Win32/Olmasco [Threat Name]
Win32/Olmasco.R [Threat Variant Name]
Available cleaner: Olmarik / Olmasco Cleaner
Category | trojan
Size | 974848 B
Aliases | Trojan.Win32.Agent.hvbj (Kaspersky), Trojan:Win32/Alureon.FE (Microsoft), DNSChanger.cq.b (McAfee)
Short description
The trojan serves as a backdoor and can be controlled remotely. It uses techniques common to rootkits.
Installation
When executed, the trojan creates the following files:
- %temp%\MRT.exe
- %temp%\%random%.tmp
Win32/Olmasco.R replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.
The trojan writes its own data to the end of the physical drive.
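As an added defensive example (not part of the original threat description), the following Python checks a raw disk image for the two MBR-level traces described above: boot code that no longer matches a recorded clean baseline, and non-zero data beyond the last partition. The baseline hash, the boot-code bytes and both sample images are constructed for the demo.

```python
import hashlib
import struct

SECTOR = 512
BOOT_LEN = 446                # boot code occupies bytes 0..445 of the MBR
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes):
    """Split an MBR sector into boot code, in-use partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):  # four 16-byte partition entries follow the boot code
        entry = sector[BOOT_LEN + 16 * i : BOOT_LEN + 16 * (i + 1)]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 marks an unused slot
            partitions.append({"type": entry[4], "start": lba_start, "sectors": sector_count})
    return sector[:BOOT_LEN], partitions, sector[510:512] == MBR_SIGNATURE

def check_disk_image(image: bytes, baseline_boot_sha256: str):
    """Return a list of findings; an empty list means the image matches the clean baseline."""
    boot_code, partitions, sig_ok = parse_mbr(image[:SECTOR])
    findings = []
    if not sig_ok:
        findings.append("MBR signature 0x55AA missing")
    if hashlib.sha256(boot_code).hexdigest() != baseline_boot_sha256:
        findings.append("MBR boot code differs from recorded baseline")
    # The bootkit stores its payload past the last partition, so non-zero
    # sectors beyond the highest partition end are worth flagging.
    last_lba = max((p["start"] + p["sectors"] for p in partitions), default=1)
    tail = image[last_lba * SECTOR:]
    if any(tail):
        findings.append(f"{len(tail)} bytes of non-zero data after the last partition")
    return findings

def build_image(boot_code: bytes, tail: bytes) -> bytes:
    """Constructed 16-sector image: MBR, one 8-sector partition at LBA 1, then `tail`."""
    entry = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 1, 8)
    mbr = boot_code.ljust(BOOT_LEN, b"\x00") + entry + b"\x00" * 48 + MBR_SIGNATURE
    return (mbr + b"\x00" * (8 * SECTOR) + tail).ljust(16 * SECTOR, b"\x00")

CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0"  # constructed stand-in for vendor boot code
BASELINE = hashlib.sha256(CLEAN_BOOT.ljust(BOOT_LEN, b"\x00")).hexdigest()
CLEAN_IMAGE = build_image(CLEAN_BOOT, b"")
INFECTED_IMAGE = build_image(b"\xeb\x3c\x90BOOTKIT", b"\xcc" * (2 * SECTOR))

if __name__ == "__main__":
    print("clean:", check_disk_image(CLEAN_IMAGE, BASELINE))
    print("infected:", check_disk_image(INFECTED_IMAGE, BASELINE))
```

On a real disk the space after the last partition may hold stale but harmless data, so the tail check is a triage heuristic; the baseline hash should be recorded from a known-clean boot of the same machine.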
The trojan may create and run a new thread with its own program code within any running process.
Other information
The trojan hides its presence in the system.
It uses techniques common to rootkits.
The trojan contains both 32-bit and 64-bit program components.
The trojan terminates its execution if it detects that it's running in a specific virtual environment.
The trojan disables various security-related applications.
The trojan may restart the operating system.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 8 URLs and communicates with them over HTTP.
It can execute the following operations:
- update itself to a newer version
- download files from a remote computer and/or the Internet
- run executable files
The trojan may delete the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver]
The trojan attempts to delete the following files:
- %system%\drivers\mbam.sys