Win32/Fleercivet [Threat Name]

Win32/Fleercivet.AA [Threat Variant Name]

Category trojan
Size 332800 B
Detection created Dec 02, 2014
Detection database version 10813
Aliases Trojan.Win32.Staser.ayda (Kaspersky)
  Trojan:Win32/Fleercivet.D (Microsoft)
Short description

The trojan is designed to artificially generate traffic to certain Internet sites. It can be controlled remotely.

Installation

When executed, the trojan copies itself to one or more of the following locations:

  • %windir%\FrameworkUpdate\Update.exe
  • %appdata%\FrameworkUpdate\ChromeUpdate.exe

The trojan registers itself as a system service using the following name:

  • SystemUpdate

This causes the trojan to be executed on every system start.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "ChromeUpdate" = "%appdata%\FrameworkUpdate\ChromeUpdate.exe"

This causes the trojan to be executed on every system start.


The trojan may also set the following Internet Explorer Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "DisableFirstRunCustomize" = 1
    • "Play_Background_Sounds" = "no"

DisableFirstRunCustomize suppresses the Internet Explorer first-run wizard and Play_Background_Sounds turns off page audio, presumably so that the browser sessions the trojan launches for its traffic generation neither prompt the user nor play sounds.

The trojan creates the following files:

  • %appdata%\麽鎒駓覜 (480 B)

The trojan may create the following files:

  • %temp%\%tempfilename%.tmp (129024 B, Win64/Kryptik.KO)
  • %temp%\update.exe (129024 B, Win64/Kryptik.KO)

The dropped file is a 64-bit component (detected as Win64/Kryptik.KO) and is then executed.


The trojan can create and run a new thread with its own program code within the following processes:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe

The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The following programs are terminated:

  • ctfmon.exe
  • msdt.exe

The following services are disabled:

  • BITS
  • ERSvc
  • MpsSvc
  • SharedAccess
  • WerSvc
  • WinDefend
  • wscsvc
  • wuauserv

Together these switch off Windows Update (wuauserv and its BITS transfer service), the Windows Firewall (MpsSvc on Windows Vista and later, SharedAccess on Windows XP), Windows Defender (WinDefend), Security Center alerts (wscsvc) and error reporting (ERSvc on Windows XP, WerSvc on later versions).
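
The following read-only triage script is an added example, not ESET's code or detection logic. It checks a Windows host for the persistence artifacts listed in the Installation section above (dropped copies, the SystemUpdate service, the ChromeUpdate Run value, the two Internet Explorer settings) and for the disabled services. The file paths, key names and service names are taken from this description; the use of CIM for service state, the reporting format and the expectation that it is run in an elevated PowerShell 5.1 session are assumptions of the example.

```powershell
# Added host-triage script (not ESET's code). Read-only: it reports findings
# and changes nothing. Artifact names come from the Win32/Fleercivet.AA
# description; everything else here is an assumption of this example.
# Run from an elevated PowerShell 5.1 (or later) session.

$findings = @()

# 1. Dropped copies of the trojan (%windir% and %appdata% locations)
$dropPaths = @(
    (Join-Path $env:windir  'FrameworkUpdate\Update.exe'),
    (Join-Path $env:APPDATA 'FrameworkUpdate\ChromeUpdate.exe')
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "File present: $p (SHA256 $hash)"
    }
}

# 2. Service persistence under the name 'SystemUpdate'. The binary path is
#    reported so the analyst can see whether it points into FrameworkUpdate.
$svc = Get-CimInstance Win32_Service -Filter "Name='SystemUpdate'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service SystemUpdate: state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)"
}

# 3. Run-key persistence in the current user's hive
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ChromeUpdate']) {
    $findings += "Run value ChromeUpdate = $($run.ChromeUpdate)"
}

# 4. Internet Explorer settings the trojan flips to keep its browser
#    sessions quiet. Either value alone is weak evidence; both together,
#    next to the other artifacts, are worth noting.
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain) {
    if ($ieMain.DisableFirstRunCustomize -eq 1)  { $findings += 'IE Main: DisableFirstRunCustomize = 1' }
    if ($ieMain.Play_Background_Sounds -eq 'no') { $findings += 'IE Main: Play_Background_Sounds = no' }
}

# 5. Services the trojan disables. Some exist only on certain Windows
#    versions (ERSvc on XP, WerSvc/MpsSvc on Vista and later) and admins
#    do disable a few of these legitimately, so treat this as corroboration.
$watched = 'BITS','ERSvc','MpsSvc','SharedAccess','WerSvc','WinDefend','wscsvc','wuauserv'
Get-CimInstance Win32_Service |
    Where-Object { $watched -contains $_.Name -and $_.StartMode -eq 'Disabled' } |
    ForEach-Object { $findings += "Service disabled: $($_.Name) ($($_.DisplayName))" }

if ($findings.Count -eq 0) {
    'No Win32/Fleercivet.AA persistence artifacts found.'
} else {
    'Possible Win32/Fleercivet.AA artifacts:'
    $findings | ForEach-Object { "  $_" }
}
```

The HKCU checks only cover the user running the script; on a shared machine, load each user's NTUSER.DAT or run the checks in every profile, since the Run value and the Internet Explorer settings are written to the infected user's hive.
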

Information stealing

The trojan collects the following information:

  • operating system version
  • CPU information
  • country code

The trojan attempts to send gathered information to a remote machine. The UDP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (9) URLs. The UDP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address

The trojan is designed to artificially generate traffic to certain Internet sites.


The trojan sends HTTP requests that simulate clicks on banner advertisements, inflate web counter statistics, and so on.


The trojan keeps various information in the following files:

  • %commonappdata%\@system3.att
  • %commonappdata%\@system.temp

The trojan can delete cookies.


The trojan may execute the following commands:

  • %programfiles%\Internet Explorer\iexplore.exe -noframemerging %variable%
  • %programfiles%\Internet Explorer\iexplore.exe %variable%

A string with variable content is used instead of %variable%. The -noframemerging switch makes Internet Explorer start a separate frame process instead of attaching to one that is already running, so the trojan's browsing session runs apart from any Internet Explorer windows the user has open.
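
The following live-hunting snippet is an added example, not ESET's code. It looks for the runtime traces described in this section: iexplore.exe instances started with the -noframemerging switch, their parent process and whether they own a visible window, and the two data files in %commonappdata%. The process names and file names come from this description; the windowless-process heuristic and the idea that a parent other than explorer.exe or iexplore.exe is noteworthy are assumptions of the example, and both have legitimate exceptions noted in the comments.

```powershell
# Added live-hunting snippet (not ESET's code). Read-only.
# Artifact names come from the Win32/Fleercivet.AA description; the
# heuristics below are assumptions of this example, not documented behaviour.

# Parents an analyst would usually expect for an Internet Explorer process.
# Caveat: the trojan also injects code into explorer.exe (see above), so a
# malicious instance can be launched from a legitimate-looking parent.
$expectedParents = @('explorer.exe', 'iexplore.exe')

# Index every process by PID once so parents can be resolved by name.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

$hits = foreach ($p in (Get-CimInstance Win32_Process -Filter "Name='iexplore.exe'")) {
    if ($p.CommandLine -notlike '*-noframemerging*') { continue }

    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    # MainWindowHandle is 0 for a process with no top-level window. IE tab
    # processes also report 0, so this only adds weight when combined with
    # the switch and an unexpected parent.
    $gp       = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    $noWindow = (-not $gp) -or ($gp.MainWindowHandle -eq 0)

    [pscustomobject]@{
        Pid         = $p.ProcessId
        Parent      = "$parentName ($($p.ParentProcessId))"
        NoWindow    = $noWindow
        Suspicious  = $noWindow -and ($expectedParents -notcontains $parentName)
        CommandLine = $p.CommandLine
    }
}

if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No iexplore.exe with -noframemerging running.' }

# Data files the trojan keeps in %commonappdata% (C:\ProgramData on Vista+,
# "All Users\Application Data" on XP; GetFolderPath resolves both).
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')
foreach ($name in '@system3.att', '@system.temp') {
    $f = Join-Path $commonAppData $name
    if (Test-Path -LiteralPath $f) {
        Get-Item -LiteralPath $f | Select-Object FullName, Length, LastWriteTime
    }
}
```

Because the trojan can run its own code inside an injected chrome.exe, firefox.exe or explorer.exe, a clean result here does not rule out an infection; the network side (the UDP control traffic and the bursts of HTTP requests to advertising URLs) is the more reliable place to confirm it.
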


The trojan contains both 32-bit and 64-bit program components.
