
System Infected: Trojan.Cidox.B Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects the network activity generated by Trojan.Cidox.B, which could lead to the infected system being controlled by remote hosts.

Additional Information

When the Trojan is executed, it creates the following files:
%UserProfile%/My Documents/AppData/explorer.exe
%UserProfile%/My Documents/AppData/explorer.dat
%UserProfile%/My Documents/AppData/
%UserProfile%/My Documents/AppData/exp.dat
%UserProfile%/My Documents/AppData/exp.exe

The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"~backup~" = "%UserProfile%/My Documents/AppData/explorer.exe"
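The persistence and file indicators above can be checked offline against endpoint telemetry. The following is an added example, not Symantec's code: it scans Sysmon-style RegistryEvent (ID 13) and FileCreate (ID 11) records for the "~backup~" Run value and the dropped-file paths listed above. The key=value line layout and the sample records are constructed for this example; only the indicator values come from the signature description.

```python
"""Flag Trojan.Cidox.B persistence indicators in constructed Sysmon-style log lines."""
import re

# Indicator values from the signature description (case-folded, backslash paths).
RUN_KEY = r"software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "~backup~"
DROP_DIR = r"my documents\appdata"
DROPPED_FILES = {"explorer.exe", "explorer.dat", "exp.dat", "exp.exe"}

# Constructed sample records in a simplified "Field=value" layout (not real Sysmon XML).
# Lines 2 and 4 are benign look-alikes: a normal Run entry and a file under the
# legitimate AppData\Roaming folder rather than "My Documents\AppData".
SAMPLE_LOG = """\
EventID=13 TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\~backup~ Details=C:\\Users\\alice\\My Documents\\AppData\\explorer.exe
EventID=13 TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive Details=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe
EventID=11 TargetFilename=C:\\Users\\alice\\My Documents\\AppData\\exp.dat
EventID=11 TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\explorer.dat
"""

def _fields(line):
    # Split "Key=value Key=value"; values may contain spaces (e.g. "My Documents").
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def _norm(path):
    # The signature lists paths with "/"; Windows telemetry uses "\". Compare case-insensitively.
    return path.replace("/", "\\").lower()

def classify(line):
    """Return a reason string if the record matches a Cidox.B indicator, else None."""
    f = _fields(line)
    if f.get("EventID") == "13":
        key, _, name = _norm(f.get("TargetObject", "")).rpartition("\\")
        data = _norm(f.get("Details", ""))
        if key.endswith(RUN_KEY) and name == RUN_VALUE_NAME:
            return "run-key value name ~backup~"
        if key.endswith(RUN_KEY) and DROP_DIR in data and data.rsplit("\\", 1)[-1] in DROPPED_FILES:
            return "run-key points into My Documents\\AppData drop directory"
    elif f.get("EventID") == "11":
        path = _norm(f.get("TargetFilename", ""))
        if DROP_DIR in path and path.rsplit("\\", 1)[-1] in DROPPED_FILES:
            return "dropped file " + path.rsplit("\\", 1)[-1]
    return None

def scan(log_text):
    """Return [(line_number, reason)] for every matching record."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reason = classify(line)
        if reason:
            hits.append((n, reason))
    return hits

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```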

The Trojan has virtual machine detection capabilities.

It searches for and disables security products from the following vendors:
AVG
Avira
Bit Defender
Avast
DrWeb
Kaspersky
Microsoft Security Essentials
ESET
Symantec
McAfee
TrendMicro

The Trojan can inject code in the following browsers:
Internet Explorer
Firefox
Opera
Chrome
Safari

The Trojan may then redirect the above browsers to any of the following remote locations:
declicktold.com
gewarerow.com
qubalibs.com
perupdaterin.com

Next, the Trojan gathers the following information from the compromised computer and sends it to one of the above remote locations:
Operating system version
Virtual machine details, if present
Processor type

The Trojan may also modify the HTTP request header to make it appear to be coming from another location.

Affected

  • Windows