
Trojan.Botime

By Sumo3000 in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 9
First Seen: June 14, 2013
Last Seen: September 30, 2021
OS(es) Affected: Windows

Trojan.Botime is a Trojan that drops other malware onto the compromised PC. When run, Trojan.Botime copies itself as the infected file to a specific location and then patches that file's exported function named 'ImeInquire'. Trojan.Botime creates registry entries so that it is loaded automatically every time the keyboard is used, and creates further registry entries as well. It then modifies registry entries to alter Internet Explorer settings and modifies other registry entries. Trojan.Botime injects itself into the process named 'svchost.exe' and runs from there. It then decrypts the payload stored in a registry entry and executes it.

File System Details

Trojan.Botime may create the following file(s):
File Name
1. %System%\MSCTFIME.IME

Registry Details

Trojan.Botime may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\"ie" = "%CurrentFolder%\[ORIGINAL FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\"it2" = "[BINARY DATA]"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"EnableHttp1_1" = "1"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"DisableCachingOfSSLPages" = "1"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1001" = "3"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"CurrentLevel" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E6861806\"IME File" = "MSCTFIMEEXT.IME"
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Boot\"Runner1" = "[BINARY DATA]"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFavoritesMenu" = "1"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"CertificateRevocation" = "1"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1C00" = "0"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1201" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E6861806\"Layout File" = "KBDUS.DLL"
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\"id2" = "22734842QLBORUB6"
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\"Start Page" = "about:blank"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"PrivacyAdvanced" = "0"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1601" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM\"LoadIMM" = "1"
HKEY_USERS\.DEFAULT\Keyboard Layout\Preload\"1" = "E6861806"
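One way to triage a collected registry export for the persistence and payload values listed above, as an added example that is not part of the original page: it parses a .reg export offline (a live system would be read with winreg instead) and flags the Botime-specific keys; the sample export and the dropper path in it are constructed.

```python
import re
# Registry indicators quoted from the Trojan.Botime write-up above: the fake IME
# registration loaded on keyboard use, the LoadIMM switch, and the HKLM\SOFTWARE\ODBC
# values holding the dropper path, ID and payload. Tuples: (key, name, data) regexes.
BOTIME_INDICATORS = [
    (r"\\Control\\Keyboard Layouts\\E6861806$", r"^IME File$", r"^MSCTFIMEEXT\.IME$"),
    (r"\\Keyboard Layout\\Preload$", r"^\d+$", r"^E6861806$"),
    (r"\\Windows NT\\CurrentVersion\\IMM$", r"^LoadIMM$", r"^1$"),
    (r"\\SOFTWARE\\ODBC(\\Boot)?$", r"^(ie|it2|id2|Runner1)$", r".+"),
]

def parse_reg_export(text):
    """Parse a .reg export into {(key, name): data}; dword -> decimal, hex blobs stay raw."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name, data = name.strip('"'), data.strip()
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))
            elif data.startswith('"'):
                data = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
            entries[(key, name)] = data
    return entries

def find_botime_indicators(entries):
    """Return [(key, name, data)] for every value matching a Botime indicator."""
    return [(key, name, data) for (key, name), data in entries.items()
            for key_re, name_re, data_re in BOTIME_INDICATORS
            if re.search(key_re, key, re.I) and re.search(name_re, name, re.I)
            and re.search(data_re, data, re.I)]

# Constructed sample export (not a real infection); layout 00000409 is a benign negative case.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409]
"Layout File"="KBDUS.DLL"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E6861806]
"IME File"="MSCTFIMEEXT.IME"
[HKEY_USERS\.DEFAULT\Keyboard Layout\Preload]
"1"="E6861806"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM]
"LoadIMM"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC]
"ie"="C:\\Users\\Public\\sample.exe"
"it2"=hex:4a,4b,4c
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Boot]
"Runner1"=hex:4d,4e
"""
```

Running `find_botime_indicators(parse_reg_export(SAMPLE_REG))` on the sample returns the six Botime values and leaves the benign 00000409 layout unflagged.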
