Win32/Poxters [Threat Name] go to Threat

Win32/Poxters.E [Threat Variant Name]

Category trojan
Size 133726 B
Detection created Apr 02, 2014
Detection database version 10033
Aliases Trojan.Win32.Crypt.czz (Kaspersky)
  Trojan.Inject1.48097 (Dr.Web)
  Trojan:Win32/Yakad.A!gfc (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­%variable%\­%variable%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%uuid%" = "%appdata%\­%variable%\­%variable%.exe"
  • [HKEY_USERS\­.DEFAULT\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%uuid%" = "%appdata%\­%variable%\­%variable%.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%uuid%" = "%appdata%\­%variable%\­%variable%.exe"

A string with variable content is used instead of %variable%, %uuid% .


The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Resilience Software]
    • "Digit" = "%uuid%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Associations]
    • "LowRiskFileTypes" = ".exe; .bat; .reg; .vbs;"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­0]
    • "1806" = 0
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­0]
    • "1806" = 0

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects various sensitive information.


The trojan collects the following information:

  • user name
  • computer name
  • operating system version
  • list of running processes

The trojan searches memory of running processes and tries to find following information:

  • credit card information

It avoids processes which contain any of the following strings in their path:

  • svchost.exe
  • iexplore.exe
  • explorer.exe
  • System
  • smss.exe
  • csrss.exe
  • winlogon.exe
  • lsass.exe
  • spoolsv.exe
  • alg.exe
  • wuauclt.exe

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (1) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • remove itself from the infected computer
  • send gathered information

The trojan may create the following folders:

  • %internetcache%\­%variable1%\­
  • %appdata%\­%variable2%\­

The following files may be dropped:

  • %internetcache%\­%variable1%\­%variable1%.exe
  • %appdata%\­%variable2%\­%variable2%.exe
  • %temp%\­%variable3%.tmp\­ineligibility.dll
  • %appdata%\­ineligibility.mxp

A string with variable content is used instead of %variable1-3% .


The trojan may execute the following files:

  • %programfiles%\­Internet Explorer\­iexplore.exe
  • %programfilesx86%\­Internet Explorer\­iexplore.exe
  • %internetcache%\­%variable1%\­%variable1%.exe
  • %appdata%\­%variable2%\­%variable2%.exe

The trojan can create and run a new thread with its own program code within the following processes:

  • iexplore.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.