Win32/Olmarik [Threat Name]
Win32/Olmarik.RN [Threat Variant Name]
Available cleaner: Olmarik / Olmasco Cleaner (download)
Category: trojan
Size: 22008 B
Aliases: Trojan-Downloader.Win32.Agent.dmes (Kaspersky), Backdoor.Tidserv.K (Symantec), Trojan:Win32/Alureon.CT (Microsoft)
Short description
The trojan contains a backdoor. It can be controlled remotely. It uses techniques common to rootkits. The file is run-time compressed using UPX.
Installation
When executed, the trojan creates the following files:
- %temp%\%random1%.tmp
- %temp%\%random2%.tmp
A string with variable content is used instead of %random1% and %random2%.
The following files are modified:
- %system%\drivers\*.sys
It avoids files with the following filenames:
- fvevol.sys
- ksecdd.sys
- win32k.sys
- pci.sys
The modified file contains the original program code along with the program code of the infiltration.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%random3%]
- "ImagePath" = "%temp%\%random1%.tmp"
- "Type" = 1
A string with variable content is used instead of %random3%.
The trojan may create and run a new thread with its own program code within any running process.
Information stealing
The trojan collects the following information:
- a list of recently visited URLs
- operating system version
The trojan can send the information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 7 URLs. The HTTP and HTTPS protocols are used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
- "svchost.exe" = 8000
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "MaxHttpRedirects" = 8000
- "EnableHttp1_1" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "CurrentLevel" = 0
- "1601" = 0
- "1400" = 0
The trojan can write its own data to the end of the physical drive.
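An added read-only PowerShell hunting script (not ESET's code) that checks a host for the artifacts listed in the Installation and Other information sections: kernel-driver services whose ImagePath points into a temp folder, the Internet zone and FEATURE_BROWSER_EMULATION values, and drivers in %system%\drivers whose Authenticode signature does not verify. It assumes an elevated PowerShell 5.1 or later session; all cmdlets are standard.

```powershell
# Added read-only hunting script (not ESET's code). Run elevated in PowerShell 5.1+.
# Each check maps to an artifact described in this entry; nothing on the host is modified.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Kernel-driver services (Type = 1) whose ImagePath points into a temp folder,
#    as with the %temp%\%random1%.tmp service described above.
$tempDirs = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $name = $_.PSChildName
    $svc  = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($svc -and $svc.Type -eq 1 -and $svc.ImagePath) {
        # Strip the NT object prefix (\??\) and quotes before expanding %variables%
        $raw  = ($svc.ImagePath -replace '^\\\?\?\\', '').Trim('"')
        $path = [Environment]::ExpandEnvironmentVariables($raw).ToLowerInvariant()
        if ($tempDirs | Where-Object { $path.StartsWith($_) }) {
            $findings.Add("Kernel driver service '$name' loads from temp: $($svc.ImagePath)")
        }
    }
}

# 2. Internet zone (Zones\3) security values set to 0, as listed above.
$zone3 = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -ErrorAction SilentlyContinue
foreach ($v in 'CurrentLevel', '1601', '1400') {
    if ($zone3 -and $zone3.PSObject.Properties[$v] -and $zone3.$v -eq 0) {
        $findings.Add("Internet zone value '$v' is 0")
    }
}

# 3. Browser-emulation override registered for svchost.exe, which is not a browser.
$fbe = Get-ItemProperty 'HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION' -ErrorAction SilentlyContinue
if ($fbe -and $fbe.'svchost.exe' -eq 8000) {
    $findings.Add('FEATURE_BROWSER_EMULATION has svchost.exe = 8000')
}

# 4. Drivers whose Authenticode signature no longer verifies. The infected file keeps
#    the original code, so a size check is weak; a signature check is not. On older
#    Windows, catalog-signed drivers report NotSigned here, so review these, don't auto-act.
Get-ChildItem "$env:SystemRoot\System32\drivers\*.sys" -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid') { $findings.Add("$($_.Name): signature status $($sig.Status)") }
}

# A kernel rootkit can hide its changes from a live system, so an empty result is not
# proof of a clean host; confirm with an offline scan that includes the end of the disk.
if ($findings.Count -eq 0) { 'No Olmarik.RN-style artifacts found' } else { $findings }
```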