Threat behavior
Trojan:Win32/Drastwor.A is a trojan that downloads and executes arbitrary files. In the wild, it has been observed to be installed by TrojanDownloader:Win32/Agent.AHD.
Installation
When executed, Trojan:Win32/Drastwor.A makes the following registry modifications under HKCR (HKEY_CLASSES_ROOT). Each value's data is a Base64-encoded ASCII decimal string: Param1 decodes to 128461536000000000, Param2 to 0, Param3 to 10 and Param4 to 300. What the values control is not documented here; the 18-digit Param1 value is the size of a Windows FILETIME and, read as one, corresponds to 2008-01-30 08:00:00 UTC.
HKCR\CLSID\{2CCEB19B-0A6F-1033-0222-0622060001} Param3 "MTA="
HKCR\CLSID\{2CCEB19B-0A6F-1033-0222-0622060001} Param4 "MzAw"
HKCR\CLSID\{2CCEB19B-0A6F-1033-0222-0622060001} Param2 "MA=="
HKCR\CLSID\{2CCEB19B-0A6F-1033-0222-0622060001} Param1 "MTI4NDYxNTM2MDAwMDAwMDAw"
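The script below, added here as an illustration and not part of the original encyclopedia entry, decodes the four values listed above. The registry lines are copied inline from this page (with the HKCR hive prefix); the "treat an 18-digit number as a FILETIME" rule is this example's own heuristic, since the page does not say how the trojan uses the parameters.

```python
import base64
import re
from datetime import datetime, timedelta

# The four registry values as listed on the page, embedded so the script runs
# offline. The hive prefix is HKCR (HKEY_CLASSES_ROOT).
PARAM_LINES = [
    r'HKCR\CLSID\{2CCEB19B-0A6F-1033-0222-0622060001} Param3 "MTA="',
    r'HKCR\CLSID\{2CCEB19B-0A6F-1033-0222-0622060001} Param4 "MzAw"',
    r'HKCR\CLSID\{2CCEB19B-0A6F-1033-0222-0622060001} Param2 "MA=="',
    r'HKCR\CLSID\{2CCEB19B-0A6F-1033-0222-0622060001} Param1 "MTI4NDYxNTM2MDAwMDAwMDAw"',
]

# Line layout used by the page: <key> <value name> "<data>"
LINE_RE = re.compile(r'^(?P<key>\S+)\s+(?P<name>\S+)\s+"(?P<data>[^"]*)"$')

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1)


def decode_value(data: str) -> str:
    """Strictly Base64-decode one value and return it as ASCII text.

    validate=True turns stray non-Base64 characters into an error instead of
    silently dropping them, so a value that is not really Base64 is reported
    rather than misread.
    """
    return base64.b64decode(data, validate=True).decode("ascii")


def decode_params(lines):
    """Map each value name (Param1..Param4) to its decoded string."""
    decoded = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised registry line: {line!r}")
        decoded[m["name"]] = decode_value(m["data"])
    return decoded


def filetime_to_iso(ticks: int) -> str:
    """Convert a FILETIME tick count to an ISO 8601 timestamp (UTC)."""
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()


def looks_like_filetime(text: str, lo_year: int = 1990, hi_year: int = 2040) -> bool:
    """Heuristic of this example (not stated on the page): an all-digit string
    is read as a FILETIME if the resulting date lands between lo_year and
    hi_year. Short values such as "0", "10" and "300" fall in 1601 and so
    are rejected."""
    if not text.isdigit() or len(text) > 19:
        return False
    try:
        year = (FILETIME_EPOCH + timedelta(microseconds=int(text) // 10)).year
    except OverflowError:  # absurdly large tick counts overflow datetime
        return False
    return lo_year <= year <= hi_year


def describe_params(lines):
    """One report line per parameter, sorted by name, with the FILETIME
    reading appended wherever the heuristic fires."""
    report = []
    for name, value in sorted(decode_params(lines).items()):
        note = ""
        if looks_like_filetime(value):
            note = f" (as FILETIME: {filetime_to_iso(int(value))} UTC)"
        report.append(f"{name} = {value}{note}")
    return report


if __name__ == "__main__":
    for entry in describe_params(PARAM_LINES):
        print(entry)
```

Running it prints the four decoded parameters; only Param1 triggers the FILETIME reading, giving 2008-01-30 08:00:00 UTC. The same decode-and-inspect step is worth applying to any opaque registry string a sample writes, since Base64 is a common way for downloaders to store counters, timers and timestamps without looking like plaintext.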
Payload
Modifies System Settings
Trojan:Win32/Drastwor.A adds the following value to the Internet Explorer pop-up blocker's allow list, so that pop-ups from starsdoor.com and any of its subdomains are no longer blocked:
HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow
*.starsdoor.com
Downloads and Executes Arbitrary Files
Trojan:Win32/Drastwor.A connects to a particular URL on the 'xpg56.starsdoor.com' domain. It may also download and execute files from the following domains:
Downloaded files are saved to the Windows %temp% folder and executed from there. These files may include additional malware.
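The following triage script is an added example, not part of the original entry, covering both the "Modifies System Settings" and the "Downloads and Executes Arbitrary Files" indicators above. It scans the text form of a `reg export` for the CLSID key and the Internet Explorer pop-up allow entry, and scans proxy log lines for connections to starsdoor.com or its subdomains. Both the .reg text and the log lines are constructed for this example; the path requested on xpg56.starsdoor.com is not given on the page, so none is assumed.

```python
import re

# Indicators taken from the page.
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{2CCEB19B-0A6F-1033-0222-0622060001}"
ALLOW_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow"
DOMAIN = "starsdoor.com"

# Constructed .reg export for this example (not a real capture): a benign
# allow-list entry alongside the two artefacts the page describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow]
"*.starsdoor.com"=hex:00,00
"intranet.example.com"=hex:00,00

[HKEY_CLASSES_ROOT\CLSID\{2CCEB19B-0A6F-1033-0222-0622060001}]
"Param1"="MTI4NDYxNTM2MDAwMDAwMDAw"
"Param2"="MA=="
"""

# Constructed proxy log lines for this example. The third line is a
# look-alike domain that must not match.
SAMPLE_LOG = [
    "2008-02-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2008-02-01T10:00:07Z 10.0.0.5 GET http://xpg56.starsdoor.com/ 200",
    "2008-02-01T10:00:09Z 10.0.0.5 GET http://notstarsdoor.com/ 200",
]

HOST_RE = re.compile(r"https?://([^/\s:]+)")


def parse_reg_export(text):
    """Minimal parser for the text form of `reg export`: returns
    {key path: {value name: raw data}}. The header, blank lines and ';'
    comments are skipped; value names containing '=' are not handled."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip()
    return keys


def domain_matches(host, domain=DOMAIN):
    """True for the domain itself, any subdomain, and the '*.domain' wildcard
    form IE stores in its allow list. Suffix matching requires the dot, so
    'notstarsdoor.com' does not match."""
    host = host.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host == domain or host.endswith("." + domain)


def find_registry_iocs(text):
    """Registry paths are case-insensitive, so keys are compared lower-cased."""
    hits = []
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    if CLSID_KEY.lower() in keys:
        hits.append(("clsid_key_present", CLSID_KEY))
    for name in keys.get(ALLOW_KEY.lower(), {}):
        if domain_matches(name):
            hits.append(("ie_popup_allow", name))
    return hits


def find_network_iocs(lines):
    """Hosts from URLs in the log lines that fall under the trojan's domain."""
    return [host for line in lines for host in HOST_RE.findall(line) if domain_matches(host)]


if __name__ == "__main__":
    for kind, detail in find_registry_iocs(SAMPLE_REG):
        print(f"registry: {kind}: {detail}")
    for host in find_network_iocs(SAMPLE_LOG):
        print(f"network: contacted {host}")
```

On a live host the same key paths can be exported with `reg export` and fed to this parser; the CLSID key and the allow-list entry are the two persistent traces, while the downloaded payloads in %temp% will vary and should be collected and scanned rather than matched by name.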
Prevention