
Win32/Filcout


Microsoft security software detects and removes this threat.

This app is advertised as a tool that helps you find programs to open unknown files; however, it is also known to install variants of the Win32/Sefnit family without your knowledge.

You might download this app yourself, or it might have been installed on your PC by Win32/Rotbrow or Win32/Brantall.

Find out ways that malware can get on your PC.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

You might download this app with the name FileScout or File Scout, with the file name filescout.exe. It might also be installed on your PC by a variant of the Win32/Rotbrow or Win32/Brantall families.

It installs the following files:

It creates a shortcut on your PC that might look like this:


It registers and installs itself by modifying the registry.

It displays the following window when you try to open a file that isn't associated with any program or app on your PC:
Payload

Installs Win32/Sefnit variants and other malware

When running, the app sends an HTTP GET request to a remote server, which then responds with a command to download a file.

We have seen it send the request to updater-1341016669.<removed>.elb.amazonaws.com/update/update.php?name=filescout&version=50397193&r=1397078091.

We detect the file as a variant of Win32/Sefnit, such as Trojan:Win32/Sefnit.BW.
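As an added example that is not part of the Microsoft write-up, the following Python detection logic flags proxy-log entries whose URL has the shape of the update beacon described above (an `updater-<digits>` ELB host, the `/update/update.php` path, and `name=filescout` with `version` and `r` parameters). The log line format, the client addresses and the `REDACTED` host label standing in for the ELB name the page removed are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Stable parts of the beacon host seen on the page: "updater-<digits>." then the
# redacted ELB name, then ".elb.amazonaws.com". The middle label is unknown, so
# the pattern accepts anything there (assumption, not a value from the page).
HOST_RE = re.compile(r"^updater-\d+\..+\.elb\.amazonaws\.com$", re.I)
BEACON_PATH = "/update/update.php"


def is_filcout_beacon(url: str) -> bool:
    """Return True if url matches the host, path and query of the Filcout update request."""
    parts = urlsplit(url if "://" in url else "http://" + url)  # page URL had no scheme
    if not HOST_RE.match(parts.hostname or ""):
        return False
    if parts.path.lower() != BEACON_PATH:
        return False
    qs = parse_qs(parts.query)
    return (qs.get("name", [""])[0].lower() == "filescout"
            and "version" in qs and "r" in qs)


def find_beacons(log_lines):
    """Scan space-separated proxy log lines (assumed layout: timestamp, client, URL,
    status) and return (client, url) pairs that look like Filcout update beacons."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed or truncated line
        client, url = fields[1], fields[2]
        if is_filcout_beacon(url):
            hits.append((client, url))
    return hits


# Constructed sample log lines (not from the page). "REDACTED" stands in for the
# ELB name that the write-up removed from the request URL.
SAMPLE_LOG = [
    "2014-04-15T10:01:02Z 10.0.0.12 http://updater-1341016669.REDACTED.elb.amazonaws.com/update/update.php?name=filescout&version=50397193&r=1397078091 200",
    "2014-04-15T10:01:05Z 10.0.0.12 http://www.example.com/index.html 200",
    "2014-04-15T10:02:11Z 10.0.0.33 http://updater-1341016669.REDACTED.elb.amazonaws.com/update/other.php?name=filescout 404",
    "2014-04-15T10:03:40Z 10.0.0.45 http://updater-99.REDACTED.elb.amazonaws.com/update/update.php?name=filescout&version=1&r=2 200",
]

if __name__ == "__main__":
    for client, url in find_beacons(SAMPLE_LOG):
        print(f"possible Win32/Filcout beacon from {client}: {url}")
```

A match on the host and path alone is weaker evidence than the full query shape, which is why both the `name` value and the presence of `version` and `r` are required.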

Analysis by Geoff McDonald and Chris Stubbs


Symptoms

The following could indicate that you have this threat on your PC:

  • You have shortcuts or files related to File Scout, FileScout, or filescout.exe
  • You see the following when opening some files:

Prevention


Alert level: Severe
This entry was first published on: Apr 23, 2014
This entry was updated on: Aug 22, 2014

This threat is also detected as:
No known aliases