
TrojanDownloader:Win32/Siromost.A


Microsoft security software detects and removes this threat.
 
This threat downloads and installs other programs onto your PC without your consent, including other malware.


What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Threat behavior

Installation
TrojanDownloader:Win32/Siromost.A creates the following files on your PC:

  • %windir%\temp\scse.tmp
  • %windir%\temp\scsf.tmp
  • <current folder>\8732.bat
  • <current folder>\nlbhost.dat
  • <current folder>\nlbhost.exe
  • c:\documents and settings\administrator\application data\microsoft\crypto\rsa\s-1-5-21-1844237615-2111687655-839522115-500\35e1583e1c692dff72d263b5602b7694_7f5ed85d-6828-4f92-858c-f40b0ac68138
  • c:\documents and settings\administrator\application data\microsoft\protect\s-1-5-21-1844237615-2111687655-839522115-500\5ffd5214-3508-4f62-94d9-daf64ae0271e
  • c:\documents and settings\administrator\application data\microsoft\protect\s-1-5-21-1844237615-2111687655-839522115-500\preferred

Payload

Contacts remote host

TrojanDownloader:Win32/Siromost.A might contact a remote host at thirdbase.bugs3.com using port 80. Commonly, malware does this to:
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC

This malware description was produced and published using automated analysis of file SHA1 265fdeb993a09d2350daa130de4ce5b662bed628.

Symptoms

System changes
The following could indicate that you have this threat on your PC:

  • You have these files:

    %windir%\temp\scse.tmp
    %windir%\temp\scsf.tmp
    <current folder>\8732.bat
    <current folder>\nlbhost.dat
    <current folder>\nlbhost.exe
    c:\documents and settings\administrator\application data\microsoft\crypto\rsa\s-1-5-21-1844237615-2111687655-839522115-500\35e1583e1c692dff72d263b5602b7694_7f5ed85d-6828-4f92-858c-f40b0ac68138
    c:\documents and settings\administrator\application data\microsoft\protect\s-1-5-21-1844237615-2111687655-839522115-500\5ffd5214-3508-4f62-94d9-daf64ae0271e
    c:\documents and settings\administrator\application data\microsoft\protect\s-1-5-21-1844237615-2111687655-839522115-500\preferred
 

Prevention


Alert level: Severe
First detected by definition: 1.165.3355.0
Latest detected by definition: 1.165.3355.0 and higher
First detected on: Feb 05, 2014
This entry was first published on: Feb 09, 2014
This entry was updated on: Feb 12, 2014

This threat is also detected as:
  • Trojan-Downloader.Win32.Agent.hdzh (Kaspersky)