Home / malware Infostealer.Rodagose
First posted on 09 December 2014.
Source: SymantecAliases :
There are no other names known for Infostealer.Rodagose.
Explanation :
Once executed, the Trojan creates the following files:
%Windir%\ctfmonm.dll%Windir%\roodgoose
It then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dispraisers" = "regsvr32 "C:\WINDOWS\ctfmonm.dll" /s"
The Trojan also creates the following event on the compromised computer:
Global\4nZJFQQ
The Trojan then steals files from the compromised computer and sends them to the following account hosted with a legitimate cloud storage service provider:
http://webdav.cloudme.com/[ACCOUNT NAME]/CloudDrive
Note: Where [ACCOUNT NAME] is the user name the attacker used to set up the account. Examples of account names used include the following:
browner8674935daw0996Last update 09 December 2014