Win32/Flashbot [Threat Name]

Win32/Flashbot.A [Threat Variant Name]

Category: worm
Size: 124416 B
Detection created: May 29, 2012
Detection database version: 7178
Aliases: Trojan:Win32/Malagent (Microsoft), Variant.Strictor.2025 (BitDefender)

Short description

Win32/Flashbot.A is a worm that spreads via removable media.

Installation

When executed, the worm copies itself into the following location:

  • %appdata%\%variable%.exe

A string with variable content is used instead of %variable%.


The worm schedules a task that causes the following file to be executed repeatedly:

  • %appdata%\%variable%.exe

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "FlashDrv" = "%appdata%\%variable%.exe"

This causes the worm to be executed on every system start.

Spreading on removable media

The worm searches for files and folders in the root folders of removable drives.


The worm copies itself into the root folders of removable drives using a filename based on the name of an existing file or folder.

The extension of the file is ".exe".


When an infected file is executed, the original file is also run.
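
A triage check for the naming pattern described above, added here as an example (it is not vendor code): it lists .exe files in a drive root whose name mirrors a sibling file or folder. The function name and the exact matching rule (<sibling name>.exe or <sibling stem>.exe) are assumptions, since the page only says the filename is "based on" an existing name.

```python
from pathlib import Path
import sys


def lookalike_executables(drive_root):
    """Return (exe_name, imitated_name) pairs found directly in drive_root.

    Assumption (not stated on the page): "based on the name" means the copy
    is called <sibling name>.exe or <sibling stem>.exe. Names are compared
    case-insensitively, as Windows file systems do.
    """
    entries = list(Path(drive_root).iterdir())
    exes = [e for e in entries if e.is_file() and e.suffix.lower() == ".exe"]
    hits = []
    for exe in exes:
        stem = exe.stem.lower()  # "Photos.exe" -> "photos"
        for other in entries:
            if other == exe:
                continue
            # A folder is matched on its full name; a file on its full name
            # ("report.docx.exe") or on its stem ("report.exe").
            candidates = {other.name.lower()}
            if other.is_file():
                candidates.add(other.stem.lower())
            if stem in candidates:
                hits.append((exe.name, other.name))
                break
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python check_root.py E:\   (path of the mounted removable drive)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for exe_name, imitated in lookalike_executables(root):
        print(f"review: {exe_name} mirrors {imitated}")
```

Hits are candidates for review, not verdicts: a legitimate setup.exe next to setup.ini matches the same rule.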

Other information

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\syscheck]
    • "Checked" = 1

The worm contains a list of 2 URLs.


It tries to download several files from the addresses.


The files are then executed. The HTTP protocol is used.
