Trojan:Win32/Glecia.gen!A
First posted on 20 July 2019.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Glecia.gen!A.
Explanation:
Trojan:Win32/Glecia.gen!A is a generic detection for a trojan that installs a Browser Helper Object (BHO) designed to allow backdoor access to, and control of, the compromised system. It may arrive as a spammed e-mail message pretending to be an invoice.

Installation
Once executed, Trojan:Win32/Glecia.gen!A drops the following files in the Windows system folder, both of which are detected as Trojan:Win32/Glecia.gen!A:
- sys.dat
- gqcsbmzkr.dll
It also drops the file 'sys.bat' in the current folder, which deletes the trojan's currently-running copy once it has conducted its malicious routines.

Trojan:Win32/Glecia.gen!A then installs its dropped DLL as a malicious Browser Helper Object (BHO) named 'Microsoft Online Helper!' by creating the following registry entries:

Adds value: "(default)"
With data: "Microsoft online helper!"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{506D1048-1B7F-4DA7-95D1-2683E4A8E4EC}

Adds value: "(default)"
With data: "Microsoft online helper!"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{506D1048-1B7F-4DA7-95D1-2683E4A8E4EC}

Adds value: "(default)"
With data: "%systemroot%\system32\gqcsbmzkr.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{506D1048-1B7F-4DA7-95D1-2683E4A8E4EC}\InProcServer32

Payload
Connects to a remote Web site
The BHO installed by Trojan:Win32/Glecia.gen!A connects to the Web site 'davidbredov.ru', which may allow a remote attacker to access and perform certain actions on the compromised system. It may be commanded to perform actions such as the following:
- Send system information
- Open a given URL
- Execute files
- Delete all files from the root, Windows, and Program Files folders

Analysis by Jireh Sanico
Last update 20 July 2019
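The registry entries listed under Installation are the most durable artifact this trojan leaves behind: a BHO registration under Browser Helper Objects plus a CLSID whose InProcServer32 points at the dropped DLL. The script below, added here as an example and not part of the Microsoft entry, walks a registry export (.reg text) to enumerate every registered BHO, resolves each one's InProcServer32 DLL, and flags the CLSID and file name given above. The CLSID and DLL name are the entry's own indicators; SAMPLE_REG is a constructed export, and the second CLSID in it ({AAAAAAAA-...}) is a made-up benign placeholder.

```python
"""Hunt for Browser Helper Object (BHO) registrations in a Windows registry
export (.reg text) and flag those tied to Trojan:Win32/Glecia.gen!A.

Added example, not part of the Microsoft encyclopedia entry.  The CLSID and
DLL name come from the entry; SAMPLE_REG is a constructed export and the
{AAAAAAAA-...} CLSID in it is a made-up benign placeholder."""

# Indicators taken from the encyclopedia entry above.
KNOWN_BAD_CLSID = "{506D1048-1B7F-4DA7-95D1-2683E4A8E4EC}"
KNOWN_BAD_DLL = "gqcsbmzkr.dll"

# Registry locations, upper-cased because registry paths are case-insensitive
# and .reg exports are not consistent about case.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS"
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID"


def parse_reg_export(text):
    """Parse .reg text into {KEY_PATH_UPPER: {value_name: data}}.
    Only REG_SZ values matter here; other value types are kept as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            keys[current][name] = data
    return keys


def find_bhos(keys):
    """Return one record per registered BHO: CLSID, friendly name, and the DLL
    that its InProcServer32 key makes Internet Explorer load."""
    records = []
    for path, values in keys.items():
        if not path.startswith(BHO_KEY + "\\"):
            continue
        clsid = path[len(BHO_KEY) + 1:]
        clsid_values = keys.get(CLSID_KEY + "\\" + clsid, {})
        inproc = keys.get(CLSID_KEY + "\\" + clsid + "\\INPROCSERVER32", {})
        records.append({
            "clsid": clsid,
            "name": clsid_values.get("(default)") or values.get("(default)", ""),
            "dll": inproc.get("(default)", ""),
        })
    return records


def assess(records):
    """Attach a list of reasons to each record; an empty list means no hit."""
    for rec in records:
        reasons = []
        if rec["clsid"] == KNOWN_BAD_CLSID.upper():
            reasons.append("CLSID registered by Trojan:Win32/Glecia.gen!A")
        if rec["dll"].lower().endswith("\\" + KNOWN_BAD_DLL):
            reasons.append("InProcServer32 loads the dropped gqcsbmzkr.dll")
        if not rec["dll"]:
            reasons.append("BHO has no InProcServer32 (orphaned registration)")
        rec["reasons"] = reasons
    return records


def hunt(reg_text):
    """Full pipeline: parse the export, enumerate BHOs, assess each one."""
    return assess(find_bhos(parse_reg_export(reg_text)))


# Constructed sample export: the first BHO mirrors the entries in the
# Installation section; the second is a benign placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{506D1048-1B7F-4DA7-95D1-2683E4A8E4EC}]
@="Microsoft online helper!"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{506D1048-1B7F-4DA7-95D1-2683E4A8E4EC}]
@="Microsoft online helper!"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{506D1048-1B7F-4DA7-95D1-2683E4A8E4EC}\InProcServer32]
@="C:\\Windows\\system32\\gqcsbmzkr.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
@="Example benign helper (constructed placeholder)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\Program Files\\Example\\helper.dll"
"""

if __name__ == "__main__":
    for rec in hunt(SAMPLE_REG):
        status = "SUSPICIOUS" if rec["reasons"] else "review"
        print(f"{status:10} {rec['clsid']} {rec['name']!r} -> {rec['dll']}")
        for reason in rec["reasons"]:
            print(f"{'':10}   - {reason}")
```

To run this against a real machine, export the two hives with `reg export` and read the files with `encoding="utf-16"` (regedit writes UTF-16 LE), then pass the concatenated text to `hunt()`. Every BHO is listed, not only the two indicator matches, because a BHO is a DLL loaded into every Internet Explorer process and any registration you do not recognise deserves a look; matching only a CLSID misses repacked variants that register under a fresh GUID.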