Win32/IcoScript [Threat Name] go to Threat

Win32/IcoScript.A [Threat Variant Name]

Category trojan
Size 69632 B
Aliases Trojan.Win32.Vilsel.bmrd (Kaspersky)
  Trojan:Win32/Vilsel.C (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan may create the following files:

  • %appdata%\­A3D\­A3DUtility.exe (Win32/IcoScript.A)
  • %appdata%\­A3D\­A3DUtility.ico
  • %appdata%\­A3D\­license.lua
  • %appdata%\­A3D\­0.bat
  • %templates%\­A3D\­A3DUtility.exe (Win32/IcoScript.A)
  • %templates%\­A3D\­A3DUtility.ico
  • %templates%\­A3D\­license.lua
  • %templates%\­A3D\­0.bat
  • %temp%\­tmp00102f8f\­Common\­RST%variable%.jpg

A string with variable content is used instead of %variable% .

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "A3D" = "%appdata%\­A3D\­A3DUtility.exe"
    • "A3D" = "%templates%\­A3D\­A3DUtility.exe"

This causes the trojan to be executed on every system start.

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (1) addresses. The SMTP, POP3 protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • visit a specific website
  • delete files

The trojan may affect the behavior of the following applications:

  • Internet Explorer

The trojan may delete files stored in the following folders:

  • %cookies%

It avoids files with the following filenames:

  • desktop.ini
  • index.dat

Please enable Javascript to ensure correct displaying of this content and refresh this page.