Follow:

 

Trojan:Win32/Miuref.A


Microsoft security software detects and removes this threat.
 
This threat is a malicious program that is unable to spread of its own accord. It can perform a number of actions of a hacker's choice on your PC.

The Win32/Miuref family description has for more information.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Remove browser add-ons

You may need to remove add-ons from your browser:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation
Trojan:Win32/Miuref.A creates the following files on your computer:

  • c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\preferences
  • c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\mcghndocmfmaaekogkfghfpbjjbohcnf\2.0.3\background.js
  • c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\mcghndocmfmaaekogkfghfpbjjbohcnf\2.0.3\content.js
  • c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\mcghndocmfmaaekogkfghfpbjjbohcnf\2.0.3\manifest.json
  • c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\services\search_{0633ee93-d776-472f-a0ff-e1416b8b2e3a}.ico
  • c:\documents and settings\administrator\local settings\temp\data.dat
  • c:\documents and settings\administrator\local settings\temp\gtkqavlz.exe - detected as Trojan:Win32/Miuref.A
  • c:\documents and settings\administrator\local settings\temp\setup.dat
Payload
Contacts remote hosts
Trojan:Win32/Miuref.A may contact the following remote hosts using port 80:

  • 185.6.80.139
  • www.live.com

Commonly, malware may contact a remote host for the following purposes:
  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer

This malware description was produced and published using our automated analysis system's examination of file SHA1 472e5fcc7dc1228779e7c0c06f6c1c584e527059.

Symptoms

System changes
The following could indicate that you have this threat on your PC:

  • The presence of the following files:

    c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\preferences
    c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\mcghndocmfmaaekogkfghfpbjjbohcnf\2.0.3\background.js
    c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\mcghndocmfmaaekogkfghfpbjjbohcnf\2.0.3\content.js
    c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\mcghndocmfmaaekogkfghfpbjjbohcnf\2.0.3\manifest.json
    c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\services\search_{0633ee93-d776-472f-a0ff-e1416b8b2e3a}.ico
    c:\documents and settings\administrator\local settings\temp\data.dat
    c:\documents and settings\administrator\local settings\temp\gtkqavlz.exe
    c:\documents and settings\administrator\local settings\temp\setup.dat
 

Prevention


Alert level: Severe
First detected by definition: 1.165.50.0
Latest detected by definition: 1.185.1222.0 and higher
First detected on: Dec 17, 2013
This entry was first published on: Dec 19, 2013
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • Troj/VBdrop-AP (Sophos)
  • Trojan Horse (Symantec)