Win32/Sedkom [Threat Name] go to Threat
Win32/Sedkom.AA [Threat Variant Name]
| Category | trojan |
| Size | 628224 B |
| Detection created | Oct 03, 2015 |
| Detection database version | 12352 |
| Aliases | Trojan.VBS.Agent.xd (Kaspersky) |
| Trojan.Mdropper (Symantec) |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan creates the following files:
- %temp%\%variable1%.dll (15360 B)
- %temp%\%variable1%.tmp (66256 B)
- %temp%\%originalmalwarefilename% (150528 B)
A string with variable content is used instead of %variable1% .
The trojan executes the following command:
- regsvr32 /s "%temp%\%variable1%.dll"
The trojan creates copies of the following files (source, destination):
- %temp%\%originalmalwarefilename%, %originalmalwarefilepath%
The trojan executes the following files:
- %originalmalwarefilepath%
The trojan creates the following files:
- %systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\Network Checker.lnk
- %systemdrive%\Documents and Settings\%username%\Start Menu\Programs\Startup\Network Checker.lnk
- %systemdrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Network Checker.lnk
- %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network Checker.lnk
- %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Network Checker.lnk
The file is a shortcut to a following file:
- regsvr32 /s "%temp%\%variable1%.dll"
This causes the trojan to be executed on every system start.
Information stealing
Win32/Sedkom.AA is a trojan that steals sensitive information.
The following information is collected:
- computer name
- operating system version
- user name
- user domain name
- MAC address
- computer IP address
- installed Microsoft Windows patches
- proxy server settings
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (3) URL addresses. The HTTP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- upload files to a remote computer
- send the list of running processes to a remote computer
- terminate running processes
- execute JavaScript code
- execute shell commands
- send the output of the executed program
- send the list of disk devices and their type to a remote computer
- create files
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1601" = 0
The trojan may create the following files:
- %temp%\ErrLog.txt
- %temp%\VMjc%variable2%.dll
- %temp%\VMjc%variable2%.ini
- %temp%\VMjc%variable2%.out
- %temp%\VMjc%variable3%
- %temp%\VMjc%variable3%.tmp
A string with variable content is used instead of %variable2-3% .
Trojan requires the Microsoft Excel to run.