TrojanDropper:O97M/Farheyt.A
First posted on 06 November 2015.
Source: Microsoft
Aliases:
There are no other names known for TrojanDropper:O97M/Farheyt.A.
Explanation:
Threat behavior
Installation
This threat is a malicious macro that can arrive on your PC as a rich text file (RTF) attached to a spam email. We have seen this threat using the following file names:
- %TEMP%\<3 digit number>.rtf, for example, 300.rtf
- %TEMP%\<3 digit number +1 from the first one>.rtf, for example, 301.rtf
The file asks you to enable macros on your PC, as shown in the example below:
Microsoft Office should show you a security notification to ask whether you want to enable macros when you open the attachment. If you enable macros, the threat will run.
We have also seen this threat drop variants of PWS:Win32/Fareit and TrojanDownloader:Win32/Upatre.
Payload
We have seen this threat install other malware onto your PC, including VirTool:Win32/Injector.GE.
Analysis by Vince Tiu, Patrick Estavillo, and Jireh Sanico
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
  - %TEMP%\<3 digit number>.rtf, for example, 300.rtf
  - %TEMP%\<3 digit number +1 from the first one>.rtf, for example, 301.rtf
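One way to check a machine for the file-name pattern listed above, as an added triage example that is not part of the original Microsoft write-up. The function names are hypothetical, and a match is only an indicator to follow up on, since legitimate files can have the same names.

```python
import os
import re
import tempfile
from pathlib import Path

# Exactly three digits followed by .rtf, e.g. 300.rtf (Windows names are case-insensitive).
NAME_RE = re.compile(r"^(\d{3})\.rtf$", re.IGNORECASE)


def find_numbered_rtf(directory):
    """Map each three-digit number N to the Path of N.rtf found in directory."""
    numbered = {}
    for entry in Path(directory).iterdir():
        match = NAME_RE.match(entry.name)
        if match and entry.is_file():
            numbered[int(match.group(1))] = entry
    return numbered


def find_consecutive_rtf_pairs(directory):
    """Return (N.rtf, N+1.rtf) Path pairs, the pattern described in the symptoms list."""
    numbered = find_numbered_rtf(directory)
    return [(numbered[n], numbered[n + 1])
            for n in sorted(numbered) if n + 1 in numbered]


def default_temp_dir():
    """%TEMP% on Windows; the platform temp directory if the variable is unset."""
    return os.environ.get("TEMP") or tempfile.gettempdir()


if __name__ == "__main__":
    target = default_temp_dir()
    pairs = find_consecutive_rtf_pairs(target)
    for first, second in pairs:
        print(f"possible Farheyt.A file pair: {first} and {second}")
    if not pairs:
        print(f"no consecutive <3 digit number>.rtf pairs in {target}")
```

Files that match should be confirmed with an antimalware scan rather than judged by name alone.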
Last update 06 November 2015