
Trojan.Emysair


First posted on 22 December 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Emysair.

Explanation:

Once executed, the Trojan creates the following files:
%UserProfile%\Application Data\LocalData\ishelp.dll
%AppData%\75BD50EC.dat
%Temp%\000A758C8FEAE5F.tmp
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SystemDrive" = "rundll32.exe %UserProfile%\Application Data\LocalData\ishelp.dll"
Next, the Trojan opens a back door on the compromised computer and connects to one or more of the following remote locations:
[http://]ustar5.PassAs.us/defaul[REMOVED]
[http://]203.124.14.229/defaul[REMOVED]
[http://]dnt5b.myfw.us/defaul[REMOVED]
The Trojan may then perform the following actions:
Download, upload, and execute files
Create a remote shell
Execute commands defined by the attacker
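The persistence entry and the remote locations listed above are the two host- and network-side indicators a responder can hunt for. The script below is an added example, not part of the Symantec write-up: it parses a `reg export` style dump of the HKCU Run key and flags any value that launches rundll32.exe with a DLL outside the Windows directory (the generic pattern of which the "SystemDrive" entry is one instance), tags the Emysair-specific value name and DLL, and then matches proxy log lines against the three remote hosts. Both the registry dump and the proxy log lines are constructed samples, the proxy log format (timestamp, client IP, method, URL, status) is an assumption, and URL matching is on host only because the page truncates the paths.

```python
"""IOC hunt for Trojan.Emysair: rundll32 Run-key persistence and C2 hosts.
Added example; sample inputs below are constructed, not captured data."""
import re
from urllib.parse import urlsplit

# Indicators taken from the write-up above.
EMYSAIR_DLL = "ishelp.dll"
EMYSAIR_RUN_VALUE = "SystemDrive"
EMYSAIR_C2_HOSTS = {"ustar5.passas.us", "203.124.14.229", "dnt5b.myfw.us"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed `reg export` dump: the SystemDrive value mirrors the Trojan's
# entry; OneDrive and Audio are benign filler to show what is NOT flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SystemDrive"="rundll32.exe %UserProfile%\\Application Data\\LocalData\\ishelp.dll"
"Audio"="rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL mmsys.cpl"
"""

# Constructed proxy log (assumed format: time client method url status).
SAMPLE_PROXY_LOG = """\
2015-12-22T10:01:02Z 10.0.0.15 GET http://www.microsoft.com/ 200
2015-12-22T10:01:09Z 10.0.0.15 POST http://ustar5.PassAs.us/ 200
2015-12-22T10:03:30Z 10.0.0.15 GET http://myfw.us/ 200
2015-12-22T10:04:41Z 10.0.0.23 GET http://203.124.14.229/ 404
"""

# .reg value line: "name"="data", with \\ and \" escapes inside the quotes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# rundll32 invocation, optionally quoted or with a leading path.
_RUNDLL32_RE = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return {value name: command} for values under the HKCU Run key."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _VALUE_RE.match(line)
        if in_run_key and m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def rundll32_dll_path(command):
    """If the command launches rundll32, return the DLL it loads, else None."""
    m = _RUNDLL32_RE.match(command.strip())
    if not m:
        return None
    arg = m.group(1).strip()
    if arg.startswith('"'):
        return arg[1:].split('"', 1)[0]
    # rundll32 takes <dll>,<entrypoint> [args]; the DLL ends at the first comma.
    return arg.split(",", 1)[0].strip()


def is_system_path(path):
    """True when the path sits under the Windows directory (expanded or not)."""
    p = path.lower().replace("/", "\\")
    return p.startswith(("%systemroot%\\", "%windir%\\", "c:\\windows\\"))


def classify_run_value(name, command):
    """Findings for one Run value: generic rundll32 abuse plus the Emysair IOC."""
    findings = []
    dll = rundll32_dll_path(command)
    if dll is None:
        return findings
    if not is_system_path(dll):
        findings.append("rundll32 loading DLL from non-system path: " + dll)
    if dll.lower().endswith("\\" + EMYSAIR_DLL) or name == EMYSAIR_RUN_VALUE:
        findings.append("Trojan.Emysair persistence indicator")
    return findings


def scan_run_key(reg_text):
    """Map each suspicious Run value name to its findings."""
    report = {}
    for name, cmd in parse_run_values(reg_text).items():
        findings = classify_run_value(name, cmd)
        if findings:
            report[name] = findings
    return report


def c2_hits(proxy_log):
    """(client, host) pairs whose URL host is one of the listed remote locations."""
    hits = []
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = (urlsplit(parts[3]).hostname or "").lower()
        if host in EMYSAIR_C2_HOSTS:
            hits.append((parts[1], host))
    return hits


if __name__ == "__main__":
    for name, findings in scan_run_key(SAMPLE_REG_EXPORT).items():
        print(name, "->", "; ".join(findings))
    for client, host in c2_hits(SAMPLE_PROXY_LOG):
        print("C2 contact:", client, "->", host)
```

The Run-key rule is deliberately broader than the one IOC: rundll32.exe started from a Run value with a DLL under a user-writable path is worth a look regardless of the DLL name, while shell32.dll or other DLLs under %SystemRoot% are routine. Hostname matching is case-insensitive because `urlsplit().hostname` lowercases and the page itself shows mixed case (ustar5.PassAs.us).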

Last update 22 December 2015
