Win32/Tomyjery

Win32/Tomyjery.A

Category: trojan
Size: 74752 B
Detection created: Apr 13, 2017
Detection database version: 15253
Aliases: Backdoor.Felismus (Symantec), Backdoor:Win32/Tomyjery.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan may create copies of itself using the following filenames:

  • %malwarefilepathwithoutextension%.bak

The trojan may create the following folders:

  • %appdata%\Microsoft\Security
  • %appdata%\Microsoft\Security\logs
  • %appdata%\Microsoft\Security\datas
  • %temp%\Microsoft\Security
  • %temp%\Microsoft\Security\logs
  • %temp%\Microsoft\Security\datas

The trojan may create the following files:

  • %appdata%\Microsoft\Security\%variable1% (0 B)
  • %appdata%\Microsoft\Security\converts.dll (Win32/Tomyjery.A, 46080 B)
  • %appdata%\Microsoft\Security\data
  • %appdata%\Microsoft\Security\datas\%variable2%.tmp
  • %appdata%\Microsoft\Security\HTTPDLL.dll (Win32/Tomyjery.A, 34304 B)
  • %appdata%\Microsoft\Security\HTTPDLL.h
  • %appdata%\Microsoft\Security\logs.txt
  • %appdata%\Microsoft\Security\logs\logs-%timedatestamp%.txt
  • %appdata%\Microsoft\Security\ti.dat
  • %appdata%\Microsoft\Security\Update.exe
  • %temp%\%variable3%.tmp
  • %temp%\Microsoft\Security\%variable1% (0 B)
  • %temp%\Microsoft\Security\converts.dll (Win32/Tomyjery.A, 46080 B)
  • %temp%\Microsoft\Security\data
  • %temp%\Microsoft\Security\datas\%variable2%.tmp
  • %temp%\Microsoft\Security\HTTPDLL.dll (Win32/Tomyjery.A, 34304 B)
  • %temp%\Microsoft\Security\HTTPDLL.h
  • %temp%\Microsoft\Security\logs.txt
  • %temp%\Microsoft\Security\logs\logs-%timedatestamp%.txt
  • %temp%\Microsoft\Security\ti.dat
  • %temp%\Microsoft\Security\Update.exe

The trojan may delete the following files:

  • %appdata%\Microsoft\Security\datas\%variable2%.tmp
  • %appdata%\Microsoft\Security\HTTPDLL.h
  • %appdata%\Microsoft\Security\logs\logs-%timedatestamp%.txt
  • %temp%\Microsoft\Security\datas\%variable2%.tmp
  • %temp%\Microsoft\Security\HTTPDLL.h
  • %temp%\Microsoft\Security\logs\logs-%timedatestamp%.txt

A string with variable content is used instead of %variable1-3%.
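As an added example, not part of the ESET description: a small Python matcher that turns the installation artifacts listed above into host indicators and checks a file inventory against them, treating %variable2% and %timedatestamp% as wildcards. The profile roots and the sample inventory are constructed for the demonstration.

```python
import re

# Artifact paths from the description above, relative to the two roots the
# trojan uses (%appdata% and %temp%). %variable2% and %timedatestamp% are
# filled in at runtime and are matched as wildcards; the bare %variable1%
# and %temp%\%variable3%.tmp entries are omitted because they match any name.
ARTIFACT_TEMPLATES = [
    r"Microsoft\Security\converts.dll", r"Microsoft\Security\HTTPDLL.dll",
    r"Microsoft\Security\HTTPDLL.h", r"Microsoft\Security\Update.exe",
    r"Microsoft\Security\ti.dat", r"Microsoft\Security\data",
    r"Microsoft\Security\logs.txt",
    r"Microsoft\Security\logs\logs-%timedatestamp%.txt",
    r"Microsoft\Security\datas\%variable2%.tmp",
]
_PLACEHOLDER = re.compile(r"%[a-z0-9]+%")


def compile_indicators(appdata, temp):
    """Case-insensitive regexes (NTFS ignores case) rooted at the given %appdata%/%temp%."""
    compiled = []
    for root in (appdata, temp):
        for template in ARTIFACT_TEMPLATES:
            full = root.rstrip("\\") + "\\" + template
            # Literal text is escaped; each placeholder becomes one path segment.
            pattern = r"[^\\]+".join(re.escape(p) for p in _PLACEHOLDER.split(full))
            compiled.append((full, re.compile("^" + pattern + "$", re.IGNORECASE)))
    return compiled


def match_paths(paths, appdata, temp):
    """Map each inventory path that matches a Tomyjery.A artifact to its template."""
    indicators = compile_indicators(appdata, temp)
    hits = {}
    for path in paths:
        for template, regex in indicators:
            if regex.match(path):
                hits[path] = template
                break
    return hits


# Constructed sample inventory (assumed profile paths, not from a real host).
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Security\HTTPDLL.dll",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Security\datas\a1b2c3.tmp",
    r"C:\Users\alice\AppData\Local\Temp\Microsoft\Security\logs\logs-20170413-101500.txt",
    r"C:\Users\alice\AppData\Local\Temp\Microsoft\Security\logs\notes.txt",  # benign name
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\report.lnk",
]
```

On a live host, feed it the output of a recursive directory listing of the user's roaming and temp folders together with the real values of %APPDATA% and %TEMP%.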

Information stealing

Win32/Tomyjery.A is a trojan that steals sensitive information.

The trojan collects the following information:

  • operating system version
  • user name
  • language settings
  • computer IP address
  • proxy server settings
  • list of running processes
  • installed antivirus software
  • installed firewall application

The trojan can send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 2 URLs. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • send the list of running processes to a remote computer
  • create files
  • send the output of the executed program
  • update itself to a newer version
