Win32/Olmarik [Threat Name] go to Threat

Win32/Olmarik.RN [Threat Variant Name]

Category	trojan
Size	22008 B
Aliases	Trojan-Downloader.Win32.Agent.dmes (Kaspersky)
	Backdoor.Tidserv.K (Symantec)
	Trojan:Win32/Alureon.CT (Microsoft)

The trojan contains a backdoor. It can be controlled remotely. It uses techniques common for rootkits. The file is run-time compressed using UPX .

When executed, the trojan creates the following files:

A string with variable content is used instead of %random1-2% .

The following files are modified:

It avoids files with the following filenames:

The modified file contains the original program code along with the program code of the infiltration.

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%random3%]
- "ImagePath" = "%temp%\%random1%.tmp"
- "Type" = 1

A string with variable content is used instead of %random3% .

The trojan may create and run a new thread with its own program code within any running process.

The trojan collects the following information:

The trojan can send the information to a remote machine.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (7) URLs. The HTTP, HTTPS protocol is used.

It can execute the following operations:

The trojan may set the following Registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
- "svchost.exe" = 8000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "MaxHttpRedirects" = 8000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "EnableHttp1_1" = 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "CurrentLevel" = 0
- "1601" = 0
- "1400" = 0

The trojan can write its own data to the end of the physical drive.