TrojanDownloader:Win32/Stegvob is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware or malware components to an affected computer.
Modifies system security settings
TrojanDownloader:Win32/Stegvob adds itself to the Windows Firewall exceptions list, the set of applications that are allowed to communicate over the network without being blocked by the firewall, by making the following registry modification. The value data follows the firewall's "path:scope:mode:display name" format, so "*" means the exception applies to any remote address, "enabled" means it is active, and "ldrsoft" is the name shown for the entry in the firewall's Exceptions tab:
Adds value: "<malware file>.exe"
With data: "<malware file>.exe:*:enabled:ldrsoft"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
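The registry entry above is a durable host artifact, so a responder who has a .reg export of the AuthorizedApplications\List key (from the affected machine or a forensic image) can check it offline. The following is an added example written for this page, not code from the page or from Microsoft: it parses the exported exception list, splits each value into the path, scope, mode and display-name fields, and flags entries whose display name is "ldrsoft", whose value name disagrees with the path field, or whose enabled exception points at a program outside the Windows and Program Files directories. The sample .reg text, the file name of the "ldrsoft" entry and the trusted-prefix heuristic are constructed assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a .reg export of the firewall exception list described above.
# It is test input written for this example, not data from the page; the path of
# the "ldrsoft" entry is a placeholder for "<malware file>.exe".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\update.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\update.exe:*:enabled:ldrsoft"
"C:\\Program Files\\Tool\\tool.exe"="C:\\Program Files\\Tool\\tool.exe:*:Disabled:Some Tool"
'''

LIST_KEY_SUFFIX = r"\authorizedapplications\list"
KNOWN_BAD_NAMES = {"ldrsoft"}  # display name used by the Stegvob entry above
# Assumed heuristic: exceptions for programs outside these locations deserve a look.
TRUSTED_PREFIXES = ("%windir%", "%systemroot%", "c:\\windows\\", "c:\\program files")

_KEY_RE = re.compile(r'^\[(.+)\]\s*$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def unescape_reg(s: str) -> str:
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_exception(data: str) -> Optional[Dict[str, str]]:
    """Split value data of the form path:scope:mode:name.

    The path may begin with a drive letter ('C:'), so the separator is the
    first colon after position 1, not the one in the drive specifier."""
    start = 2 if len(data) > 2 and data[1] == ":" else 0
    sep = data.find(":", start)
    if sep == -1:
        return None
    rest = data[sep + 1:].split(":", 2)  # scope, mode, display name (name may contain ':')
    if len(rest) != 3:
        return None
    return {"path": data[:sep], "scope": rest[0], "mode": rest[1], "name": rest[2]}


def parse_reg_list(text: str) -> List[Dict[str, str]]:
    """Return every value found under an AuthorizedApplications\\List key."""
    entries: List[Dict[str, str]] = []
    in_list_key = False
    for line in text.splitlines():
        key = _KEY_RE.match(line)
        if key:
            in_list_key = key.group(1).lower().endswith(LIST_KEY_SUFFIX)
            continue
        val = _VALUE_RE.match(line)
        if not (in_list_key and val):
            continue
        fields = parse_exception(unescape_reg(val.group(2)))
        if fields is None:
            continue
        fields["value_name"] = unescape_reg(val.group(1))
        entries.append(fields)
    return entries


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Tuple[Dict[str, str], List[str]]]:
    """Return (entry, reasons) for each exception that matches an indicator or heuristic."""
    findings = []
    for e in entries:
        reasons = []
        if e["name"].lower() in KNOWN_BAD_NAMES:
            reasons.append("display name matches known indicator %r" % e["name"])
        if e["value_name"].lower() != e["path"].lower():
            reasons.append("value name does not match the path field")
        if e["mode"].lower() == "enabled" and not e["path"].lower().startswith(TRUSTED_PREFIXES):
            reasons.append("enabled exception for a program outside Windows/Program Files")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in flag_suspicious(parse_reg_list(SAMPLE_REG)):
        print(entry["value_name"])
        for reason in reasons:
            print("  -", reason)
```

Run it against a real export with the constructed SAMPLE_REG replaced by the file contents; the DomainProfile list lives under a sibling key with the same value format, so the same parser covers both profiles. A match on "ldrsoft" is the indicator from this entry; the path heuristic is only a triage aid and will also surface legitimate software installed under user profiles.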
Contacts remote host
The malware may contact a remote host at 220.127.116.11 over TCP port 80. Malware commonly contacts a remote host for one or more of the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
Stegvob has been observed downloading malware from the following malware families onto affected computers: