Win32/Trustezeb [Threat Name]
Win32/Trustezeb.C [Threat Variant Name]
Category | trojan
Size | 69632 B
Aliases | Trojan:Win32/Matsnu (Microsoft), GenericDropper!1uz.trojan (McAfee)
Short description
Win32/Trustezeb.C is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX.
Installation
When executed, the trojan copies itself to one or more of the following locations:
- %appdata%\%variable1%\%variable2%.exe
- %userprofile%\%variable1%\%variable2%.exe
- %temp%\%variable1%\%variable2%.exe
- %temp%\%variable3%.pre
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable4%" = "%malwarefilepath%"
Each of %variable1% through %variable4% is replaced by a string with variable content.
The trojan quits immediately if its executable file path contains one of the following strings:
- sand-box
The trojan creates and runs a new thread with its own program code within the following processes:
- ctfmon.exe
- explorer.exe
- svchost.exe
The trojan displays a dialog box (its contents are not reproduced in this entry).
Information stealing
The trojan collects the following information:
- disk serial number (without spaces)
- computer name
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (5) URLs. The HTTP, HTTPS and FTP protocols are used.
It can execute the following operations:
- update itself to a newer version
- download files from a remote computer and/or the Internet
- run executable files
The trojan may create the following files:
- %temp%\%variable5%.ZL
- %temp%\%variable5%.ZL.$
- %system%\%variable5%.ZL
- %system%\%variable5%.ZL.$
A string with variable content is used instead of %variable5%.
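As an added example (not part of the original entry), the following Python triage script turns the Installation section and the file list above into host-side checks: it flags HKCU Run values whose target is an .exe one directory below %appdata%, %userprofile% or %temp%, and file paths matching %temp%\*.pre and the .ZL / .ZL.$ names in %temp% and %system%. The Run values and file listing are constructed sample data; %system% is assumed to expand to C:\Windows\System32, and the list of well-known profile folders is my own assumption, added so that ordinary entries such as Downloads\setup.exe are not reported by the %userprofile%\%variable1%\%variable2%.exe pattern.

```python
import re

# Constructed sample data (not from the original entry): a snapshot of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run values and a file
# listing, as a triage script or EDR query might collect them.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "qzdfx":    r"C:\Users\alice\AppData\Roaming\kwxpm\lfzqa.exe",
    "Updater":  r"C:\Users\alice\Downloads\setup.exe",
    "rtsxz":    r"C:\Users\alice\AppData\Local\Temp\abcd\efgh.exe",
    "mnbvc":    r"C:\Users\alice\ptrwq\zxcvb.exe",
}

SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\xk4j2.pre",
    r"C:\Users\alice\AppData\Local\Temp\xk4j2.ZL",
    r"C:\Windows\System32\xk4j2.ZL.$",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\AppData\Local\Temp\report.pdf",
]

# Assumption: standard folders directly under a user profile. An .exe one
# level below one of these (e.g. Downloads\setup.exe) is ordinary and must
# not be reported by the %userprofile%\<dir>\<name>.exe pattern.
KNOWN_PROFILE_DIRS = {
    "appdata", "desktop", "documents", "downloads", "favorites", "links",
    "music", "pictures", "videos", "searches", "contacts", "saved games",
    "onedrive", "3d objects",
}

# Expanded forms of the entry's environment variables (assumed defaults).
_PROFILE = r"^[a-z]:\\users\\(?P<user>[^\\]+)\\"
PATTERNS_RUN = [
    ("appdata",     re.compile(_PROFILE + r"appdata\\roaming\\[^\\]+\\[^\\]+\.exe$", re.I)),
    ("temp",        re.compile(_PROFILE + r"appdata\\local\\temp\\[^\\]+\\[^\\]+\.exe$", re.I)),
    ("userprofile", re.compile(_PROFILE + r"(?P<dir>[^\\]+)\\[^\\]+\.exe$", re.I)),
]
PATTERNS_FILE = [
    ("temp .pre",  re.compile(_PROFILE + r"appdata\\local\\temp\\[^\\]+\.pre$", re.I)),
    ("temp .ZL",   re.compile(_PROFILE + r"appdata\\local\\temp\\[^\\]+\.zl(\.\$)?$", re.I)),
    ("system .ZL", re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.zl(\.\$)?$", re.I)),
]


def classify_run_value(target):
    """Return the label of the first location pattern a Run target hits, or None.

    The more specific %appdata% and %temp% patterns are tried before the
    generic %userprofile% one; a %userprofile% hit inside a well-known
    profile folder is treated as benign.
    """
    for label, rx in PATTERNS_RUN:
        m = rx.match(target)
        if not m:
            continue
        if label == "userprofile" and m.group("dir").lower() in KNOWN_PROFILE_DIRS:
            return None
        return label
    return None


def suspicious_run_entries(run_values):
    """Map Run value names to the pattern they matched (unmatched values omitted)."""
    hits = {}
    for name, target in run_values.items():
        label = classify_run_value(target.strip('"'))
        if label:
            hits[name] = label
    return hits


def suspicious_files(paths):
    """Map file paths to the dropped-file pattern they matched (others omitted)."""
    hits = {}
    for path in paths:
        for label, rx in PATTERNS_FILE:
            if rx.match(path):
                hits[path] = label
                break
    return hits


if __name__ == "__main__":
    for name, label in suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print(f"Run value {name!r} -> matches %{label}% persistence pattern")
    for path, label in suspicious_files(SAMPLE_FILES).items():
        print(f"{path} -> matches {label} dropped-file pattern")
```

Each of the patterns is weak on its own (many legitimate installers place an .exe in a subfolder of %appdata%), so a hit is a triage lead to corroborate with the other indicators in this entry, such as the remote thread into ctfmon.exe, explorer.exe or svchost.exe, rather than a verdict by itself.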
The trojan may attempt to delete all files on the local drives.
The trojan may cause the operating system to crash.