TROJ_COSSTA.EF
Aliases: Trojan.Win32.Cossta (Ikarus), probably a variant of Win32/VB.NTK trojan (Eset)
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan may be dropped by other malware.
TECHNICAL DETAILS
File Size: 22,528 bytes
File Type: EXE
14 Nov 2013
Arrival Details
This Trojan may be dropped by other malware.
Installation
This Trojan drops the following file(s)/component(s):
- %User Startup%\Sysini.exe
(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)
It creates the following folders:
- %User Profile%\B0B2D6E3
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}o.{BLOCKED}/AHGjxG
It attempts to access the following websites to download files, which are possibly malicious:
- {BLOCKED}.{BLOCKED}liveira.com.br
- {BLOCKED}.{BLOCKED}ariaquake.com.br