MSIL/HarvBot [Threat Name] go to Threat

MSIL/HarvBot.I [Threat Variant Name]

Category trojan
Size 188416 B
Detection created Jan 13, 2016
Signature database version 12862
Aliases Worm.MSIL.Arcdoor.vse (Kaspersky)
  Trojan.DownLoader18.55647 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­Javaupdates\­javaUpdates.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "javaUpdates" = "%appdata%\­Javaupdates\­javaUpdates.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "javaUpdates" = "%appdata%\­Javaupdates\­javaUpdates.exe"

The trojan creates the following file:

  • %appdata%\­Javaupdates\­Set.bin
Information stealing

The trojan collects the following information:

  • operating system version
  • computer name
  • volume serial number
  • language settings
  • external IP address of the network device
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Payload information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • perform DoS/DDoS attacks
Other information

The trojan may create the following files:

  • %temp%\­%variable%.exe

The files are then executed.


A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.