Trojan.Fotomoto.H
Trojan.Fotomoto.H symptoms:
- Presence of a key named "DomainService" under "HKLM\System\CurrentControlSet\Services".
- Presence of a process running with the rights of a system service and the file description "DDC".
Trojan.Fotomoto.H is a trojan with adware components that monitors popup activity.
Once installed, the malware performs the following actions on the computer:
a) It works with randomly named files in the "%windows%\temp" directory and connects to an internet server, to which it reports some basic information about the computer; that information is stored in a database on the server (23.244.141.***).
b) It modifies the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SFCDisable" = 4 (DWORD)
With this value Windows File Protection stays active but no longer notifies the user when a system file is replaced, and no event is logged for it.
c) It creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\db_number
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\domains_list
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\installation_id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\internal_affiliate_id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\next_url_post_time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService\user_id
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Description with the value "DomainService"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\DisplayName with the value "DomainService"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\FailureActions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\ImagePath with the path of the executed malware as its value
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService\Security
d) It creates a process that runs as a service and registers an event so that, if the process is terminated, it restarts itself, thereby changing its process ID.
e) It downloads another piece of malware to "%Temp%\aupddc.exe" and adds it to the "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" registry key, so it is executed every time Windows starts.
f) It adds an entry for itself to the registry key "HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List", so it bypasses Windows Firewall and carries out its network activity without the user's consent.
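The following PowerShell script is an added example, not Bitdefender's removal tool and not code from the original page. It checks a Windows host, read-only, for the indicators listed above: the DomainService service key and its data values, the SFCDisable setting, the aupddc.exe Run entry, Windows Firewall authorized-application entries, and a running process whose file description is "DDC". The function name Test-FotomotoIndicators and the heuristic that any firewall-authorized application located under a Temp directory is worth reporting are assumptions made here. Run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only check for the Trojan.Fotomoto.H indicators listed above.
# Not Bitdefender's tool. The function name and the "program under a Temp directory
# in the firewall list" heuristic are assumptions. Run elevated so that the service
# key and the process list are readable.

function Test-FotomotoIndicators {
    $findings = @()

    # (c) and symptom 1: the DomainService service key and its configuration values.
    # CurrentControlSet is the live control set (the page lists ControlSet001).
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DomainService'
    if (Test-Path $svcKey) {
        $svc = Get-ItemProperty -Path $svcKey
        $findings += "Service key present: $svcKey (ImagePath='$($svc.ImagePath)', Start=$($svc.Start), ObjectName='$($svc.ObjectName)')"
    }

    # (c): the data key the trojan keeps under HKLM\SOFTWARE\Microsoft
    $dataKey = 'HKLM:\SOFTWARE\Microsoft\DomainService'
    if (Test-Path $dataKey) {
        $data = Get-ItemProperty -Path $dataKey
        foreach ($name in 'db_number', 'domains_list', 'installation_id',
                          'internal_affiliate_id', 'next_url_post_time', 'user_id') {
            if ($null -ne $data.$name) {
                $findings += "DomainService value ${name} = '$($data.$name)'"
            }
        }
    }

    # (b): Windows File Protection notifications switched off
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($winlogon -and $winlogon.SFCDisable -eq 4) {
        $findings += 'Winlogon\SFCDisable = 4 (WFP notifications suppressed)'
    }

    # (e): per-user Run entry pointing at aupddc.exe. Get-ItemProperty adds PS* metadata
    # properties to its output, so those are skipped.
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -notmatch '^PS' -and "$($p.Value)" -match 'aupddc\.exe') {
                $findings += "Run entry '$($p.Name)' -> $($p.Value)"
            }
        }
    }

    # (f): firewall authorized-application entries; the value name is the program path.
    # Heuristic (assumption): a program allowed through the firewall from a Temp
    # directory is reported, since the trojan lives in %windows%\temp and %Temp%.
    $fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fw = Get-ItemProperty -Path $fwList -ErrorAction SilentlyContinue
    if ($fw) {
        foreach ($p in $fw.PSObject.Properties) {
            if ($p.Name -notmatch '^PS' -and $p.Name -match '\\Temp\\') {
                $findings += "Firewall-authorized application under a Temp directory: $($p.Name) ($($p.Value))"
            }
        }
    }

    # Symptom 2: a running process whose file description is "DDC". The Description
    # property comes from the image's version info and is empty when access is denied.
    $ddc = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Description -eq 'DDC' }
    foreach ($proc in $ddc) {
        $findings += "Process with description 'DDC': $($proc.ProcessName) (PID $($proc.Id), path '$($proc.Path)')"
    }

    return $findings
}

$result = @(Test-FotomotoIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No Trojan.Fotomoto.H indicators found.'
} else {
    Write-Output "Found $($result.Count) indicator(s):"
    $result | ForEach-Object { Write-Output " - $_" }
}
```

The script reports and does not remove anything: if it flags the service key, the process that restarts itself (action d) is still running and will re-create what you delete, so stop the service first (or clean from offline/safe mode) before removing the keys and files. A hit on the firewall heuristic alone is not proof of infection; legitimate installers sometimes register programs from a Temp directory, so confirm it against the other indicators.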
Copyright 2011. Site powered by Bitdefender