MSIL/Troob [Threat Name]

MSIL/Troob.AA [Threat Variant Name]

Category trojan
Size 87552 B
Detection created Jan 26, 2014
Detection database version 10033
Aliases TR/Rogue.1570406 (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\Beta\cloud.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Cloud Net - Beta" = "%appdata%\Beta\cloud.exe"
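One way a defender can check a host for the persistence artifacts listed above, as an added example that is not part of the ESET entry: it scans a constructed `.reg` export of the Run key for the value name and file path given above, and checks whether the dropped copy exists (the live-file check is only meaningful on Windows).

```python
import os
import re
import sys

# Persistence indicators for MSIL/Troob.AA, taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Cloud Net - Beta"
DROP_PATH = r"%appdata%\Beta\cloud.exe"

# Constructed sample of a .reg export of the Run key (not captured from a real host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Cloud Net - Beta"="%appdata%\\Beta\\cloud.exe"
"""

# Matches one "name"="data" value line of a .reg export.
_VALUE_LINE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def find_troob_run_entries(reg_text: str) -> list[tuple[str, str]]:
    """Return (value name, data) pairs under the Run key matching the Troob.AA indicators."""
    hits = []
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Key header: only inspect values under the HKLM Run key named above.
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = _VALUE_LINE_RE.match(line) if in_run_key else None
        if not m:
            continue
        name = m.group("name")
        data = m.group("data").replace("\\\\", "\\")  # .reg exports escape backslashes
        if name.lower() == RUN_VALUE_NAME.lower() or data.lower() == DROP_PATH.lower():
            hits.append((name, data))
    return hits


def dropped_file_present() -> bool:
    """True if the dropped copy exists on this host (expands %appdata% on Windows only)."""
    return os.path.isfile(os.path.expandvars(DROP_PATH))


if __name__ == "__main__":
    for name, data in find_troob_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious Run entry: {name!r} -> {data}")
    if sys.platform == "win32" and dropped_file_present():
        print(f"dropped file present: {DROP_PATH}")
```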

Information stealing

MSIL/Troob.AA is a trojan that steals sensitive information.


The trojan collects the following information:

  • country
  • computer IP address
  • computer name
  • user name
  • operating system version

The trojan is able to log keystrokes.


The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The TCP and HTTP protocols are used.


It can execute the following operations:

  • uninstall itself
  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • run executable files
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • create folders
  • delete folders
  • move files
  • delete files
  • send requested files
  • execute shell commands
  • capture screenshots
  • capture webcam video/voice
  • simulate user's input (clicks, taps)
  • open a specific URL address
  • send the list of running processes to a remote computer
  • terminate running processes
  • block access to specific websites
  • perform DoS/DDoS attacks

The trojan can be used to gain full access to the compromised computer.


The trojan requires the Microsoft .NET Framework to run.
