Win32/Otlard [Threat Name]

Win32/Otlard.A [Threat Variant Name]

Category trojan
Size 19420 B
Aliases Backdoor.Win32.IEbooot.brr (Kaspersky)
  TrojanDropper:Win32/Otlard.A (Microsoft)
  W32/Backdoor2.ETQO (F-Secure)
Short description

Win32/Otlard.A installs a backdoor that can be controlled remotely.


The trojan does not create any copies of itself.

The following file is dropped into the %system%\drivers\ folder:

  • %variable%.sys (17376 B)

Installs the following system drivers (path, name):

  • %system%\drivers\%variable%.sys, %variable%

A string with variable content is used instead of %variable%.

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan serves as a backdoor. It can be controlled remotely.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 6 URLs. It tries to download several files from these addresses using the HTTP protocol.

The files are then executed.

The trojan creates and runs a new thread with its own program code within the following processes:

  • %system%\svchost.exe

The trojan may set the following Registry entries:

  • "Randseed_1" = %hex_value%
  • "Randseed_2" = %hex_value%

A string with variable content is used instead of %hex_value%.
