MSRT April 2012: Win32/Claretore
Field | Value
---|---
Botnet |
Malware | Claretore
Botnet/malware group |
Exploit kits |
Services |
Feature |
Distribution vector |
Target |
Origin |
Campaign |
Operation/Working group |
Vulnerability |
CCProtocol |
Date | 2012 / 10 Apr 2012
Editor/Conference | Microsoft
Link | http://blogs.technet.com/b/mmpc/archive/2012/04/10/msrt-april-2012-win32-claretore.aspx
Author | Tim Liu
Type |
Abstract
“We included three threat families in the April edition of the Microsoft Malicious Software Removal Tool - Win32/Claretore, Win32/Bocinex and Win32/Gamarue. In this post, we discuss Win32/Claretore.
The earliest reported variant in this family can be traced back to November 2011. Claretore is a trojan that injects itself into running processes to intercept browser traffic and redirect the browser to an attacker-defined URL. It also sends information about the affected computer to a remote server.
The installation and preservation mechanism employed by Claretore is not new, but it is aggressive. Claretore drops a copy of itself to the user profile's folder and the temp folder, and removes the original copy of the malware. The registry is modified to execute Claretore at every Windows start.”
Bibtex
```bibtex
@misc{2012BFR985,
  editor       = {Microsoft},
  author       = {Tim Liu},
  title        = {MSRT April 2012: Win32/Claretore},
  date         = {10},
  month        = Apr,
  year         = {2012},
  howpublished = {\url{http://blogs.technet.com/b/mmpc/archive/2012/04/10/msrt-april-2012-win32-claretore.aspx}},
}
```