You might download this app with the name FileScout or File Scout, with the file name filescout.exe. It might also be installed on your PC by a variant of the Win32/Rotbrow or Win32/Brantall families.
It installs the following files:
It creates a shortcut on your PC that might look like this:
It registers and installs itself by modifying the registry.
It displays the following window when you try to open a file that isn't associated with any program or app on your PC:
Installs Win32/Sefnit variants and other malware
When running, the app sends an HTTP GET request to a remote server, which then responds with a command to download a file.
We have seen it send the request to updater-1341016669.<removed>.elb.amazonaws.com/update/update.php?name=filescout&version=50397193&r=1397078091.
We detect the file as a variant of Win32/Sefnit, such as Trojan:Win32/Sefnit.BW.
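The check-in request described above can be hunted for in web proxy logs. The following is an added example, not part of the original analysis: the log layout (timestamp, client IP, method, URL), the sample lines and their hostnames are constructed, and it assumes other builds keep the same path and parameter names with numeric version and r values.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL.
# Hostnames are placeholders; the real host is redacted in the write-up.
SAMPLE_LOG = """\
2014-04-09T21:14:51Z 10.0.0.15 GET http://updater-0000000000.example-region.elb.amazonaws.com/update/update.php?name=filescout&version=50397193&r=1397078091
2014-04-09T21:15:02Z 10.0.0.15 GET http://www.example.com/update/update.php?name=otherapp&version=2
2014-04-09T21:15:40Z 10.0.0.22 GET http://cdn.example.net/index.html?name=filescout
2014-04-09T21:16:05Z 10.0.0.31 POST http://updater-0000000000.example-region.elb.amazonaws.com/update/update.php?name=filescout&version=50397193&r=1397078091
2014-04-09T21:17:13Z 10.0.0.40 GET http://UPDATER-1111111111.example-region.elb.amazonaws.com/update/update.php?r=1397078200&version=50397200&name=FileScout
"""

# Host shape seen in the report: updater-<digits>.<redacted>.elb.amazonaws.com
HOST_RE = re.compile(r"updater-\d+\..+\.elb\.amazonaws\.com")

def classify(method, url):
    """Return None, "medium" (path and parameters match) or "high" (host shape matches too)."""
    if method.upper() != "GET":
        return None
    parts = urlsplit(url)
    if parts.path.lower() != "/update/update.php":
        return None
    query = parse_qs(parts.query)
    name = query.get("name", [""])[0].lower()
    version = query.get("version", [""])[0]
    r = query.get("r", [""])[0]
    # Parameter order is not relied on; only names and value shapes are checked.
    if name != "filescout" or not version.isdigit() or not r.isdigit():
        return None
    host = (parts.hostname or "").lower()
    return "high" if HOST_RE.fullmatch(host) else "medium"

def scan(log_text):
    """Return (client_ip, confidence) for every log line that looks like the check-in."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(None, 3)
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, method, url = fields
        level = classify(method, url)
        if level:
            hits.append((client, level))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A "medium" hit means the path and parameters match but the host does not have the load-balancer name shape, which is worth reviewing since the host can change between builds.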
Analysis by Geoff McDonald and Chris Stubbs
The following could indicate that you have this threat on your PC:
- You have shortcuts or files related to File Scout, FileScout, or filescout.exe:
- You see the following when opening some files: