Win32/Otlard

Win32/Otlard.A

Category trojan
Size 19420 B
Detection created Jul 03, 2009
Detection database version 4212
Aliases Backdoor.Win32.IEbooot.brr (Kaspersky)
  TrojanDropper:Win32/Otlard.A (Microsoft)
  W32/Backdoor2.ETQO (F-Secure)
Short description

Win32/Otlard.A installs a backdoor that can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The following file is dropped into the %system%\drivers\ folder:

  • %variable%.sys (17376 B)

Installs the following system drivers (path, name):

  • %system%\drivers\%variable%.sys, %variable%

A string with variable content is used instead of %variable%.


After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan serves as a backdoor. It can be controlled remotely.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 6 URLs. It tries to download several files from these addresses over HTTP.


The downloaded files are then executed.


The trojan creates and runs a new thread with its own program code within the following processes:

  • %system%\svchost.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM]
    • "Randseed_1" = %hex_value%
    • "Randseed_2" = %hex_value%

A string with variable content is used instead of %hex_value%.
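As an added host check (not part of ESET's description), the following PowerShell script looks for the two indicators this entry gives that do not depend on the variable name: the "Randseed_1"/"Randseed_2" values directly under HKLM\SYSTEM, and a kernel-driver service whose image sits in %system%\drivers\ and is exactly 17376 bytes. It only reports; the 17376-byte size and the value names come from this page, everything else is a generic service enumeration.

```powershell
# Added hunting check for the Win32/Otlard.A install pattern described above.
# Read-only: it reports candidate indicators and changes nothing.

$hits = @()

# 1. Registry: the page lists "Randseed_1"/"Randseed_2" directly under HKLM\SYSTEM.
$sysKey = Get-Item -Path 'HKLM:\SYSTEM'
foreach ($name in 'Randseed_1', 'Randseed_2') {
    $val = $sysKey.GetValue($name)
    if ($null -ne $val) {
        $hits += "Registry value HKLM\SYSTEM\$name present (value: $val)"
    }
}

# 2. Kernel-driver services (Type 1 = SERVICE_KERNEL_DRIVER) whose image lives in
#    %system%\drivers\ and has the 17376-byte size given on the page.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p.Type -ne 1 -or -not $p.ImagePath) { return }

    # Normalise the ImagePath forms seen in the registry:
    # "\??\C:\...", "\SystemRoot\System32\drivers\x.sys", "system32\drivers\x.sys"
    $image = $p.ImagePath -replace '^\\\?\?\\', ''
    $image = $image -replace '^\\SystemRoot', $env:SystemRoot
    $image = [System.Environment]::ExpandEnvironmentVariables($image)
    if (-not [System.IO.Path]::IsPathRooted($image)) {
        $image = Join-Path $env:SystemRoot $image
    }
    if ($image -notlike "$driverDir\*") { return }

    $file = Get-Item -LiteralPath $image -ErrorAction SilentlyContinue
    if ($file -and $file.Length -eq 17376) {
        $hits += "Driver service '$($_.PSChildName)' -> $image is 17376 bytes (matches page)"
    }
}

if ($hits) { $hits | ForEach-Object { Write-Output "HIT: $_" } }
else       { Write-Output 'No Win32/Otlard.A indicators from this entry were found.' }
```

A size match alone is a weak signal; confirm any hit with a scan of the reported .sys file and the Randseed values before acting on it.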

