W32.Difobot


First posted on 13 October 2015.
Source: Symantec

Aliases :

There are no other names known for W32.Difobot.

Explanation :

When the worm is executed, it copies itself to the following locations:
%UserProfile%\Application Data\svchost.exe
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\WordPad.exe
Note: The worm also copies itself to the user-chosen Dropbox sync folder, which it locates by reading the Dropbox host.db file.


The worm creates the following files:
%UserProfile%\Application Data\ky.config
%UserProfile%\Application Data\logger.p
%UserProfile%\Application Data\Elog.log
%UserProfile%\Application Data\Flog.log
%UserProfile%\Application Data\grabbed.log

The worm creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UACDisableNotify" = "0"
Note: EnableLUA = 0 turns User Account Control off for the whole machine; the change takes effect at the next logon or reboot.
The worm connects to the following command-and-control server to upload stolen logs and receive commands: freexbl.co
The worm may then perform the following actions:
Update itself
Enable and disable User Account Control (UAC)
Check the OS version
Detect the presence of virtual machines (VMs) and sandboxes
Detect installed security software such as antivirus
Capture screenshots
Steal Bitcoin wallets
Log keystrokes

The worm may attempt to spread using one of the following methods:
Spread through connected USB devices
Spread through Dropbox
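The following host triage script is an added example, not part of the Symantec writeup. It checks a Windows host for the indicators listed above: the dropped files, the two UAC registry values, copies of the worm in the Dropbox folder (located the same way the worm does, via host.db), and the C2 domain in the DNS cache. The host.db layout used here (second line holds the base64-encoded sync folder path, as in older Dropbox clients) and the removable-media check (the writeup does not say which filenames the worm uses on USB drives, so the script only lists root-level executables for review) are assumptions.

```powershell
# Added example: W32.Difobot indicator check. Run in an elevated PowerShell on the suspect host.
# File paths and registry values are taken from the writeup above; the host.db format and the
# removable-media heuristic are assumptions and are marked as such below.

$findings = New-Object System.Collections.Generic.List[string]

# %UserProfile%\Application Data (XP) / %AppData% (Vista and later) and the All Users Startup folder
$appData          = [Environment]::GetFolderPath('ApplicationData')
$allUsersStartup  = [Environment]::GetFolderPath('CommonStartup')

# 1. Copies of the worm and the log/config files it writes
$droppedFiles = @(
    (Join-Path $appData 'svchost.exe'),
    (Join-Path $allUsersStartup 'WordPad.exe'),
    (Join-Path $appData 'ky.config'),
    (Join-Path $appData 'logger.p'),
    (Join-Path $appData 'Elog.log'),
    (Join-Path $appData 'Flog.log'),
    (Join-Path $appData 'grabbed.log')
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings.Add("file present: $f (SHA256 $hash)")
    }
}

# 2. UAC tampering. EnableLUA = 0 disables UAC machine-wide (effective after the next logon/reboot).
$uacValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';        Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'UACDisableNotify'; Bad = 0 }
)
foreach ($v in $uacValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and [int]$item.($v.Name) -eq $v.Bad) {
        $findings.Add("registry: $($v.Path)\$($v.Name) = $($v.Bad)")
    }
}

# 3. Dropbox propagation: resolve the sync folder from host.db the way the worm does.
#    ASSUMPTION: older Dropbox clients store the base64-encoded folder path on line 2 of host.db.
$hostDb = Join-Path $appData 'Dropbox\host.db'
if (Test-Path -LiteralPath $hostDb) {
    $lines = @(Get-Content -LiteralPath $hostDb)
    if ($lines.Count -ge 2) {
        try {
            $dropboxDir = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($lines[1]))
            foreach ($name in 'svchost.exe', 'WordPad.exe') {
                $candidate = Join-Path $dropboxDir $name
                if (Test-Path -LiteralPath $candidate) { $findings.Add("Dropbox copy: $candidate") }
            }
        } catch {
            $findings.Add("host.db present but line 2 is not base64, inspect manually: $hostDb")
        }
    }
}

# 4. Removable media: the writeup gives no filenames for the USB copies, so this is a heuristic
#    (ASSUMPTION): list every executable in the root of each removable drive for analyst review.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    Get-ChildItem -LiteralPath $root -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("executable on removable media (review): $($_.FullName)") }
}

# 5. C2 contact: the resolver cache keeps recently resolved names until they expire.
$dnsCache = & ipconfig /displaydns 2>$null
if ($dnsCache -match 'freexbl\.co') { $findings.Add('DNS cache contains freexbl.co') }

if ($findings.Count -eq 0) { 'No W32.Difobot indicators found.' } else { $findings }
```

A hit on the file checks is the strongest signal; the UAC values alone can also be set by administrators, so treat them as corroborating rather than conclusive, and hash any recovered copy of svchost.exe or WordPad.exe before deleting it so the sample can be compared against other hosts.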

Last update 13 October 2015
