Win32/Olmasco [Threat Name]

Win32/Olmasco.R [Threat Variant Name]

Available cleaner Olmarik / Olmasco Cleaner

Category trojan
Size 974848 B
Detection created Aug 13, 2011
Signature database version 6374
Aliases Trojan.Win32.Agent.hvbj (Kaspersky)
  Trojan:Win32/Alureon.FE (Microsoft)
  DNSChanger.cq.b (McAfee)
Short description

The trojan serves as a backdoor and can be controlled remotely. It uses techniques common for rootkits, including replacing the Master Boot Record so that its code runs before the operating system.


When executed, the trojan creates the following files:

  • %temp%\MRT.exe
  • %temp%\%random%.tmp

The name MRT.exe is the same one used by the legitimate Microsoft Malicious Software Removal Tool, which normally resides in %windir%\System32, not in %temp%.

Win32/Olmasco.R replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code, so that the malicious code is executed by the BIOS before the operating system loads (bootkit behaviour).

The trojan writes its own data to raw sectors at the end of the physical drive, outside any file system, where file-based scanning does not look.
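The two on-disk traces above (a replaced MBR and data written to the end of the drive) are what an examiner looks for when confirming this family from a disk image. The following is an added example, not code from this page or from ESET: a Python checker that parses the MBR, hashes only its bootstrap code against a known-good baseline, and counts non-zero sectors in the unpartitioned tail of the drive. The disk images, the boot-code stubs, the partition layout and the function names (check_image, build_image, parse_mbr) are all this example's own constructions.

```python
"""Heuristic check for the two on-disk traces described above, run over a raw
disk image: (1) the bootstrap code in sector 0 no longer matches a known-good
baseline, and (2) non-zero sectors sit past the end of the last partition.
Every image here is constructed in this file; nothing is read from real hardware.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:
        """First LBA after the partition (exclusive end)."""
        return self.lba_start + self.sector_count


def parse_mbr(sector0: bytes) -> Tuple[bytes, List[PartitionEntry]]:
    """Split sector 0 into its bootstrap code and the non-empty partition entries."""
    if len(sector0) != SECTOR or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("sector 0 lacks the 0x55AA MBR signature")
    boot_code = sector0[:440]  # bytes 440..445 (disk signature, reserved) are not code
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_first, ptype, _chs_last, lba, count = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype != 0:  # type 0x00 marks an unused slot
            entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return boot_code, entries


def boot_code_hash(sector0: bytes) -> str:
    """SHA-256 of the bootstrap code only, so repartitioning does not change it."""
    return hashlib.sha256(parse_mbr(sector0)[0]).hexdigest()


def unpartitioned_tail(entries: List[PartitionEntry], total_sectors: int) -> Tuple[int, int]:
    """(first LBA, length in sectors) of the space after the last partition."""
    last_end = max((e.lba_end for e in entries), default=1)
    return last_end, max(0, total_sectors - last_end)


def check_image(image: bytes, baseline_hash: str) -> Dict[str, object]:
    """Run both heuristics over a raw image and return the findings."""
    total_sectors = len(image) // SECTOR
    sector0 = image[:SECTOR]
    _boot, entries = parse_mbr(sector0)
    tail_lba, tail_len = unpartitioned_tail(entries, total_sectors)
    tail = image[tail_lba * SECTOR:(tail_lba + tail_len) * SECTOR]
    # A freshly provisioned disk has an all-zero tail; stored rootkit data does not.
    nonzero = sum(1 for s in range(tail_len) if any(tail[s * SECTOR:(s + 1) * SECTOR]))
    mbr_modified = boot_code_hash(sector0) != baseline_hash
    return {
        "mbr_modified": mbr_modified,
        "tail_lba": tail_lba,
        "tail_sectors": tail_len,
        "nonzero_tail_sectors": nonzero,
        "suspicious": mbr_modified or nonzero > 0,
    }


# ---- constructed sample images (placeholder bytes, not real boot or bootkit code) ----

def _partition_entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba, count)


def build_image(boot_code: bytes, entries: List[bytes], total_sectors: int,
                tail_payload: bytes = b"") -> bytes:
    sector0 = boot_code.ljust(440, b"\0") + b"\0" * 6
    sector0 += b"".join(entries).ljust(64, b"\0") + MBR_SIGNATURE
    image = bytearray(sector0.ljust(total_sectors * SECTOR, b"\0"))
    if tail_payload:  # mimic "writes its own data to the end of the physical drive"
        image[-len(tail_payload):] = tail_payload
    return bytes(image)


CLEAN_BOOT_CODE = b"CLEAN-BOOTSTRAP-STUB"        # stands in for the vendor boot code
MODIFIED_BOOT_CODE = b"REPLACED-BOOTSTRAP-STUB"  # stands in for a replaced MBR
ONE_PARTITION = [_partition_entry(True, 0x07, 63, 4096)]  # NTFS, LBA 63..4158
TOTAL_SECTORS = 63 + 4096 + 32                            # 32 sectors of unpartitioned tail

CLEAN_IMAGE = build_image(CLEAN_BOOT_CODE, ONE_PARTITION, TOTAL_SECTORS)
INFECTED_IMAGE = build_image(MODIFIED_BOOT_CODE, ONE_PARTITION, TOTAL_SECTORS,
                             tail_payload=b"\x01" * (3 * SECTOR))
BASELINE = boot_code_hash(CLEAN_IMAGE[:SECTOR])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(name, check_image(img, BASELINE))
```

On a live Windows host the input would be sector 0 and the tail of \\.\PhysicalDrive0 read as Administrator. A rootkit that sits below the file system can hook disk I/O and return the original sectors to readers inside the infected OS, so image the disk from clean boot media (or compare with a read taken through a different path) before trusting a clean result, and keep the baseline hash from a known-good install of the same machine, since bootstrap code differs between Windows versions and OEM tools.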

The trojan may inject its own program code into any running process and execute it there in a newly created thread.

Other information

The trojan hides its presence in the system using techniques common for rootkits.

The trojan contains both 32-bit and 64-bit program components.

The trojan terminates its execution if it detects that it is running in a specific virtual environment.

The trojan disables various security-related applications.

The trojan may perform operating system restart.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of eight URLs that it contacts over HTTP.

It can execute the following operations:

  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • run executable files

The trojan may delete the following Registry entries (IpFilterDriver is the service entry for the Windows IP filter driver, ipfltdrv.sys; removing it prevents that kernel-mode packet filter from loading at the next boot):

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver]

The trojan attempts to delete the following files (mbam.sys is the kernel driver of Malwarebytes Anti-Malware; deleting it disables that product's real-time protection):

  • %system%\drivers\mbam.sys
