Short description
Win32/Otlard.A installs a backdoor that can be controlled remotely.
Installation
The trojan does not create any copies of itself.
The following file is dropped into the %system%\drivers\ folder:
The trojan installs the following system drivers (path, name):
- %system%\drivers\%variable%.sys, %variable%
A string with variable content is used instead of %variable%.
After the installation is complete, the trojan deletes the original executable file.
Other information
The trojan serves as a backdoor. It can be controlled remotely.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 6 URLs. It tries to download several files from these addresses using the HTTP protocol.
The files are then executed.
The trojan creates and runs a new thread with its own program code within the following processes:
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM]
"Randseed_1" = %hex_value%
"Randseed_2" = %hex_value%
A string with variable content is used instead of %hex_value%.