Win32/Exploradoor [Threat Name]

Win32/Exploradoor.A [Threat Variant Name]

Category: worm
Size: 90112 B
Detection created: Nov 07, 2012
Detection database version: 7670
Aliases:
  • Trojan.Win32.Scar.dgtv (Kaspersky)
  • Backdoor:Win32/VB.MX (Microsoft)
  • W32.Harakit (Symantec)

Short description

Win32/Exploradoor.A is a worm that spreads via removable media.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\%variable%.exe

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "Explorer.exe %variable%.exe"

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • ccc.exe

The following file is dropped in the same folder:

  • Autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.
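
A triage check for the two artifacts described above (the Winlogon "Shell" value and the Autorun.inf on removable media), as an added example that is not part of the original description. The sample values are constructed: abcd.exe stands in for %variable%.exe, and the Autorun.inf contents are assumed, since the description does not list them.

```python
import re

# Keys in an [autorun] section that make Windows launch a program.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def extra_shell_entries(shell_value):
    """Return every entry in a Winlogon Shell value other than the default explorer.exe."""
    # Split on commas and whitespace; the value shown above uses a space.
    parts = [p.strip('"') for p in re.split(r"[,\s]+", shell_value) if p]
    return [p for p in parts if p.lower() != "explorer.exe"]

def autorun_targets(inf_text):
    """Return the programs named by launch keys in the [autorun] section."""
    targets, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments and padding
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if LAUNCH_KEYS.match(key) and value:
                targets.append(value)
    return targets

def triage(shell_value, root_files, inf_text):
    """Combine both checks into a list of (finding, name) tuples."""
    findings = [("winlogon-shell-extra", e) for e in extra_shell_entries(shell_value)]
    present = {name.lower() for name in root_files}
    launched = {t.split()[0].strip('"').lstrip(".\\").lower()
                for t in autorun_targets(inf_text)}
    # An Autorun.inf that launches an executable sitting in the drive root
    # matches the removable-media behaviour described above.
    findings += [("autorun-launches-root-file", n) for n in sorted(launched & present)]
    return findings

# Constructed sample data (assumptions, not taken from a real infection):
SAMPLE_SHELL = "Explorer.exe abcd.exe"   # abcd.exe stands in for %variable%.exe
SAMPLE_ROOT = ["Autorun.inf", "ccc.exe", "photos"]
SAMPLE_INF = "[AutoRun]\n; padding\nopen=ccc.exe\nshell\\open\\command=ccc.exe\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_SHELL, SAMPLE_ROOT, SAMPLE_INF):
        print(finding)
```
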

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a URL address.


It tries to connect to a remote machine on port:

  • 674  (TCP)

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots
  • send files to a remote computer
  • open a specific URL address
  • send the list of running processes to a remote computer
  • send the list of files on specific drive to a remote computer
  • terminate running processes
  • move files
  • delete folders
  • delete files

The worm affects the behavior of the following applications:

  • Administrador de tareas de Windows
