Win32/Fatoos [Threat Name]
Win32/Fatoos.A [Threat Variant Name]
Category | trojan |
Size | 14848 B |
Aliases | Trojan.Win32.Fatoos.a (Kaspersky) |
 | Trojan:Win32/Startpage.gen!A (Microsoft) |
 | Downloader (Symantec) |
Short description
Win32/Fatoos.A is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan copies itself into the following location:
- %system%\svcsys.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "MSSVC" = "%system%\svcsys.exe 8192"
The trojan changes the home page of the following web browsers:
- Microsoft Internet Explorer
The following Registry entry is set:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "Start Page" = "http://i-search.us/"
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\FastWebTools]
- [HKEY_CURRENT_USER\Software\FastWebTools\Commands]
- [HKEY_CURRENT_USER\Software\FastWebTools\ETrans]
- [HKEY_CURRENT_USER\Software\FastWebTools\Squad]
- "PU" = "PU"
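The registry traces listed above can be checked offline against an exported HKEY_CURRENT_USER hive. The following is an added example, not part of the original description or any vendor tool: it parses .reg export text (already decoded to a string) and reports the Run value, the start page and the FastWebTools keys. The function names and the sample export are constructed for illustration, and C:\Windows\system32 is assumed to stand in for %system%.

```python
import re

# Registry values named in the write-up: (key, value name, substring expected in the data).
VALUE_IOCS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "MSSVC", r"\svcsys.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page", "i-search.us"),
]
KEY_IOC = r"HKEY_CURRENT_USER\Software\FastWebTools"  # the key itself or any subkey

def parse_reg_export(text):
    """Parse .reg text into {key: {value name: data}}; only string (REG_SZ) values are kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:
            # .reg files escape backslashes and quotes with a backslash; undo that.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def find_fatoos_traces(text):
    """Return (kind, detail) tuples for each indicator found; registry names are case-insensitive."""
    hits = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k == KEY_IOC.lower() or k.startswith(KEY_IOC.lower() + "\\"):
            hits.append(("key", key))
        for ioc_key, ioc_name, needle in VALUE_IOCS:
            for name, data in values.items():
                same_value = (k, name.lower()) == (ioc_key.lower(), ioc_name.lower())
                if same_value and needle.lower() in data.lower():
                    hits.append(("value", f"{key}\\{name} = {data}"))
    return hits

# Constructed sample export (not from a real host); C:\Windows\system32 stands in for %system%.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"MSSVC"="C:\\Windows\\system32\\svcsys.exe 8192"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://i-search.us/"
[HKEY_CURRENT_USER\Software\FastWebTools\Squad]
"PU"="PU"
'''
```

Calling find_fatoos_traces(SAMPLE) returns one entry per matched value or key. A start page set to anything other than the address above is not reported.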
Other information
The trojan contains a URL. It tries to download a file from that address.
The file is stored in the following location:
- C:\msdvx.exe
The file is then executed. The download uses the HTTP protocol.
The trojan may delete the following files:
- C:\msdvx.exe
- C:\istart.exe
- C:\x.exe
- C:\y.exe