Win32/Olmarik [Threat Name]
Win32/Olmarik.AGF [Threat Variant Name]
Available cleaner: Olmarik / Olmasco Cleaner

| Detection created | Oct 25, 2010 |
| Signature database version | 5562 |
The trojan serves as a backdoor. It can be controlled remotely. It uses techniques common for rootkits.
When executed, the trojan copies itself into the following location:
A string with variable content is used instead of %variable%.
The trojan creates and runs a new thread with its own program code within the following processes:
Win32/Olmarik.AGF replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.
After the installation is complete, the trojan deletes the original executable file.
The trojan collects the following information:
- keywords entered into search engines
- operating system version
The trojan can send the information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 12 URLs.
The HTTP and HTTPS protocols are used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
The trojan can delete cookies.
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
  - "svchost.exe" = 8888
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  - "MaxHttpRedirects" = 8888
  - "EnableHttp1_1" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
  - "CurrentLevel" = 0
  - "1601" = 0
  - "1400" = 0
The trojan may restart the operating system.
The trojan can write its own data to the end of the physical drive.