
Trojan.Wifaper


First posted on 14 March 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Wifaper.

Explanation :

When the Trojan is executed, it may copy itself to the following locations:
- %Windir%\winlogon.exe
- %SystemDrive%\ProgramData\iexplore.exe
- %SystemDrive%\Documents and Settings\All Users\Application Data\svchost.exe

The Trojan may create the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Explorer = "%Windir%\winlogon.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SERVER = "%SystemDrive%\ProgramData\iexplore.exe "
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SERVER = "%SystemDrive%\ProgramData\iexplore.exe "

The Trojan may open a back door, and connect to one of the following locations:
- microsofta.byinter.net
- microsoftb.byinter.net
- www.consilium.dnset.com
- www.consilium.dynssl.com

The Trojan may perform the following actions:
- Create a mutex named [RANDOM ASCII NUMBERS]{8}
- Perform an HTTP tunnel to bypass firewalls or internal security protections
- Restart the computer
- Log the user off of the computer
- Obtain system information
- Check if the current user has set a proxy for Internet Explorer
- Download and execute potentially malicious files
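
The copies listed above reuse Windows system binary names (winlogon.exe, iexplore.exe, svchost.exe) in directories where the genuine files do not live, and the Run entries point at those copies. The following check for that pattern over exported Run-key values is an added example, not part of the Symantec write-up; the record layout, the function names, the expanded variable values and the expected-directory table are assumptions for a default Windows installation.

```python
import ntpath
import re

# Assumed default expansions for the two variables used on this page.
ENV = {"%windir%": r"C:\Windows", "%systemdrive%": "C:"}

# Assumed legitimate directories (lower-case) for the borrowed file names.
EXPECTED_DIRS = {
    "winlogon.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
}


def expand(value):
    """Expand %Windir% and %SystemDrive% case-insensitively."""
    for var, real in ENV.items():
        value = re.sub(re.escape(var), lambda _m, r=real: r, value,
                       flags=re.IGNORECASE)
    return value


def masquerading(value):
    """True when a Run value names a system binary outside its real directory.

    Simplification: the value is treated as a bare image path (no arguments).
    Quotes and stray spaces, such as the trailing space inside the quoted
    iexplore.exe values above, are stripped before comparison.
    """
    path = ntpath.normpath(expand(value.strip().strip('"').strip()))
    directory, name = ntpath.split(path.lower())
    return name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]


def flag_run_entries(entries):
    """Return (key, value name) for every suspicious (key, name, data) record."""
    return [(key, name) for key, name, data in entries if masquerading(data)]


RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample export: two values from this page, two benign ones.
SAMPLE = [
    ("HKLM\\" + RUN, "Internet Explorer", r'"%Windir%\winlogon.exe"'),
    ("HKCU\\" + RUN, "SERVER", r'"%SystemDrive%\ProgramData\iexplore.exe "'),
    ("HKLM\\" + RUN, "Browser", r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ("HKCU\\" + RUN, "ExampleApp", r"C:\Program Files\Example\app.exe"),
]

if __name__ == "__main__":
    for key, name in flag_run_entries(SAMPLE):
        print("suspicious Run value:", key, name)
```
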

Last update 14 March 2015

 
