Win32/Scieron [Threat Name]

Win32/Scieron.U [Threat Variant Name]

Category: trojan
Size: 233984 B
Detection created: Oct 02, 2014
Detection database version: 10497
Aliases: Luhe.Fiha.A (AVG)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan creates one of the following files:

  • %appdata%\mshttps.dll (12288 B, Win32/Scieron.U)
  • %system%\mshttps.dll (12288 B, Win32/Scieron.U)
  • %temp%\mshttps.dll (12288 B, Win32/Scieron.U)

The trojan creates the following files:

  • %appdata%\Microsoft\IME\winword.exe (22528 B, Win32/Scieron.U)
  • %appdata%\Microsoft\IME\Правила дорожного движения Российской Федерации 2014.docx

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "https" = "rundll32.exe %temp%\mshttps.dll,LoadPicture"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8969153-2214-4d23-B02B-FC8B490F8F55}]
    • "(Default)" = "Microsoft Http Security"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8969153-2214-4d23-B02B-FC8B490F8F55}\InprocServer32]
    • "(Default)" = "%system%\mshttps.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8969153-2214-4d23-B02B-FC8B490F8F55}]

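
A host triage check for the persistence artifacts listed above (the Run value, the CLSID and Browser Helper Object registration, and the dropped files), added here as an example and not part of the original description. It assumes an elevated PowerShell session on the host under examination, and it only reports matches for analyst review; it does not delete or change anything.

```powershell
# Added triage check for the Win32/Scieron.U artifacts described above.
# A hit is an indicator for further investigation, not a verdict on its own.
$Clsid = '{B8969153-2214-4d23-B02B-FC8B490F8F55}'
$Findings = @()

# 1. Run-key value "https" that starts mshttps.dll through rundll32 via its LoadPicture export.
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = (Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue).https
if ($RunValue -and $RunValue -match 'rundll32.*mshttps\.dll,LoadPicture') {
    $Findings += "Run key value 'https' = $RunValue"
}

# 2. COM class registered under the CLSID from the description, and its in-process server DLL.
$ClsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
if (Test-Path $ClsidKey) {
    $Name   = (Get-ItemProperty -Path $ClsidKey -ErrorAction SilentlyContinue).'(default)'
    $Server = (Get-ItemProperty -Path "$ClsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $Findings += "CLSID $Clsid registered (name='$Name', InprocServer32='$Server')"
}

# 3. Browser Helper Object entry that loads the same CLSID into Internet Explorer/Explorer.
$BhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
if (Test-Path $BhoKey) { $Findings += "BHO registration present for $Clsid" }

# 4. Dropped files at the locations listed above. A winword.exe under %appdata%\Microsoft\IME
#    is suspicious by location alone; the real Word binary lives under Program Files.
$Paths = @(
    "$env:APPDATA\mshttps.dll",
    "$env:SystemRoot\System32\mshttps.dll",
    "$env:TEMP\mshttps.dll",
    "$env:APPDATA\Microsoft\IME\winword.exe"
)
foreach ($P in $Paths) {
    if (Test-Path -LiteralPath $P) {
        $Len = (Get-Item -LiteralPath $P).Length
        $Findings += "File present: $P ($Len B; description lists 12288 B for the DLL, 22528 B for the EXE)"
    }
}

if ($Findings.Count -eq 0) { 'No Win32/Scieron.U persistence artifacts found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Run it in a session that can read HKLM and the user's %APPDATA% and %TEMP%; the %temp% Run value and the %system% InprocServer32 path are checked separately because the description lists both drop locations.
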
Information stealing

Win32/Scieron.U is a trojan that steals sensitive information.

The trojan collects the following information:

  • computer name
  • computer IP address
  • operating system version
  • list of disk devices and their type

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan opens the following files:

  • %appdata%\­Microsoft\­IME\­Правила дорожного движения Российской Федерации 2014.docx

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

The network communication with remote computer/server is encrypted.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • send files to a remote computer
  • delete files
  • move files
  • uninstall itself
  • send gathered information
