Dr.Web – Trojan.Winlock.7372 | MALWARELIST.net - Your Information Security Source

Dr.Web – Trojan.Winlock.7372

Posted: November 16, 2012 in IT Security News, Vulnerability News
Tags: Dr.Web, Trojan Horse, Trojan.Winlock.7372

Virus: Trojan.Winlock.7372

Added to the virus database Dr.Web: 2012-11-14
Inserted 11/14/2012

Technical information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM> \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run] ‘Microsoft Updater’ = ‘”<full path to the virus>”‘

Malicious functions:

To bypass the firewall removes or modifies the following registry keys:

[<HKLM> \ SYSTEM \ ControlSet001 \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ StandardProfile] ‘EnableFirewall’ = ‘00000000 ‘

Terminates or attempts to complete

The following user processes:

firefox.exe
opera.exe
iexplore.exe
chrome.exe

Changes in the file system:

Creates the following files:

% HOMEPATH% \ Local Settings \ Temporary Internet Files \ Content.IE5 \ U98D4X8H \ getunlock [1]. Php
% HOMEPATH% \ Local Settings \ Temporary Internet Files \ Content.IE5 \ KHMHGZ4F \ picture [1]. Php

Delete the following files:

% HOMEPATH% \ Local Settings \ Temporary Internet Files \ Content.IE5 \ U98D4X8H \ getunlock [1]. Php

Network activity:

Connects to:

‘5. # # # .24.156 ‘: 80
‘localhost’: 1036

TCP:

Requests HTTP GET:

5. # # # .24.156/adm5/getunlock.php
5. # # # .24.156/ad

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

MALWARELIST.net – Your Information Security Source

Security Solutions Deals

Follow Blog via Email

Top 5 Best Blog Posts

Categories

Find us on Facebook