Trojan.Blueso
First posted on 16 August 2014.
Source: Symantec
Aliases :
There are no other names known for Trojan.Blueso.
Explanation :
The Trojan arrives on the computer as a self-extracting archive file.
When the Trojan is executed, it creates the following files:
%UserProfile%\[RANDOM LETTERS AND NUMBERS]/[RANDOM LETTERS].exe
%UserProfile%\[RANDOM LETTERS AND NUMBERS]/[RANDOM LETTERS FILE NAME ONE].[THREE RANDOM LETTERS]
%UserProfile%\[RANDOM LETTERS AND NUMBERS]/[RANDOM LETTERS FILE NAME TWO].[THREE RANDOM LETTERS]
%UserProfile%\[RANDOM LETTERS AND NUMBERS]/[RANDOM LETTERS FILE NAME THREE].[THREE RANDOM LETTERS]
%UserProfile%\[RANDOM LETTERS AND NUMBERS]/[RANDOM LETTERS FILE NAME FOUR].[THREE RANDOM LETTERS]
%UserProfile%\[RANDOM LETTERS AND NUMBERS]/[RANDOM LETTERS FILE NAME FIVE].[THREE RANDOM LETTERS]
Next, the Trojan creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"[RANDOM LETTERS AND NUMBERS]" = "%UserProfile%\[RANDOM LETTERS AND NUMBERS]/[RANDOM LETTERS FILE NAME FIVE].[THREE RANDOM LETTERS]"
The Trojan then executes %UserProfile%\[RANDOM LETTERS AND NUMBERS]/[RANDOM LETTERS].exe to run a malicious AutoIt script. This script injects the following threat into Internet Explorer:
W32.Spyrat
Last update 16 August 2014
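The RunOnce entry described above has a recognisable shape: its data points one folder below %UserProfile% at a letters-only file name with a three-letter extension. The following triage filter is an added example, not Symantec's detection logic; the function names, the folder exclusion list and the sample entries are assumptions constructed for illustration, and the (name, data) pairs are expected to come from an export of the HKEY_CURRENT_USER RunOnce key.

```python
import ntpath
import re

# Shape reported above: %UserProfile%\<letters+digits>/<letters>.<3 letters>
DIR_RE = re.compile(r"[A-Za-z0-9]+")
FILE_RE = re.compile(r"[A-Za-z]+\.[A-Za-z]{3}")
# Assumption: standard profile folders are not the dropped folder.
KNOWN_DIRS = {"desktop", "documents", "downloads", "pictures", "music", "videos"}


def matches_reported_layout(data, user_profile):
    """True if RunOnce data points at <profile>\\<alnum dir>\\<letters>.<ext3>."""
    raw = data.strip().strip('"')
    # Expand %UserProfile% ourselves; a lambda keeps backslashes literal.
    raw = re.sub("%userprofile%", lambda m: user_profile, raw, flags=re.I)
    # normpath turns the forward slash shown in the write-up into a backslash.
    path = ntpath.normpath(raw)
    root = ntpath.normpath(user_profile) + "\\"
    if not path.lower().startswith(root.lower()):
        return False
    parts = path[len(root):].split("\\")
    if len(parts) != 2 or parts[0].lower() in KNOWN_DIRS:
        return False
    return bool(DIR_RE.fullmatch(parts[0]) and FILE_RE.fullmatch(parts[1]))


def triage_runonce(entries, user_profile):
    """Return the (name, data) pairs worth a closer look."""
    return [(n, d) for n, d in entries if matches_reported_layout(d, user_profile)]


# Constructed sample data (not taken from a real infection).
PROFILE = r"C:\Users\alice"
SAMPLE = [
    ("k3x9qz7", r"C:\Users\alice\k3x9qz7/hbwqmd.vtr"),
    ("a81bc", r"%UserProfile%\a81bc\qwzr.dkp"),
    ("Updater", r'"C:\Program Files\Vendor\update.exe" /silent'),
    ("Backup", r"C:\Users\alice\Documents\sync.cmd"),
    ("Deep", r"C:\Users\alice\AppData\Local\tool\run.exe"),
]

if __name__ == "__main__":
    for name, data in triage_runonce(SAMPLE, PROFILE):
        print(f"review RunOnce value {name!r}: {data}")
```

A match is only a lead for review: legitimate software can also register a RunOnce target in a folder directly under the profile, so confirm by inspecting the folder's contents.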