Win32/Olmarik [Threat Name]

Win32/Olmarik.XG [Threat Variant Name]

Available cleaner: Olmarik / Olmasco Cleaner

Category: trojan
Size: 89600 B
Detection created: Apr 12, 2010
Signature database version: 5020
Aliases: Trojan.Win32.Tdss.bage (Kaspersky), Trojan:Win32/Alureon.CT (Microsoft), DNSChanger.bf (McAfee)
Short description

The trojan contains a backdoor. It can be controlled remotely. It uses techniques common to rootkits.

Installation

When executed, the trojan creates the following files:

  • %temp%\%random1%.tmp (31232 B)
  • %temp%\%random2%.tmp (89600 B)

A string with variable content is used instead of %random1-2%.

The following files are modified:

  • %system%\drivers\*.sys

It avoids files with the following filenames:

  • fvevol.sys
  • ksecdd.sys
  • win32k.sys
  • pci.sys

The modified file contains the original program code along with the program code of the infiltration.

The size of the inserted code is 396 B.

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%random3%]
    • "ImagePath" = "%temp%\%random1%.tmp"
    • "Type" = 1

A string with variable content is used instead of %random3%.

The trojan may create and run a new thread with its own program code within any running process.

Information stealing

The trojan collects the following information:

  • a list of recently visited URLs
  • operating system version

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 18 URLs. The HTTP and HTTPS protocols are used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
    • "svchost.exe" = 8000
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "MaxHttpRedirects" = 8000
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "EnableHttp1_1" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "CurrentLevel" = 0
    • "1601" = 0
    • "1400" = 0

The trojan can write its own data to the end of the physical drive.
