Win32/Pterodo [Threat Name]

Win32/Pterodo.J [Threat Variant Name]

Category trojan
Size 352726 B
Detection created Jun 07, 2017
Detection database version 15545
Aliases Win32:Malware-gen (Avast)
  SCGeneric1.BKJK.trojan (AVG)
  TR/Razy.pndpq (Avira)
  Exploit.Win32.CVE-2015-2387.foph (Kaspersky)
  Backdoor:Win32/Pterodo!rfn (Microsoft)
  Trojan.Gen.2 (Symantec)
Short description

Win32/Pterodo.J is a trojan that uploads selected files to a remote server.

Installation

When executed, the trojan creates the following files:

  • %temp%\7ZSfx%variable1%\fl.cmd (2264 B, Win32/Pterodo.J)
  • %temp%\7ZSfx%variable1%\control.dll (487936 B, Win32/Pterodo.J)
  • %installfolder%\%variable2%.sgh (0 B)
  • %installfolder%\office.dll (487936 B, Win32/Pterodo.J)

A string with variable content is used instead of %variable1-2%.


The %installfolder% is one of the following strings:

  • %allusersprofile%\Microsoft\OFFICE\DATA
  • %windir%
  • %userprofile%

The trojan executes the following commands:

  • %temp%\7ZSfx%variable1%\fl.cmd
  • rundll32.exe %installfolder%\office.dll,chkupd

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "Microsoft.Explorer.Updates" = "%windir%\system32\rundll32.exe %installfolder%\office.dll,chkupd"

The trojan schedules a task that causes the following file to be executed repeatedly:

  • %windir%\system32\rundll32.exe %installfolder%\office.dll,chkupd

The trojan starts the Schedule (Task Scheduler) service.


The trojan quits immediately if the Windows user name is one of the following:

  • MALTEST
  • TEQUILABOOMBOOM
  • SANDBOX
  • VIRUS
  • MALWARE
  • TEST
  • TROYAN

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • wireshark.exe

The following programs are terminated:

  • rundll32.exe

The trojan then deletes the following files:

  • %allusersprofile%\Microsoft\OFFICE\DATA\*.sgh
  • %windir%\*.sgh
  • %temp%\7ZSfx%variable1%\fl.cmd

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • unique identifier of infected computer
  • volume serial number
  • file(s) content

The trojan searches local, removable and network drives for files with one of the following extensions:

  • .doc
  • .docx
  • .xls
  • .xlsx
  • .odt

When the trojan finds a file matching the search criteria, it makes a copy of it.

The trojan copies the files into the following folder:

  • %localappdata%\Microsoft\Windows\Updates\files\

The trojan searches for files and folders on removable drives.


It avoids files with the following extensions:

  • .dll
  • .bin
  • .cab
  • .exe
  • .iso

When the trojan finds a file matching the search criteria, it makes a copy of it.

The trojan copies the files into the following folder:

  • %localappdata%\Microsoft\Windows\Updates\USB\

The trojan attempts to send the collected files to a remote machine.


The trojan contains a list of (2) URLs. The HTTP protocol is used.

Other information

The trojan keeps various information in the following files:

  • %localappdata%\Microsoft\Windows\ihqy2vo8v.dat
  • %localappdata%\Microsoft\Windows\ihqy2vo8v.dat-journal
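As an added example that is not part of this description, the following Python routine checks host artifacts against the persistence and file-staging indicators listed above: the Policies\Explorer\Run value, the rundll32 office.dll,chkupd invocation (autorun entry or scheduled task), the Updates\files and Updates\USB staging folders, the .sgh marker files and the ihqy2vo8v.dat state files. The sample registry entries, task command lines, file paths and the user name "alice" are constructed for the example, and the regular expressions are the example's own approximation of the paths given above.

```python
import re

# Host indicators taken from the Win32/Pterodo.J description above. The sample
# registry entries, task command lines and file paths below are constructed.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
RUN_VALUE = "Microsoft.Explorer.Updates"
# rundll32 loading office.dll and calling its chkupd export (autorun entry or scheduled task)
CHKUPD = re.compile(r"rundll32(?:\.exe)?\s+.*office\.dll\s*,\s*chkupd", re.IGNORECASE)
# staging folders for harvested documents (local/network drives vs. removable drives)
STAGING = re.compile(r"\\Microsoft\\Windows\\Updates\\(?:files|USB)\\", re.IGNORECASE)
# state files, and the empty .sgh marker dropped in %allusersprofile%\Microsoft\OFFICE\DATA or %windir%
STATE = re.compile(r"\\Microsoft\\Windows\\ihqy2vo8v\.dat(?:-journal)?$", re.IGNORECASE)
SGH = re.compile(r"(?:\\Microsoft\\OFFICE\\DATA|:\\Windows)\\[^\\]+\.sgh$", re.IGNORECASE)


def scan_host(registry, tasks, files):
    """registry: (key, value_name, data) triples; tasks: scheduled-task command
    lines; files: full file paths. Returns a list of human-readable findings."""
    findings = []
    for key, name, data in registry:
        if key.lower() == RUN_KEY.lower() and name == RUN_VALUE:
            findings.append(f"autorun value {name} under Policies\\Explorer\\Run")
        elif CHKUPD.search(data):
            findings.append(f"autorun {key}\\{name} calls office.dll,chkupd")
    for cmd in tasks:
        if CHKUPD.search(cmd):
            findings.append(f"scheduled task calls office.dll,chkupd: {cmd}")
    for path in files:
        if STAGING.search(path):
            findings.append(f"staging folder in use: {path}")
        elif STATE.search(path) or SGH.search(path):
            findings.append(f"state/marker file: {path}")
    return findings


# constructed sample data: one malicious and one benign item per category
SAMPLE_REGISTRY = [
    (RUN_KEY, RUN_VALUE, r"C:\Windows\system32\rundll32.exe C:\Windows\office.dll,chkupd"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]
SAMPLE_TASKS = [
    r"C:\Windows\system32\rundll32.exe C:\Users\alice\office.dll,chkupd",
    r"C:\Windows\system32\sc.exe start wuauserv",
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\Updates\files\report.docx",
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\ihqy2vo8v.dat-journal",
    r"C:\ProgramData\Microsoft\OFFICE\DATA\a8f2k.sgh",
    r"C:\Users\alice\Documents\report.docx",
]
```

Running `scan_host(SAMPLE_REGISTRY, SAMPLE_TASKS, SAMPLE_FILES)` yields five findings (one autorun, one scheduled task, one staging folder, two state/marker files) and nothing for the benign entries.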
