Win32/Elsentric [Threat Name] go to Threat

Win32/Elsentric.A [Threat Variant Name]

Category trojan
Size 252040 B
Detection created Jan 17, 2014
Detection database version 10448
Aliases Trojan-Dropper.Win32.Agent.jlhe (Kaspersky)
  Trojan:Win32/Sisproc (Microsoft)
  Trojan.Dropper (Symantec)
Short description

Win32/Elsentric.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. The file is run-time compressed using UPX .

Installation

When executed, the trojan creates the following files:

  • %temp%\­iexplore.bat (113955 B, Win32/Elsentric.A)
  • %temp%\­document.pdf (94481 B)
  • %templates%\­wincex.dll (36939 B, Win32/Elsentric.A)

The trojan may create the following files:

  • %templates%\­iexplore.exe (16421 B)

The trojan registers itself as a system service using the following name:

  • WmdmPMM

This causes the trojan to be executed on every system start.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Svchost]
    • "lssvcs" = "WmdmPMM"
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­WmdmPMM]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­WmdmPMM\­Parameters]
    • "ServiceMain" = "ESEntry"
    • "ServiceDll" = "%templates%\­wincex.dll"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "iexplore" = "%templates%\­iexplore.exe"

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Elsentric.A is a trojan that steals sensitive information.


The trojan collects the following information:

  • MAC address
  • computer IP address
  • list of computer users
  • list of shared folders
  • list of running processes
  • list of running services
  • information about the operating system and system settings
  • CPU information
  • memory status

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (4) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • send open TCP and UDP port numbers to a remote computer
  • run executable files
  • send gathered information

The trojan keeps various information in the following files:

  • %temp%\­000ELISEA310.TMP
  • %templates%\­1A0E621SV.CAB

Please enable Javascript to ensure correct displaying of this content and refresh this page.