Trojan:Win32/Scar.R is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.
Installation
When executed, Trojan:Win32/Scar.R copies itself to the following locations:
- <system folder>\sysrunc.exe
- c:\documents and settings\administrator\application data\daemon.exe
- c:\documents and settings\administrator\application data\microsoft\windows\3dtext.scr
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7.
The attributes of the above files are set to 'hidden' and 'system'.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "sysrunc"
With data: "c:\windows\system32\sysrunc.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "Daemon"
With data: "c:\documents and settings\administrator\application data\daemon.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
The malware creates the following files on an affected computer:
Payload
Contacts remote hosts
Trojan:Win32/Scar.R may contact the following remote hosts using port 80:
Commonly, malware may contact a remote host for the following purposes:
- To confirm Internet connectivity
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 53aa7766ac67c4e8505c54930da3f34455ddce1f.