Win64/Fleercivet [Threat Name]

Win64/Fleercivet.AE [Threat Variant Name]

Category: trojan
Size: 105472 B
Detection created: Mar 10, 2016
Detection database version: 13156
Aliases: Trojan.Win32.Scar.oape (Kaspersky)
         Trojan:Win32/Dorv.D!rfn (Microsoft)
Short description

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\BrowserMe\ChromeUpdate.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "BrowserMe" = "%appdata%\BrowserMe\ChromeUpdate.exe"

The trojan launches the following processes:

  • %windir%\system32\svchost.exe -k netsvcs
  • %windir%\SysWOW64\svchost.exe -k netsvcs
  • %programfiles%\Internet Explorer\iexplore.exe
  • %programfiles%\Google\Chrome\Application\chrome.exe

The trojan creates and runs a new thread with its own code within these running processes.

The trojan creates the following files:

  • %appdata%\u00BD\u009E\u0092\u0093\u00D3\u0099\u009C\u0089 (480 B)
  • %commonappdata%\@system3.att (656 B)

The trojan may create the following files:

  • %localappdata%\Google\Chrome\local.dat
  • %localappdata%\Google\Chrome\clocal.dat
  • %localappdata%\Google\Chrome\Plug\background.html (68 B)
  • %localappdata%\Google\Chrome\Plug\background.js (204 B)
  • %localappdata%\Google\Chrome\Plug\contentscript.js (23580 B)
  • %localappdata%\Google\Chrome\Plug\fix.css (207 B)
  • %localappdata%\Google\Chrome\Plug\icon-128.png (18489 B)
  • %localappdata%\Google\Chrome\Plug\manifest.json (478 B)

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "DisableFirstRunCustomize" = 1
    • "Play_Background_Sounds" = "no"

The trojan terminates its execution if it detects that it's running in a specific virtual environment.
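A read-only host check for the persistence and file artifacts listed above, added here as an example; it is not part of the ESET entry. It assumes %commonappdata% maps to $env:ProgramData, %localappdata% to $env:LOCALAPPDATA, and that the names are exactly as listed; it reports findings and does not remove anything.

```powershell
# Added example: looks for the Win64/Fleercivet.AE artifacts named in the entry.
# Assumptions: %commonappdata% = $env:ProgramData, %localappdata% = $env:LOCALAPPDATA.
# Run as the user whose profile is being checked (HKCU is per user).

$runKey         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName      = 'BrowserMe'
$expectedTarget = Join-Path $env:APPDATA 'BrowserMe\ChromeUpdate.exe'
$findings       = @()

# 1. Run-key persistence: value "BrowserMe" pointing at %appdata%\BrowserMe\ChromeUpdate.exe
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
    $findings += [pscustomobject]@{ Type = 'Registry'; Item = "$runKey\$valueName"; Detail = $run.$valueName }
}

# 2. Dropped files named in the entry. The sizes in the entry are a hint, not proof, so only presence is checked.
$paths = @(
    $expectedTarget,
    (Join-Path $env:ProgramData   '@system3.att'),
    (Join-Path $env:ProgramData   '@000001.dat'),
    (Join-Path $env:LOCALAPPDATA  'Google\Chrome\local.dat'),
    (Join-Path $env:LOCALAPPDATA  'Google\Chrome\clocal.dat'),
    (Join-Path $env:LOCALAPPDATA  'Google\Chrome\Plug\manifest.json')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p
        $findings += [pscustomobject]@{ Type = 'File'; Item = $p; Detail = "$($f.Length) B, last written $($f.LastWriteTime)" }
    }
}

# 3. IE settings the entry says the trojan may change. Weak signal on its own: admins set these too.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and $ie.DisableFirstRunCustomize -eq 1 -and $ie.Play_Background_Sounds -eq 'no') {
    $findings += [pscustomobject]@{ Type = 'Registry'; Item = 'Internet Explorer\Main'; Detail = 'DisableFirstRunCustomize=1, Play_Background_Sounds=no' }
}

if ($findings.Count -eq 0) { 'No Win64/Fleercivet.AE artifacts found in this profile.' }
else { $findings | Format-Table -AutoSize }
```

A hit on the Run value or on ChromeUpdate.exe is the strong indicator; the Chrome\Plug files and the IE settings only corroborate it.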

Information stealing

The trojan collects the following information:

  • country code
  • operating system version

The trojan attempts to send gathered information to a remote machine. The UDP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 6 URLs. The HTTP and UDP protocols are used in the communication.

The trojan keeps various information in the following files:

  • %appdata%\u00BD\u009E\u0092\u0093\u00D3\u0099\u009C\u0089
  • %commonappdata%\@system3.att
  • %commonappdata%\@000001.dat
