then creates the following registry entries: HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\nvUpdSrv\"value" = "[GENERIC NUMBER]"HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\nvUpdSrv\"GUID" = "[GENERIC GUID]"
Next, the Trojan creates the following registry entry so that it runs every time Windows starts: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"NvUpdSrv" = "%UserProfile%\Local Settings\Application Data\NVIDIA Corporation\Updates\NvdUpd.exe"
The Trojan then creates the following mutex to mark its presence in the computer: Global\MD7H82HHF7EH2D73
Next, the Trojan downloads and executes files on the compromised computer.Last update 22 September 2015