The Trojan copies itself to a location of the form "%FOLDER_1%\%FOLDER_2%\%TROJAN_NAME%", where
%FOLDER_1% is one of the following: Windows, Program Files, My Documents
%FOLDER_2% is one of the following: Oracle, Symantec, Adobe, Microsoft, Microsoft.NET, Drivers, WinSxS, Tasks, system32, system, symbols, security, Fonts, assembly, AppPatch
The Trojan replaces one character of the chosen folder name with a look-alike non-ASCII character, so the folder appears legitimate but is distinct from the real one.
%TROJAN_NAME% is chosen at random from the following list:
regsvr32, regedit, tracert, nslookup, mshta, nopdb, winword, ati2evxx, spool32, msconfig, userinit, netdde, scanregw, wucrtupd, wuauboot, wuauclt, wuaclt, rundll, dexplore, iexplore, notepad, msdtc, javaw, ntvdm, wowexec, winspool, taskmgr, rundll32, msiexec, logonui, dvdplay, dllhost, chkdsk, chkntfs, attrib, winlogon, spoolsv, services, lsass, csrss, svchost, explorer
In order to execute itself at each system startup, the following registry value is created:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Otla"="\"%PATH_TO_TROJAN%\" -vt ndrv", where %PATH_TO_TROJAN% is the path to the copy created above.
Tries to download into the %TEMP% directory a file named
Open Registry Editor (Start, Run and type
Presence in the start-up registry key
HKCU\Software\Microsoft\Windows\CurrentVersion\Run of the value "Otla"
which contains "%PATH_TO_TROJAN%\%TROJAN_NAME% -vt ndrv"
Presence on the hard disk of a hidden file at the path %PATH_TO_TROJAN% contained in the registry value mentioned above
Attempt to download the file "ctxad.exe" from "http://outerinfo.net/"
Presence of a registry key HKCU\Software\Baoa with two values, "Cnae" and "Dpoo"
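The persistence entry and the symptoms above can be triaged offline from a .reg export of the Run key. The following is an added example, not part of the original write-up: it parses constructed .reg text, flags the "Otla" value and the "-vt ndrv" argument, and detects a path component that imitates one of the listed folder names with a non-ASCII look-alike character (the sample path, the Cyrillic о in "Adоbe", and the unrelated OneDrive entry are all constructed).

```python
import re

# Folder names the write-up says the Trojan imitates with a look-alike character.
FOLDERS = ["Oracle", "Symantec", "Adobe", "Microsoft", "Microsoft.NET", "Drivers",
           "WinSxS", "Tasks", "system32", "system", "symbols", "security", "Fonts",
           "assembly", "AppPatch"]

# Constructed .reg export: one benign entry and one "Otla" entry whose "Adobe"
# folder carries a Cyrillic о (U+043E) in place of the Latin o.
SAMPLE_REG = (
    r'[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]' "\n"
    r'"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"' "\n"
    r'"Otla"="\"C:\\Program Files\\Ad' "\u043e" r'be\\svchost.exe\" -vt ndrv"' "\n"
)

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "name"="data" lines of a .reg file

def unescape(s):
    # .reg files write a backslash as \\ and a quote as \"
    return re.sub(r'\\(.)', r'\1', s)

def homoglyph_of(component):
    """Return the legitimate folder name `component` imitates, or None if it is plain ASCII."""
    if component.isascii():
        return None
    for name in FOLDERS:
        # Same length, and every ASCII position matches; the non-ASCII ones are the swaps.
        if len(name) == len(component) and all(
                c.lower() == n.lower() for c, n in zip(component, name) if c.isascii()):
            return name
    return None

def scan_run_key(reg_text):
    """Return [(value_name, [reasons])] for Run entries matching the write-up's indicators."""
    findings = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        value_name, data = m.group(1), unescape(m.group(2))
        reasons = []
        if value_name == "Otla":
            reasons.append('value name "Otla"')
        if data.rstrip().endswith("-vt ndrv"):
            reasons.append('argument "-vt ndrv"')
        # Take the quoted executable path and inspect each folder component.
        path = data.split('"')[1] if data.startswith('"') else data.split(" ")[0]
        for part in path.split("\\"):
            name = homoglyph_of(part)
            if name:
                reasons.append(f"folder {part!r} imitates {name!r}")
        if reasons:
            findings.append((value_name, reasons))
    return findings
```

Running `scan_run_key(SAMPLE_REG)` reports only the "Otla" entry, with all three reasons; the benign OneDrive entry produces no finding.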