Home / malware Trojan.Dokabot
First posted on 12 June 2015.
Source: SymantecAliases :
There are no other names known for Trojan.Dokabot.
Explanation :
When the Trojan is executed, it copies itself to the following locations:
%UserProfile%\crss.exe%UserProfile%\Documents\crss.exe%UserProfile%\Downloads\crss.exe
The Trojan may create the following registry keys so that it run whenever the computer is started:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Document Explorer2 = %UserProfile%\Documents\crss.exeHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Download Manager2 = %UserProfile%\Downloads\crss.exeHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Profile Manager2 = %UserProfile%\crss.exe
The Trojan opens a back door on the compromised computer and connects to a URL chosen by the attacker.
Note: The Trojan allows attackers to enter any URL for the Trojan to connect to.
The Trojan may download potentially malicious files.Last update 12 June 2015
