Win64/Fleercivet [Threat Name] go to Threat
Win64/Fleercivet.AE [Threat Variant Name]
| Category | trojan |
| Size | 105472 B |
| Aliases | Trojan.Win32.Scar.oape (Kaspersky) |
| Trojan:Win32/Dorv.D!rfn (Microsoft) |
Short description
The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\BrowserMe\ChromeUpdate.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "BrowserMe" = "%appdata%\BrowserMe\ChromeUpdate.exe"
The trojan launches the following processes:
- %windir%\system32\svchost.exe -k netsvcs
- %windir%\SysWOW64\svchost.exe -k netsvcs
- %programfiles%\Internet Explorer\iexplore.exe
- %programfiles%\Google\Chrome\Application\chrome.exe
The trojan creates and runs a new thread with its own code within these running processes.
The trojan creates the following files:
- %appdata%\u00BD\u009E\u0092\u0093\u00D3\u0099\u009C\u0089 (480 B)
- %commonappdata%\@system3.att (656 B)
The trojan may create the following files:
- %localappdata%\Google\Chrome\local.dat
- %localappdata%\Google\Chrome\clocal.dat
- %localappdata%\Google\Chrome\Plug\background.html (68 B)
- %localappdata%\Google\Chrome\Plug\background.js (204 B)
- %localappdata%\Google\Chrome\Plug\contentscript.js (23580 B)
- %localappdata%\Google\Chrome\Plug\fix.css (207 B)
- %localappdata%\Google\Chrome\Plug\icon-128.png (18489 B)
- %localappdata%\Google\Chrome\Plug\manifest.json (478 B)
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "DisableFirstRunCustomize" = 1
- "Play_Background_Sounds" = "no"
The trojan terminates its execution if it detects that it's running in a specific virtual environment.
Information stealing
The trojan collects the following information:
- country code
- operating system version
The trojan attempts to send gathered information to a remote machine. The UDP protocol is used.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (6) URLs. The HTTP, UDP protocol is used in the communication.
The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.
The trojan keeps various information in the following files:
- %appdata%\u00BD\u009E\u0092\u0093\u00D3\u0099\u009C\u0089
- %commonappdata%\@system3.att
- %commonappdata%\@000001.dat