Win32/Urelas [Threat Name]
Win32/Urelas.U [Threat Variant Name]
Category | trojan
Size | 84083 B
Aliases | Trojan:Win32/Urelas.AA (Microsoft), Trojan.DownLoader9.15094 (Dr.Web)
Short description
Win32/Urelas.U is a trojan which tries to download other malware from the Internet. The file is run-time compressed using Packman.
Installation
When executed, the trojan copies itself into the following location:
- %system%\opert.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "Run" = "%system%\opert.exe"
After the installation is complete, the trojan deletes the original executable file.
Information stealing
The trojan collects the following information:
- operating system version
- installed software
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan contains a list of (3) URLs.
It tries to download several files from the addresses.
The files are stored in the following locations:
- %temp%\datse.exe
- %currentfolder%\tmp%variable%.exe
A string with variable content is used instead of %variable%.
The files are then executed.
The TCP protocol is used.
The trojan keeps various information in the following files:
- %system%\golfinfo.ini
- %system%\golfset.ini
- %temp%\golfinfo.ini
- %temp%\golfset.ini
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "TrayKey" = "datse"
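The following host-triage script is an added example and is not part of the ESET entry; it checks a Windows host for the persistence value, the dropped copy, the INI files and the TrayKey value listed above. Only the paths and Registry values from this page are used; the function name and output layout are this example's own, and %system% and %temp% are assumed to map to the System32 folder and the user's temp folder.

```powershell
# Added host-triage example (not from the ESET entry): looks for the
# artifacts listed in the Win32/Urelas.U description. Returns one
# object per finding so the result can be logged or fed to a SIEM.
function Test-UrelasArtifacts {
    [CmdletBinding()]
    param()

    $findings = @()

    # Persistence: the legacy "Run" value under Windows NT\CurrentVersion\Windows,
    # plus the "TrayKey" value the trojan may set in the same key.
    $key   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        if ($props.PSObject.Properties['Run'] -and $props.Run -match 'opert\.exe') {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\Run"; Value = $props.Run }
        }
        if ($props.PSObject.Properties['TrayKey'] -and $props.TrayKey -eq 'datse') {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\TrayKey"; Value = $props.TrayKey }
        }
    }

    # Dropped copy, downloaded payload and the INI files used for state.
    # %system% is assumed to be the System32 folder, %temp% the user temp folder.
    $sys   = [Environment]::GetFolderPath('System')
    $temp  = [IO.Path]::GetTempPath()
    $paths = @(
        (Join-Path $sys  'opert.exe'),
        (Join-Path $temp 'datse.exe'),
        (Join-Path $sys  'golfinfo.ini'),
        (Join-Path $sys  'golfset.ini'),
        (Join-Path $temp 'golfinfo.ini'),
        (Join-Path $temp 'golfset.ini')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            # Record the hash so the sample can be matched against vendor detections later.
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $p; Value = $hash }
        }
    }
    return $findings
}

$result = Test-UrelasArtifacts
if ($result) { $result | Format-Table -AutoSize } else { Write-Output 'No Win32/Urelas.U artifacts found.' }
```

The tmp%variable%.exe file dropped in the original folder is not checked because its name varies; the INI files and the Run value are the more stable indicators.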