FraudLoad.WBPW is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in a malicious way. Trojans do not replicate or spread to other computers.

FraudLoad.WBPW is compressed using an executable packer and its file size is 20,481 bytes.

It uses the network connection:
- Looks for an Internet connection.
- Opens URL: http://thcway.info/ff/sz.phpver=ha3.
- Connects to "thcway.info" on port 80 (TCP).

It also changes the Windows registry:
- Sets value "UserID"="1C641D3E6DC73F0" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer".
- Creates value "Diagnostic Manager"="C:\sample.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
- Sets value "SuperHidden"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced".

It is also executed every time Windows starts.