Win32/Olmarik [Threat Name] go to Threat

Win32/Olmarik.AGF [Threat Variant Name]

Available cleaner [Download Olmarik / Olmasco Cleaner ]

Category trojan
Size 129024 B
Detection created Oct 25, 2010
Signature database version 5562
Aliases Trojan:Win32/Alureon.DX (Microsoft)
  Generic.Dropper.va.gen.b (McAfee)
  Win32:Alureon-KA (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely. It uses techniques common for rootkits.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\­%variable%.tmp

A string with variable content is used instead of %variable% .


The trojan creates and runs a new thread with its own program code within the following processes:

  • spoolsv.exe

Win32/Olmarik.AGF replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • keywords entered into search engines
  • operating system version

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (12) URLs.


The HTTP, HTTPS protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The trojan can delete cookies.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main\­FeatureControl\­FEATURE_BROWSER_EMULATION]
    • "svchost.exe" = 8888
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings]
    • "MaxHttpRedirects" = 8888
    • "EnableHttp1_1" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones]
    • "CurrentLevel" = 0
    • "1601" = 0
    • "1400" = 0

The trojan may perform operating system restart.


The trojan can write its own data to the end of the physical drive.

Please enable Javascript to ensure correct displaying of this content and refresh this page.