Win32/Pterodo [Threat Name]

Win32/Pterodo.W [Threat Variant Name]

Category trojan
Size 207725 B
Detection created Sep 28, 2017
Detection database version 16155
Aliases Exploit.Win32.CVE-2015-2387.foqr (Kaspersky)
  Trojan.MulDrop7.42385 (Dr.Web)
Short description

Win32/Pterodo.W is a trojan that uploads selected files to a remote server.

Installation

The trojan is probably delivered as a component of other malware.


The trojan may create the following folders:

  • %temp%\7ZipSfx000\
  • %appdata%\TOOLBARS\
  • %windir%\TOOLBARS\

The trojan may create the following files:

  • %temp%\7ZSfx000.cmd (200 B, Win32/Pterodo.W)
  • %temp%\7ZipSfx000\network.cmd (1262 B, Win32/Pterodo.W)
  • %temp%\7ZipSfx000\WorkerNet.puffed.exe (155648 B, Win32/Pterodo.W)

The files are then executed.


The trojan creates the following file:

  • %localappdata%\Microsoft\Low\%variable%.flash

A string with variable content is used instead of %variable%.


The trojan may create copies of the following files (source, destination):

  • %temp%\7ZipSfx000\WorkerNet.puffed.exe, %appdata%\TOOLBARS\cronosnetwork.exe
  • %temp%\7ZipSfx000\WorkerNet.puffed.exe, %windir%\TOOLBARS\cronosnetwork.exe

The trojan starts the Schedule (Task Scheduler) service.


The trojan schedules a task that causes one of the following files to be executed repeatedly:

  • %appdata%\TOOLBARS\cronosnetwork.exe
  • %windir%\TOOLBARS\cronosnetwork.exe

Information stealing
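
The installation chain above leaves a small, fixed set of host artefacts: the 7-Zip SFX staging folder, the two cronosnetwork.exe copies and a scheduled task that runs one of them. The following PowerShell hunt script is an added example, not part of the ESET entry or the malware; it checks a single Windows host for exactly those indicators. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks module) and an elevated prompt so that %windir% and every user's tasks are readable; the output object layout is my own.

```powershell
# Added hunt script (not from the ESET entry): look for the Win32/Pterodo.W
# installation and persistence indicators listed above on the local host.
# Run elevated; requires Get-ScheduledTask (Windows 8 / Server 2012+).
$ErrorActionPreference = 'SilentlyContinue'   # missing paths are expected, not errors

# Dropped files and the two persistent copies named in the entry.
$filePaths = @(
    "$env:TEMP\7ZSfx000.cmd",
    "$env:TEMP\7ZipSfx000\network.cmd",
    "$env:TEMP\7ZipSfx000\WorkerNet.puffed.exe",
    "$env:APPDATA\TOOLBARS\cronosnetwork.exe",
    "$env:windir\TOOLBARS\cronosnetwork.exe"
)

# Folders the trojan creates, plus the folder it stages stolen files in.
$folderPaths = @(
    "$env:TEMP\7ZipSfx000",
    "$env:APPDATA\TOOLBARS",
    "$env:windir\TOOLBARS",
    "$env:LOCALAPPDATA\Microsoft\Low"
)

$findings = @()

foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $item = Get-Item -LiteralPath $p -Force
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = 'File'
            Path   = $p
            Detail = '{0} B, SHA256 {1}' -f $item.Length, $hash
        }
    }
}

foreach ($d in $folderPaths) {
    if (Test-Path -LiteralPath $d -PathType Container) {
        # List the first few file names so .flash staging files stand out.
        $children = @(Get-ChildItem -LiteralPath $d -Force -File)
        $findings += [pscustomobject]@{
            Type   = 'Folder'
            Path   = $d
            Detail = '{0} file(s): {1}' -f $children.Count,
                     (($children.Name | Select-Object -First 5) -join ', ')
        }
    }
}

# Persistence: any scheduled task whose action launches cronosnetwork.exe,
# regardless of which of the two copies it points at.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'cronosnetwork\.exe') {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Path   = '{0}{1} ({2})' -f $task.TaskPath, $task.TaskName, $task.State
                Detail = '{0} {1}' -f $action.Execute, $action.Arguments
            }
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Win32/Pterodo.W file or scheduled-task indicators found.'
}
```

A clean result is not proof of a clean host: the entry says the trojan deletes its staging files, its original file and the Microsoft\Low folder after use, so on a long-infected machine the scheduled task and the cronosnetwork.exe copy are usually the only artefacts left, and the task check is the one that matters. Treat any hit as a trigger for full triage rather than as something to clean up by hand, since the same task will re-launch the second copy if only one is removed.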

The trojan collects the following information:

  • user name
  • computer name
  • unique identifier of infected computer
  • volume serial number
  • file(s) content

The trojan attempts to send gathered information to a remote machine.


The trojan collects the following files:

  • %localappdata%\Microsoft\Low\*.*

The trojan attempts to send the collected files to a remote machine.


The trojan contains a list of 2 URLs. HTTP is used for the communication.

Other information

The trojan may delete the following folders:

  • %localappdata%\Microsoft\Low\

The trojan may delete files stored in the following folders:

  • %localappdata%\Microsoft\Low\

The following files are deleted:

  • %temp%\7ZipSfx000\network.cmd
  • %temp%\7ZipSfx000\WorkerNet.puffed.exe
  • %originalmalwarefile%
