TrojanDownloader:Win32/Onkods
First posted on 08 May 2014.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Onkods.
Explanation:
Threat behavior
TrojanDownloader:Win32/Onkods is a small executable, usually between 6kB and 25kB in size, that downloads and runs other malware.
We have seen it distributed with the file name IMG<10 digits>-JPG.scr, for example IMG1337019400-JPG.scr.
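The file name pattern and typical size range described above can be checked against a file inventory. The following is an added example, not part of the original write-up or any Microsoft tooling; the `path,size_bytes` CSV layout, the function names, the verdict labels and the reading of kB as 1024 bytes are assumptions, and the sample rows are constructed.

```python
import csv
import io
import ntpath
import re

# Name pattern reported on this page: IMG<10 digits>-JPG.scr
# Windows file names are case-insensitive, so match ignoring case.
LURE_NAME = re.compile(r"IMG[0-9]{10}-JPG\.scr", re.IGNORECASE)

# "usually between 6kB and 25kB"; treating kB as 1024 bytes is an assumption.
SIZE_MIN, SIZE_MAX = 6 * 1024, 25 * 1024


def classify(path, size_bytes):
    """Return 'name+size', 'name-only', or None for one inventory entry."""
    # ntpath parses Windows paths on any OS; quotes and padding are stripped.
    name = ntpath.basename(path.strip().strip('"'))
    if not LURE_NAME.fullmatch(name):
        return None
    if SIZE_MIN <= size_bytes <= SIZE_MAX:
        return "name+size"
    return "name-only"  # name matches, size outside the usual range


def scan_inventory(csv_text):
    """Scan 'path,size_bytes' rows and return (path, verdict) for each hit."""
    hits = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 2 or not row[1].strip().isdigit():
            continue  # skip the header and malformed rows
        verdict = classify(row[0], int(row[1]))
        if verdict:
            hits.append((row[0], verdict))
    return hits


# Constructed sample inventory (not real telemetry).
SAMPLE = """path,size_bytes
C:\\Users\\alice\\Downloads\\IMG1337019400-JPG.scr,12288
C:\\Users\\bob\\Desktop\\img0000000001-jpg.SCR,480000
C:\\Users\\carol\\Pictures\\IMG1337019400.JPG,204800
C:\\Users\\dave\\Downloads\\IMG123-JPG.scr,9000
C:\\Windows\\System32\\scrnsave.scr,11264
"""

if __name__ == "__main__":
    for path, verdict in scan_inventory(SAMPLE):
        print(f"{verdict:10} {path}")
```

A name-only hit still merits review, since the page gives the size range as usual rather than fixed.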
When run, TrojanDownloader:Win32/Onkods contacts a server, from which it can download other malware files. The downloaded file is saved to either %TEMP% or the directory that Win32/Onkods is running from.
It then runs the downloaded file.
Examples of servers contacted by Win32/Onkods include:
We have seen Win32/Onkods downloading the following malware families:
- Win32/Crowti
- Win32/Miuref
- Win32/Phorpiex
- Win32/Sourtoff
- Win32/Winwebsec
Analysis by David Wood
Symptoms
The following could indicate that you have this threat on your PC:
- You have this file:
IMG<10 digits>-JPG.scr
Last update 08 May 2014