Threat Encyclopedia

Win32/Otlard.A

Aliases: Backdoor.Win32.IEbooot.brr (Kaspersky), TrojanDropper:Win32/Otlard.A (Microsoft), W32/Backdoor2.ETQO (F-Secure)
Type of infiltration: Trojan
Size: 19420 B
Affected platforms: Microsoft Windows
Signature database version: 4404 (20090907)

Short description

Win32/Otlard.A installs a backdoor that can be controlled remotely.

Installation

The trojan does not create any copies of itself.

The following file is dropped into the %system%\drivers folder:
  • %variable%.sys (17376 B)
Installs the following system drivers (path, name):
  • %system%\drivers\%variable%.sys, %variable%
A string with variable content is used instead of %variable%.

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan serves as a backdoor. It can be controlled remotely.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 6 URLs. It tries to download several files from these addresses over HTTP.

The downloaded files are then executed.

The trojan creates and runs a new thread with its own program code within the following processes:
  • %system%\svchost.exe
The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SYSTEM]
    "Randseed_1" = %hex_value%
    "Randseed_2" = %hex_value%
A string with variable content is used instead of %hex_value%.
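
The installation traces listed above can be correlated against a collected host inventory. The following is an added example, not part of the original entry or of any vendor tool: the function name, the input layout and the sample data are hypothetical and constructed, and a hit is a lead for further analysis, not a verdict.

```python
import ntpath  # Windows path rules, usable when triaging on any platform

DROPPED_DRIVER_SIZE = 17376                  # size of %variable%.sys in the entry
SEED_VALUES = {"randseed_1", "randseed_2"}   # value names under HKEY_LOCAL_MACHINE\SYSTEM


def triage(files, driver_services, system_key_values,
           system_dir=r"C:\Windows\System32"):
    """Flag inventory items that match the traces described in the entry.

    files: iterable of (path, size_in_bytes) from a file listing
    driver_services: dict of driver service name -> image path
    system_key_values: value names found directly under the SYSTEM key
    """
    drivers_dir = ntpath.normcase(ntpath.join(system_dir, "drivers"))
    # Map lower-cased service name -> lower-cased image file name.
    images = {name.lower(): ntpath.basename(path).lower()
              for name, path in driver_services.items()}
    findings = []
    for path, size in files:
        folder, fname = ntpath.split(ntpath.normcase(ntpath.normpath(path)))
        if folder != drivers_dir or not fname.endswith(".sys"):
            continue
        if size != DROPPED_DRIVER_SIZE:
            continue
        # The entry says file name and driver name share the same %variable%.
        stem = fname[:-4]
        if images.get(stem) == fname:
            findings.append(("driver", path, stem))
    seeds = sorted({v for v in system_key_values if v.lower() in SEED_VALUES})
    if {v.lower() for v in seeds} == SEED_VALUES:
        findings.append(("registry", r"HKEY_LOCAL_MACHINE\SYSTEM", tuple(seeds)))
    return findings


# Constructed sample inventory (not taken from a real host).
SAMPLE_FILES = [
    (r"C:\Windows\System32\drivers\tcpip.sys", 1914880),
    (r"C:\Windows\System32\drivers\qzxkv.sys", 17376),
    (r"C:\Windows\Temp\other.sys", 17376),
]
SAMPLE_SERVICES = {
    "Tcpip": r"\SystemRoot\System32\drivers\tcpip.sys",
    "qzxkv": r"\SystemRoot\System32\drivers\qzxkv.sys",
}
SAMPLE_SYSTEM_VALUES = ["Randseed_1", "Randseed_2"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_SYSTEM_VALUES):
        print(finding)
```

Because the entry says the registry values "may" be set, the driver and registry checks are reported independently rather than required together.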