Dr.Web – Trojan.Winlock.7372

Posted: November 16, 2012 in IT Security News, Vulnerability News

Malware: Trojan horse. Virus: Trojan.Winlock.7372

Added to the Dr.Web virus database: 2012-11-14

Technical information

To ensure autorun and distribution, modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Microsoft Updater' = '"<full path to the virus>"'

Malicious functions:

To bypass the firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

Terminates or attempts to terminate the following user processes:

firefox.exe
opera.exe
iexplore.exe
chrome.exe

Changes in the file system:

Creates the following files:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\getunlock[1].php
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\picture[1].php

Deletes the following files:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\getunlock[1].php

Network activity:

Connects to:

'5.###.24.156':80 (octets masked in the original entry)
'localhost':1036

TCP:

Requests HTTP GET:

5.###.24.156/adm5/getunlock.php
5.###.24.156/ad
