Win32/Fatoos [Threat Name]

Win32/Fatoos.A [Threat Variant Name]

Category trojan
Size 14848 B
Detection created Dec 02, 2004
Detection database version 1937
Aliases Trojan.Win32.Fatoos.a (Kaspersky)
  Trojan:Win32/Startpage.gen!A (Microsoft)
  Downloader (Symantec)

Short description

Win32/Fatoos.A is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\svcsys.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "MSSVC" = "%system%\svcsys.exe 8192"

The trojan changes the home page of the following web browsers:

  • Microsoft Internet Explorer

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Start Page" = "http://i-search.us/"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\FastWebTools]
  • [HKEY_CURRENT_USER\Software\FastWebTools\Commands]
  • [HKEY_CURRENT_USER\Software\FastWebTools\ETrans]
  • [HKEY_CURRENT_USER\Software\FastWebTools\Squad]
    • "PU" = "PU"
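
The Registry indicators listed above can be checked offline against a text export of a user's hive (`reg export HKCU <file>`, read as UTF-16). The following Python is an added example, not part of the original description; the sample export is constructed, and because `%system%` stands for the Windows system folder, the Run value is matched by its `\svcsys.exe 8192` suffix (an assumption of this example).

```python
import re

# Indicators taken from the description above (HKCU-relative key paths, lower-cased).
RUN_KEY = r"software\microsoft\windows\currentversion\run"
IE_MAIN = r"software\microsoft\internet explorer\main"
FWT_ROOT = r"software\fastwebtools"

# Constructed sample in `reg export` text format; not taken from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSSVC"="C:\\WINDOWS\\system32\\svcsys.exe 8192"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://i-search.us/"

[HKEY_CURRENT_USER\Software\FastWebTools\Squad]
"PU"="PU"
'''

def parse_reg_export(text):
    """Return {HKCU-relative lower-cased key: {lower-cased value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = re.fullmatch(r"\[HKEY_CURRENT_USER\\(.+)\]", line, re.I)
            current = keys.setdefault(m.group(1).lower(), {}) if m else None  # skip other hives
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())  # undo \\ and \"
            current[name.lower()] = data
    return keys

def find_fatoos_indicators(text):
    """Return a description of each Registry indicator from this page found in the export."""
    keys, hits = parse_reg_export(text), []
    run = keys.get(RUN_KEY, {}).get("mssvc", "")
    if run.lower().endswith("\\svcsys.exe 8192"):
        hits.append("Run value MSSVC = " + run)
    home = keys.get(IE_MAIN, {}).get("start page", "")
    if home.lower().rstrip("/") == "http://i-search.us":
        hits.append("IE Start Page = " + home)
    for key in sorted(keys):
        if key == FWT_ROOT or key.startswith(FWT_ROOT + "\\"):
            hits.append("Key present: HKCU\\" + key)
    return hits
```
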

Other information

The trojan contains a URL. It tries to download a file from that address.

The file is stored in the following location:

  • C:\msdvx.exe

The file is then executed. The HTTP protocol is used.


The trojan may delete the following files:

  • C:\msdvx.exe
  • C:\istart.exe
  • C:\x.exe
  • C:\y.exe
